文本文档加入缓存，安全修复XSS，美化404、500报错等，新增SVG格式预览，ofd优化印章渲染兼容性 (#413)

1、文本文档加入缓存 2、安全修复XSS(跨站脚本攻击) 3、美化404、500报错等 5、新增 SVG格式预览 5、ofd优化印章渲染兼容性 Co-authored-by: gaoxiongzaq <admin@cxcp.com>
2026-03-15 05:33:52 +08:00 · 2022-12-16 23:58:26 +08:00
parent bb63808767
commit 8c6f5bf807
19 changed files with 41477 additions and 40965 deletions
--- a/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java
+++ b/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java
@@ -6,6 +6,7 @@ import cn.keking.service.FilePreview;
 import cn.keking.service.FilePreviewFactory;
 import cn.keking.service.cache.CacheService;
 import cn.keking.service.impl.OtherFilePreviewImpl;
+import cn.keking.utils.KkFileUtils;
 import cn.keking.utils.WebUtils;
 import fr.opensagres.xdocreport.core.io.IOUtils;
 import io.mola.galimatias.GalimatiasParseException;
@@ -17,7 +18,6 @@ import org.springframework.ui.Model;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.util.HtmlUtils;

 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -53,10 +53,6 @@ public class OnlinePreviewController {

    @GetMapping( "/onlinePreview")
    public String onlinePreview(String url, Model model, HttpServletRequest req) {
-        if (url == null || url.length() == 0){
-            logger.info("URL异常：{}", url);
-            return otherFilePreview.notSupportedFile(model, "NULL地址不允许预览");
-        }
        String fileUrl;
        try {
            fileUrl = WebUtils.decodeUrl(url);
@@ -73,15 +69,11 @@ public class OnlinePreviewController {

    @GetMapping( "/picturesPreview")
    public String picturesPreview(String urls, Model model, HttpServletRequest req) {
-        if (urls == null || urls.length() == 0){
-            logger.info("URL异常：{}", urls);
-            return otherFilePreview.notSupportedFile(model, "NULL地址不允许预览");
-        }
        String fileUrls;
        try {
            fileUrls = WebUtils.decodeUrl(urls);
            // 防止XSS攻击
-            fileUrls = HtmlUtils.htmlEscape(fileUrls);
+            fileUrls = KkFileUtils.htmlEscape(fileUrls);
        } catch (Exception ex) {
            String errorMsg = String.format(BASE64_DECODE_ERROR_MSG, "urls");
            return otherFilePreview.notSupportedFile(model, errorMsg);
@@ -94,6 +86,7 @@ public class OnlinePreviewController {
        String currentUrl = req.getParameter("currentUrl");
        if (StringUtils.hasText(currentUrl)) {
            String decodedCurrentUrl = new String(Base64.decodeBase64(currentUrl));
+                   decodedCurrentUrl = KkFileUtils.htmlEscape(decodedCurrentUrl);   // 防止XSS攻击
            model.addAttribute("currentUrl", decodedCurrentUrl);
        } else {
            model.addAttribute("currentUrl", imgUrls.get(0));
@@ -110,13 +103,6 @@ public class OnlinePreviewController {
     */
    @GetMapping("/getCorsFile")
    public void getCorsFile(String urlPath, HttpServletResponse response) throws IOException {
-        if (urlPath == null || urlPath.length() == 0){
-            logger.info("URL异常：{}", urlPath);
-            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
-            response.setHeader("Content-Type", "text/html; charset=UTF-8");
-            response.getWriter().println("NULL地址不允许预览");
-            return;
-        }
        try {
            urlPath = WebUtils.decodeUrl(urlPath);
        } catch (Exception ex) {
--- a/server/src/main/java/cn/keking/web/filter/AttributeSetFilter.java
+++ b/server/src/main/java/cn/keking/web/filter/AttributeSetFilter.java
@@ -2,6 +2,7 @@ package cn.keking.web.filter;

 import cn.keking.config.ConfigConstants;
 import cn.keking.config.WatermarkConfigConstants;
+import cn.keking.utils.KkFileUtils;

 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
@@ -46,7 +47,7 @@ public class AttributeSetFilter implements Filter {
     * @param request request
     */
    private void setWatermarkAttribute(ServletRequest request) {
-        String watermarkTxt = request.getParameter("watermarkTxt");
+        String watermarkTxt= KkFileUtils.htmlEscape(request.getParameter("watermarkTxt"));
        request.setAttribute("watermarkTxt", watermarkTxt != null ? watermarkTxt : WatermarkConfigConstants.getWatermarkTxt());
        String watermarkXSpace = request.getParameter("watermarkXSpace");
        request.setAttribute("watermarkXSpace", watermarkXSpace != null ? watermarkXSpace : WatermarkConfigConstants.getWatermarkXSpace());
--- a/server/src/main/java/cn/keking/web/filter/TrustDirFilter.java
+++ b/server/src/main/java/cn/keking/web/filter/TrustDirFilter.java
@@ -8,6 +8,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.util.FileCopyUtils;
+import org.springframework.util.StringUtils;

 import javax.servlet.*;
 import java.io.IOException;
@@ -55,6 +56,9 @@ public class TrustDirFilter implements Filter {
    }

    private boolean allowPreview(String urlPath) {
+        if(!StringUtils.hasText(urlPath)){
+            return false ;
+        }
        try {
            URL url = WebUtils.normalizedURL(urlPath);
            if ("file".equals(url.getProtocol().toLowerCase(Locale.ROOT))) {