From 50dd7c1b8385c10ce6275dbca98ef815017c796f Mon Sep 17 00:00:00 2001
From: chenkailing <632104866@qq.com>
Date: Sat, 23 Jan 2021 13:12:31 +0800
Subject: [PATCH] =?UTF-8?q?=E7=A7=BB=E9=99=A4=20Apache-common-text=20?= =?UTF-8?q?=E5=8C=85=EF=BC=8C=E9=87=87=E7=94=A8=20spring=20=E5=86=85?= =?UTF-8?q?=E7=BD=AE=E7=9A=84=20HtmlUtils=20=E5=A4=84=E7=90=86=20xss=20?= =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 server/pom.xml | 5 -----
 .../main/java/cn/keking/web/controller/FileController.java | 6 ++++--
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/server/pom.xml b/server/pom.xml
index e35e959a..d9862b49 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -62,11 +62,6 @@ commons-lang3 3.7 - - org.apache.commons - commons-text - 1.9 - org.redisson
diff --git a/server/src/main/java/cn/keking/web/controller/FileController.java b/server/src/main/java/cn/keking/web/controller/FileController.java
index 33f06f8c..94b98c4a 100644
--- a/server/src/main/java/cn/keking/web/controller/FileController.java
+++ b/server/src/main/java/cn/keking/web/controller/FileController.java
@@ -15,8 +15,9 @@ import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.multipart.MultipartFile;
 import java.io.*;
+import java.nio.charset.StandardCharsets;
 import java.util.*;
-import org.apache.commons.text.StringEscapeUtils;
+import org.springframework.web.util.HtmlUtils;
 /**
 *
@@ -39,7 +40,8 @@ public class FileController {
 //判断是否为IE浏览器的文件名,IE浏览器下文件名会带有盘符信息
 // escaping dangerous characters to prevent XSS
- fileName = StringEscapeUtils.escapeHtml4(fileName);
+ fileName = HtmlUtils.htmlEscape(fileName, StandardCharsets.UTF_8.name());
+
 // Check for Unix-style path
 int unixSep = fileName.lastIndexOf('/');
 // Check for Windows-style path
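Review bot: The new `HtmlUtils.htmlEscape(fileName, StandardCharsets.UTF_8.name())` in the second FileController hunk still escapes at the input layer, because the very next lines (`lastIndexOf('/')`, the Windows-separator check) treat the result as a file path: a name containing `&` or `"` is rewritten to `&amp;`/`&quot;` before it is used as a filename, and will be encoded a second time by any template or JSON serializer that renders it, while the real output-encoding decision belongs where the name is displayed. A second behaviour change the commit does not mention is null handling: the removed `StringEscapeUtils.escapeHtml4` returned null for a null input, whereas Spring's two-argument `htmlEscape` rejects null (via `Assert.notNull`, as far as I recall, surfacing as an IllegalArgumentException), so if `fileName` comes from `MultipartFile.getOriginalFilename()` a guard such as `if (fileName == null) { fileName = ""; }` is needed ahead of the call. The retained comment `// escaping dangerous characters to prevent XSS` should also say what is and is not covered, e.g. `// HTML-escape the user-supplied name for later display; path separators are stripped below, traversal is not handled here`. The enclosing method starts and ends outside the hunk, so where fileName originates and how the escaped value is stored are not visible here.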