	移除 Apache-common-text 包,采用 spring 内置的 HtmlUtils 处理 xss 问题
		| @@ -15,8 +15,9 @@ import org.springframework.web.bind.annotation.RestController; | ||||
| import org.springframework.web.multipart.MultipartFile; | ||||
|  | ||||
| import java.io.*; | ||||
| import java.nio.charset.StandardCharsets; | ||||
| import java.util.*; | ||||
| import org.apache.commons.text.StringEscapeUtils; | ||||
| import org.springframework.web.util.HtmlUtils; | ||||
|  | ||||
| /** | ||||
|  * | ||||
| @@ -39,7 +40,8 @@ public class FileController { | ||||
|         //判断是否为IE浏览器的文件名,IE浏览器下文件名会带有盘符信息 | ||||
|          | ||||
|         // escaping dangerous characters to prevent XSS | ||||
|         fileName = StringEscapeUtils.escapeHtml4(fileName); | ||||
|         fileName = HtmlUtils.htmlEscape(fileName, StandardCharsets.UTF_8.name()); | ||||
|  | ||||
|         // Check for Unix-style path | ||||
|         int unixSep = fileName.lastIndexOf('/'); | ||||
|         // Check for Windows-style path | ||||
|   | ||||
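Review bot: `fileName = HtmlUtils.htmlEscape(fileName, StandardCharsets.UTF_8.name());` still encodes the name at input time, ahead of the `lastIndexOf('/')` separator handling, so everything after this line works on an HTML-encoded string rather than the file name the client sent. HTML escaping does not constrain the value as a path: `/`, `\` and `..` pass through `htmlEscape` unchanged, and the method body continues outside the hunk, so it cannot be confirmed from here that the later code reduces the value to a bare base name and rejects `..`. I would state that on the line, e.g. `// HTML-escapes for display only; path separators and ".." are NOT neutralised here`, and consider moving the escaping to the point where the name is written into a response, which also avoids double encoding if a template escapes it again. With UTF-8, `htmlEscape` rewrites only `<`, `>`, `&`, `"` and `'`, whereas `escapeHtml4` also converted ISO-8859-1 characters to named entities and left `'` alone, so a name computed after this commit can differ from one stored before it; that is worth checking if the escaped name is used as a storage or lookup key.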
	 chenkailing
					chenkailing