From e9be6f71da2227775af01da428afcbc2a1060b74 Mon Sep 17 00:00:00 2001
From: lwklewekwh <12525771+lwklewekwh@user.noreply.gitee.com>
Date: Wed, 22 Mar 2023 03:21:31 +0000
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0xss=E9=BB=91=E5=90=8D?=
 =?UTF-8?q?=E5=8D=95=EF=BC=8C=E5=A2=9E=E5=8A=A0=E4=B8=80=E4=B8=AA=E6=96=B0?=
 =?UTF-8?q?=E7=9A=84xss=E9=BB=91=E5=90=8D=E5=8D=95=E6=A0=87=E7=AD=BEobject?=
 =?UTF-8?q?=20=E6=B7=BB=E5=8A=A0xss=E9=BB=91=E5=90=8D=E5=8D=95=EF=BC=8C?=
 =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E4=B8=80=E4=B8=AA=E6=96=B0=E7=9A=84xss?=
 =?UTF-8?q?=E9=BB=91=E5=90=8D=E5=8D=95=E6=A0=87=E7=AD=BEobject?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: lwklewekwh <12525771+lwklewekwh@user.noreply.gitee.com>
---
 .../filter/XssAndSqlHttpServletRequestWrapper.java | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/main/java/cc/iteachyou/cms/security/filter/XssAndSqlHttpServletRequestWrapper.java b/src/main/java/cc/iteachyou/cms/security/filter/XssAndSqlHttpServletRequestWrapper.java
index bb55012..0c177ac 100644
--- a/src/main/java/cc/iteachyou/cms/security/filter/XssAndSqlHttpServletRequestWrapper.java
+++ b/src/main/java/cc/iteachyou/cms/security/filter/XssAndSqlHttpServletRequestWrapper.java
@@ -260,6 +260,15 @@ public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrappe
 if (flag) {
 return flag;
 }
+
+ //object
+ scriptPattern = Pattern.compile("svg[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']",
+ Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
+ flag = scriptPattern.matcher(value).find();
+ if (flag) {
+ return flag;
+ }
+
 //source
 scriptPattern = Pattern.compile("source[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']",
 Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
-- 
Gitee
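Review bot: The added check does not do what its `//object` comment and the commit title claim: the regex tests for the literal attribute-style sequence `svg = "…"` (mirroring the neighbouring `source=` pattern), so neither an `<object …>` element nor an `<svg …>` element — which has no `svg=` attribute — is matched by the new branch. Either the comment should read `//svg`, with the pattern kept as an attribute check, or the pattern should be rewritten around the `object` tag the way the file handles other element names (that code is outside this hunk); as committed, the branch's name and its behaviour disagree. The `[\r\n| | ]` character class, inherited from the sibling patterns, lists `|` as a literal member rather than as alternation, which appears unintended though harmless here. The enclosing method starts and ends outside the hunk, so it is not visible whether `value` is decoded or normalized before reaching these regexes; a denylist of tag and attribute names is easily defeated by encoding variants, so contextual output encoding at the rendering layer remains the primary control and these checks should be documented as defense in depth.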