移除 Apache-common-text 包，采用 spring 内置的 HtmlUtils 处理 xss 问题

2021-01-23 13:12:31 +08:00 · 2021-01-23 13:12:31 +08:00 · 50dd7c1b83
parent 2dd067170b
commit 50dd7c1b83
2 changed files with 4 additions and 7 deletions
--- a/server/pom.xml
+++ b/server/pom.xml
@ -62,11 +62,6 @@
            <artifactId>commons-lang3</artifactId>
            <version>3.7</version>
        </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-text</artifactId>
-            <version>1.9</version>
-        </dependency>
        <!-- REDISSON -->
        <dependency>
            <groupId>org.redisson</groupId>
--- a/server/src/main/java/cn/keking/web/controller/FileController.java
+++ b/server/src/main/java/cn/keking/web/controller/FileController.java
@ -15,8 +15,9 @@ import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.multipart.MultipartFile;

 import java.io.*;
+import java.nio.charset.StandardCharsets;
 import java.util.*;
-import org.apache.commons.text.StringEscapeUtils;
+import org.springframework.web.util.HtmlUtils;

 /**
 *
@ -39,7 +40,8 @@ public class FileController {
        //判断是否为IE浏览器的文件名，IE浏览器下文件名会带有盘符信息
        
        // escaping dangerous characters to prevent XSS
-        fileName = StringEscapeUtils.escapeHtml4(fileName);
+        fileName = HtmlUtils.htmlEscape(fileName, StandardCharsets.UTF_8.name());
+
        // Check for Unix-style path
        int unixSep = fileName.lastIndexOf('/');
        // Check for Windows-style path