From 037a7577e68e58eb1a5cbce14dfa306d966fa905 Mon Sep 17 00:00:00 2001
From: unknown
Date: Tue, 4 Apr 2023 15:03:48 +0800
Subject: [PATCH] Fix Stored XSS Vulnerability in the System Notification Feature

---
 .../system/service/impl/SysNoticeServiceImpl.java | 10 +++++++++-
 pom.xml | 8 ++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/pear-modules/pear-system/src/main/java/com/pearadmin/system/service/impl/SysNoticeServiceImpl.java b/pear-modules/pear-system/src/main/java/com/pearadmin/system/service/impl/SysNoticeServiceImpl.java
index c54496b3..95ee3e30 100644
--- a/pear-modules/pear-system/src/main/java/com/pearadmin/system/service/impl/SysNoticeServiceImpl.java
+++ b/pear-modules/pear-system/src/main/java/com/pearadmin/system/service/impl/SysNoticeServiceImpl.java
@@ -8,6 +8,7 @@ import com.pearadmin.system.mapper.SysNoticeMapper;
 import com.pearadmin.system.service.ISysNoticeService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import com.coverity.security.Escape;
 import java.time.LocalDateTime;
 import java.util.List;
 
@@ -42,7 +43,14 @@ public class SysNoticeServiceImpl implements ISysNoticeService {
      */
     @Override
     public List selectSysNoticeList(SysNotice sysNotice) {
-        return sysNoticeMapper.selectSysNoticeList(sysNotice);
+        List sysNoticeList = sysNoticeMapper.selectSysNoticeList(sysNotice);
+        for (SysNotice notice : sysNoticeList) {
+            String escapedTitle = Escape.html(notice.getTitle());
+            String escapedContent = Escape.html(notice.getContent());
+            notice.setTitle(escapedTitle);
+            notice.setContent(escapedContent);
+        }
+        return sysNoticeList;
     }
 
     /**
diff --git a/pom.xml b/pom.xml
index 93c277c6..f48d9321 100644
--- a/pom.xml
+++ b/pom.xml
@@ -73,6 +73,8 @@
 5.7.0 3.8.0 + + 1.1.1 8 8
@@ -271,6 +273,12 @@
 ${commons.net.version} compile + + com.coverity.security coverity-escapers ${coverity.security.version} +
-- 
Gitee
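Review bot: HTML-encoding the title and content inside `selectSysNoticeList` is output encoding done in the service layer, which fixes only this listing and binds the data to one rendering context; any other read path that returns notice rows (a by-id lookup or export, if the service has one) stays unencoded, and a consumer that already escapes on output (a `th:text` template or a client that escapes what it receives) will now display `&amp;lt;` instead of `<`. The loop also mutates the entities in place, so if the same objects are ever bound to an edit form and saved, the encoded text is persisted and encoded again on the next read; encoding at the view or in a dedicated response DTO avoids both problems and leaves the stored value untouched. If the change stays here, guard the nulls the new code introduces: `if (sysNoticeList == null) { return sysNoticeList; }` before the loop, and `notice.setTitle(notice.getTitle() == null ? null : Escape.html(notice.getTitle()));` (same for content) unless `Escape.html` is confirmed to pass null through. Unless the raw `List` in the signature is an artifact of how the patch was rendered, `List<SysNotice>` would make the loop's element type explicit instead of relying on an unchecked iteration.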
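Review bot: The dependency added in the second pom.xml hunk, `coverity-escapers` at the `coverity.security.version` 1.1.1 introduced in the first, appears to be the last release of a library that has not been maintained for years, so a security-critical encoding function is being taken from a project with no upgrade path. If the application renders notices through a template engine, its built-in escaping (or the actively maintained OWASP Java Encoder) covers the same need without a new transitive dependency. If the library is kept, record the decision next to the property, e.g. `<!-- HTML output encoding for notices; last published release, review at next dependency audit -->`, so the pin is not silently bumped or dropped later.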