Java Code Examples for com.xnx3.StringUtil#filterXss()

public BaseVO updateNickname(HttpServletRequest request) {
	BaseVO baseVO = new BaseVO();
	String nickname = StringUtil.filterXss(request.getParameter("nickname"));
	if(nickname == null){
		nickname = "";
	}
	if(nickname.length()==0){
		baseVO.setBaseVO(BaseVO.FAILURE, Language.show("user_updateNicknameNotNull"));
		return baseVO;
	}
	if(nickname.length()>15){
		baseVO.setBaseVO(BaseVO.FAILURE, Language.show("user_updateNicknameSizeFailure"));
		return baseVO;
	}
	
	User u = sqlDAO.findById(User.class, ShiroFunc.getUser().getId());
	u.setNickname(nickname);
	sqlDAO.save(u);
	ShiroFunc.getUser().setNickname(nickname);
	baseVO.setInfo(nickname);
	
	return baseVO;
}
 

/**
 * 保存公告
 * @param value 要更改的公告的信息，
 */
@RequiresPermissions("agencyIndex")
@RequestMapping("saveNotice${url.suffix}")
@ResponseBody
public BaseVO saveNotice(HttpServletRequest request,
		@RequestParam(value = "value", required = true) String value){
	Agency agency = getMyAgency();
	if(agency == null){
		return error("您不是代理，无权操作");
	}
	value = StringUtil.filterXss(value);
	
	AgencyData agencyData = sqlService.findAloneBySqlQuery("SELECT * FROM agency_data WHERE id = "+getMyAgency().getId(), AgencyData.class);
	if(agencyData == null){
		//兼容4.4版本以前的。这个功能是4.4版本才增加的
		agencyData = new AgencyData();
		agencyData.setId(agency.getId());
	}
	agencyData.setNotice(value);
	sqlService.save(agencyData);
	
	//更新session缓存
	com.xnx3.wangmarket.admin.Func.getUserBeanForShiroSession().setMyAgencyData(agencyData);
			
	//记录操作日志
	AliyunLog.addActionLog(agencyData.getId(), "代理更改公告");
	
	return success();
}
 

/**
 * 获取json的某个 String 的值，并进行xss过滤
 */
public String getJsonStringAndFilterXSS(JSONObject json, String key){
	if(json == null){
		return "";
	}
	if(json.get(key) == null){
		return "";
	}
	
	return StringUtil.filterXss(getJsonString(json.getString(key)));
}
 

/**
 * 发送手机号登录的验证码
 * @param request {@link HttpServletRequest}
 * 			<br/>form表单需提交参数：phone(发送到的手机号)
 * @return {@link BaseVO}
 */
public BaseVO sendPhoneLoginCode(HttpServletRequest request) {
	String phone = StringUtil.filterXss(request.getParameter("phone"));
	BaseVO baseVO = sendSMS(request, phone, SmsLog.TYPE_LOGIN);
	if(baseVO.getResult() - BaseVO.SUCCESS == 0){
		//发送短信
		String result = SMSUtil.send(phone, Language.show("sms_loginSendCodeText").replaceAll("\\$\\{code\\}", baseVO.getInfo()+""));
		if(result == null){
			baseVO.setBaseVO(BaseVO.SUCCESS, Language.show("sms_codeSendYourPhoneSuccess"));
		}else{
			baseVO.setBaseVO(BaseVO.FAILURE, Language.show("sms_saveFailure")+"-"+result);
		}
	}
	return baseVO;
}
 

/**
 * 提交反馈信息，只限 post 提交
 * @param id 要删除的输入模型的id，对应 {@link InputModel}.id
 */
@RequestMapping(value="formAdd${url.suffix}", method = RequestMethod.POST)
@ResponseBody
public BaseVO formAdd(HttpServletRequest request, Model model,
		@RequestParam(value = "siteid", required = false , defaultValue="0") int siteid,
		@RequestParam(value = "title", required = false , defaultValue="") String title){
	String ip = IpUtil.getIpAddress(request);
	Frequency frequency = frequencyMap.get(ip);
	int currentTime = DateUtil.timeForUnix10();	//当前10位时间戳
	//今天尚未提交过，那么创建一个记录
	if(frequency == null){
		frequency = new Frequency();
		frequency.setIp(ip);
	}
	
