HTML过滤器改为将html转义

ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java

@@ -144,7 +144,10 @@ public class EscapeUtil
 
     public static void main(String[] args)
     {
-        String html = "alert('11111');";
+        String html = "<script>alert(1);</script>";
+        // String html = "<scr<script>ipt>alert(\"XSS\")</scr<script>ipt>";
+        // String html = "<123";
+        // String html = "123>";
         System.out.println(EscapeUtil.clean(html));
         System.out.println(EscapeUtil.escape(html));
         System.out.println(EscapeUtil.unescape(html));

ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java

@@ -131,7 +131,7 @@ public final class HTMLFilter
         vAllowedEntities = new String[] { "amp", "gt", "lt", "quot" };
         stripComment = true;
         encodeQuotes = true;
-        alwaysMakeTags = true;
+        alwaysMakeTags = false;
     }
 
     /**
@@ -208,7 +208,7 @@ public final class HTMLFilter
 
         s = processRemoveBlanks(s);
 
-        s = validateEntities(s);
+        // s = validateEntities(s);
 
         return s;
     }
@@ -245,6 +245,7 @@ public final class HTMLFilter
             // try and form html
             //
             s = regexReplace(P_END_ARROW, "", s);
+            // 不追加结束标签
             s = regexReplace(P_BODY_TO_END, "<$1>", s);
             s = regexReplace(P_XML_CONTENT, "$1<$2", s);