|
|
|
|
@ -108,7 +108,7 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction { |
|
|
|
|
public void index(HttpServletRequest req, HttpServletResponse resp) { |
|
|
|
|
Map map = BasicUtil.assemblyRequestMap(); |
|
|
|
|
map.forEach((k,v)->{ |
|
|
|
|
map.put(k,v.toString().replaceAll("('|\"|\\\\)","\\$1")); |
|
|
|
|
map.put(k,v.toString().replaceAll("('|\"|\\\\)","\\\\$1")); |
|
|
|
|
}); |
|
|
|
|
map.put(ParserUtil.URL, BasicUtil.getUrl()); |
|
|
|
|
//动态解析
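Review bot: The comment `//sql注入过滤` in the hunk at -216 overstates what `replaceAll("('|\"|\\\\)","\\\\$1")` provides: the correction (the old `"\\$1"` replacement emitted the literal text `$1`, the new one emits a real backslash before the quote) only helps where the value ends up inside a quoted SQL string literal and the database honours backslash escaping, and the same rewrite is repeated in the hunks at -108, -140, -205, -340 and -379. For `orderby` (hunk at -205) the value is presumably used as an ORDER BY expression, where quote escaping does nothing; validate it against an allow-list instead, e.g. `if (!ALLOWED_ORDER_BY.contains(orderby)) { orderby = DEFAULT_ORDER_BY; }` (constant names illustrative). For the request maps, bind the values as query parameters where the map is consumed rather than rewriting them in place — the escaped copies are also what `urlParams` in the hunk at -379 echoes back into the URL. `clearXss`, which the hunks at -340 and -379 now call, mixes `replaceAll` with `replace("\\)", ")")`; the latter matches the two-character text `\)` rather than `)`, so it likely does not mirror the neighbouring `replaceAll("\\(", "(")`. Each of these methods begins and ends outside its hunk.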
|
|
|
|
|
@ -140,6 +140,9 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction { |
|
|
|
|
@GetMapping("/list.do") |
|
|
|
|
public void list(HttpServletRequest req, HttpServletResponse resp) { |
|
|
|
|
Map map = BasicUtil.assemblyRequestMap(); |
|
|
|
|
map.forEach((k,v)->{ |
|
|
|
|
map.put(k,v.toString().replaceAll("('|\"|\\\\)","\\\\$1")); |
|
|
|
|
}); |
|
|
|
|
//获取栏目编号
|
|
|
|
|
int typeId = BasicUtil.getInt(ParserUtil.TYPE_ID,0); |
|
|
|
|
int size = BasicUtil.getInt(ParserUtil.SIZE,10); |
|
|
|
|
@ -205,7 +208,7 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction { |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
orderby= orderby.replaceAll("('|\"|\\\\)","\\$1"); |
|
|
|
|
orderby= orderby.replaceAll("('|\"|\\\\)","\\\\$1"); |
|
|
|
|
PageBean page = new PageBean(); |
|
|
|
|
//用于详情上下页获取当前文章列表对应的分类,根据文章查询只能获取自身分类
|
|
|
|
|
String typeId = BasicUtil.getString(ParserUtil.TYPE_ID,article.getContentCategoryId()); |
|
|
|
|
@ -216,7 +219,7 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction { |
|
|
|
|
Map map = BasicUtil.assemblyRequestMap(); |
|
|
|
|
map.forEach((k,v)->{ |
|
|
|
|
//sql注入过滤
|
|
|
|
|
map.put(k,v.toString().replaceAll("('|\"|\\\\)","\\$1")); |
|
|
|
|
map.put(k,v.toString().replaceAll("('|\"|\\\\)","\\\\$1")); |
|
|
|
|
}); |
|
|
|
|
//动态解析
|
|
|
|
|
map.put(ParserUtil.IS_DO,true); |
|
|
|
|
@ -340,7 +343,8 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction { |
|
|
|
|
if (field != null) { |
|
|
|
|
for (Map.Entry<String, Object> entry : field.entrySet()) { |
|
|
|
|
if (entry != null) { |
|
|
|
|
String value = entry.getValue().toString().replaceAll("('|\"|\\\\)","\\$1"); // 处理由get方法请求中文乱码问题
|
|
|
|
|
String value = entry.getValue().toString().replaceAll("('|\"|\\\\)","\\\\$1"); // 处理由get方法请求中文乱码问题
|
|
|
|
|
value=clearXss(value); |
|
|
|
|
if (ObjectUtil.isNull(value)) { |
|
|
|
|
continue; |
|
|
|
|
} |
|
|
|
|
@ -379,7 +383,8 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction { |
|
|
|
|
StringBuilder urlParams=new StringBuilder(); |
|
|
|
|
searchMap.forEach((k,v)->{ |
|
|
|
|
//sql注入过滤
|
|
|
|
|
searchMap.put(k,v.toString().replaceAll("('|\"|\\\\)","\\$1")); |
|
|
|
|
searchMap.put(k,v.toString().replaceAll("('|\"|\\\\)","\\\\$1")); |
|
|
|
|
searchMap.put(k,clearXss(searchMap.get(k).toString())); |
|
|
|
|
urlParams.append(k).append("=").append(searchMap.get(k)).append("&"); |
|
|
|
|
}); |
|
|
|
|
|
|
|
|
|
@ -443,6 +448,23 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction { |
|
|
|
|
this.outString(response, content); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// 清除路径中的转义字符
|
|
|
|
|
private String clearXss(String value) { |
|
|
|
|
|
|
|
|
|
if (value == null || "".equals(value)) { |
|
|
|
|
return value; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
value = value.replaceAll("<", "<").replaceAll(">", ">"); |
|
|
|
|
value = value.replaceAll("\\(", "(").replace("\\)", ")"); |
|
|
|
|
value = value.replaceAll("'", "'"); |
|
|
|
|
value = value.replaceAll("eval\\((.*)\\)", ""); |
|
|
|
|
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", |
|
|
|
|
"\"\""); |
|
|
|
|
value = value.replace("script", ""); |
|
|
|
|
|
|
|
|
|
return value; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/** |
|
|
|
|
* 存储自定义模型字段和接口参数 |
|
|
|
|
|