	//判断当前是否允许提交反馈信息，如果不允许，需要记录，并返回不允许的提示。
	if(frequency.getForbidtime() > currentTime){
		//间隔时间太短，不允许提交反馈信息
		frequency.setErrorNumber(frequency.getErrorNumber()+1);
		frequencyMap.put(ip, frequency);	//临时存储，这个存储时间是一天,每天清除一次
		return error("距离上次提交时间太短，等会再试试吧");
	}
	
	/** 下面就是允许提交的逻辑处理了 **/
	frequency.setLasttime(currentTime);	//设置当前为最后一次提交的时间
	frequency.setForbidtime(currentTime + FeedbackTimeInterval);	//设置下次允许提交反馈的时间节点，这个时间节点之前是不允许在此提交的
	frequencyMap.put(ip, frequency);	//临时存储，这个存储时间是一天,每天清除一次
	
	
	title = StringUtil.filterXss(title);
	if(siteid <= 0){
		return error("请传入您的站点id（siteid），不然，怎么知道此反馈表单是属于哪个网站的呢？");
	}
	
	Form form = new Form();
	form.setAddtime(DateUtil.timeForUnix10());
	form.setSiteid(siteid);
	form.setState(Form.STATE_UNREAD);
	form.setTitle(title);
	sqlService.save(form);
	if(form.getId() != null && form.getId() > 0){
		//成功，进而存储具体内容。存储内容时，首先要从提交的数据中，便利出所有表单数据.这里是原始提交的结果，需要进行xss过滤
		Map<String, String[]> params = new HashMap<String, String[]>();
		params.putAll(request.getParameterMap());
		//删除掉siteid、title的参数
		params.remove("siteid");
		if(params.get("title") != null){
			params.remove("title");
		}
		
		JSONArray jsonArray = new JSONArray();	//text文本框所存储的内容
		for (Map.Entry<String, String[]> entry : params.entrySet()) { 
			JSONObject json = new JSONObject();
			JSONArray valueJsonArray = new JSONArray();
			
			for (int i = 0; i < entry.getValue().length; i++) {
				valueJsonArray.add(StringUtil.filterXss(entry.getValue()[i]));
			}
			json.put(StringUtil.filterXss(entry.getKey()), valueJsonArray);
			jsonArray.add(json);
		}
		String text = jsonArray.toString();
		if(text.length() > textMaxLength){
			return error("信息太长，非法提交！");
		}
		
		FormData formData = new FormData();
		formData.setId(form.getId());
		formData.setText(text);
		sqlService.save(formData);
		
		//记录日志
		AliyunLog.addActionLog(form.getId(), "提交表单反馈", form.getTitle());
		
		return success();
	}else{
		return error("保存失败");
	}
	
}
 

/**
 * 修改站点绑定的域名
 * @param siteid v2.1版本中以废弃，从Session中拿Site
 */
@RequestMapping(value="updateBindDomain${url.suffix}", method = RequestMethod.POST)
@ResponseBody
public BaseVO updateBindDomain(Model model,HttpServletRequest request,
		@RequestParam(value = "bindDomain", required = false , defaultValue="") String bindDomain){
	BaseVO vo = new BaseVO();
	
	bindDomain = StringUtil.filterXss(bindDomain);
	
	//v3.0版本更新，若不填写，则是绑定空的字符串，也就是解除之前的域名绑定！
	if(bindDomain.length() == 0){
		//为空，则是取消域名绑定
	}else{
		//查询此域名是否被绑定过了
		int scount = sqlService.count("site", "WHERE bind_domain = '"+bindDomain+"'");
		if(scount > 0){
			vo.setBaseVO(BaseVO.FAILURE, "此域名已经被绑定过了！");
			return vo;
		}
	}
	
	//v2.1更新，直接从Session中拿site.id
	Site site = sqlService.findById(Site.class, getSiteId());
	String oldBindDomain = site.getBindDomain();
	site.setBindDomain(bindDomain);
	sqlService.save(site);
	
	//更新域名服务器
	MQBean mqBean = new MQBean();
	mqBean.setType(MQBean.TYPE_BIND_DOMAIN);
	mqBean.setOldValue(oldBindDomain);
	mqBean.setSimpleSite(new SimpleSite(site));
	siteService.updateDomainServers(mqBean);
	
	//刷新Session缓存
	Func.getUserBeanForShiroSession().setSite(site);
	
	//刷新site.js
	new com.xnx3.wangmarket.admin.cache.Site().site(site,imService.getImByCache());
	
	AliyunLog.addActionLog(site.getId(), "修改站点绑定的域名为："+site.getBindDomain());
	return vo;
}
 

/**
	 * 用户开通账户并创建网站，进行提交保存
	 * @param username 用户名
	 * @param email 邮箱，可为空
	 * @param password 密码
	 * @param phone 手机号
	 * @param code 手机验证码
	 * @param clilent 网站类型
	 */
	@RequestMapping(value="userCreateSite${url.suffix}", method = RequestMethod.POST)
	@ResponseBody
	public BaseVO userCreateSite(HttpServletRequest request,
			@RequestParam(value = "username", required = false , defaultValue="") String username,
			@RequestParam(value = "email", required = false , defaultValue="") String email,
			@RequestParam(value = "password", required = false , defaultValue="") String password,
			@RequestParam(value = "phone", required = false , defaultValue="") String phone,
			@RequestParam(value = "code", required = false , defaultValue="") String code
//			@RequestParam(value = "clilent", required = false , defaultValue="3") Short client
			){
		if(Global.getInt("ALLOW_USER_REG") == 0){
			return error("抱歉，当前禁止用户自行注册开通网站！");
		}
		username = StringUtil.filterXss(username);
		email = filter(email);
		phone = filter(phone);
		code = filter(code);
		
		//判断用户的短信验证码
//		BaseVO verifyVO = smsLogService.verifyPhoneAndCode(phone, code, SmsLog.TYPE_REG, 300);
//		if(verifyVO.getResult() - BaseVO.FAILURE == 0){
//			return verifyVO;
//		}
		
		//注册用户
		User user = new User();
		user.setUsername(username);
		user.setPhone(phone);
		user.setEmail(email);
		user.setPassword(password);
		user.setOssSizeHave(G.REG_GENERAL_OSS_HAVE);
		BaseVO userVO = userService.reg(user, request);
		if(userVO.getResult() - BaseVO.FAILURE == 0){
			return userVO;
		}
		
		//为此用户设置其自动登录成功
		int userid = Lang.stringToInt(userVO.getInfo(), 0);
		if(userid == 0){
			ActionLogCache.insert(request, "warn", "自助开通网站，自动创建账号出现问题。info:"+userVO.getInfo());
			return error("自动创建账号出现问题");
		}
		BaseVO loginVO = userService.loginByUserid(request,userid);
		if(loginVO.getResult() - BaseVO.FAILURE == 0){
			return loginVO;
		}
		UserBean userBean = new UserBean();
		//将拥有所有功能的管理权限，将功能菜单全部遍历出来，赋予这个用户
		Map<String, String> menuMap = new HashMap<String, String>();
		for (TemplateMenuEnum e : TemplateMenuEnum.values()) {
			menuMap.put(e.id, "1");
		}
		userBean.setSiteMenuRole(menuMap);
		ShiroFunc.getCurrentActiveUser().setObj(userBean);
		
		//开通网站
		Site site = new Site();
		site.setExpiretime(DateUtil.timeForUnix10() + 31622400);	//到期，一年后，366天后
		site.setClient(Site.CLIENT_CMS);	// v4.11更新 创建网站默认是 CMS 类型
		site.setPhone(phone);
		site.setName("网站名字");
		SiteVO siteVO = siteService.saveSite(site, userid, request);
		AliyunLog.addActionLog(userid, "自助创建网站提交保存",(siteVO.getResult() - SiteVO.SUCCESS == 0 ? "成功":"失败")+",username:"+user.getUsername());
		if(siteVO.getResult() - SiteVO.SUCCESS == 0){
			/**
			 * 免费通道
			 */
			
			return success();
		}else{
			return error(siteVO.getInfo());
		}
	}
 

/**
 * 过滤安全隐患，进行xss、sql注入过滤
 * @return 过滤好的字符
 */
public String filter(String text){
	return StringUtil.filterXss(Sql.filter(text));
}
 

/**
 * 进行xss、sql注入等过滤，常用于用户输入
 * @param text 要过滤得字符串
 * @return 过滤好的字符
 */
public static String filter(String text){
	return StringUtil.filterXss(Sql.filter(text));
}