Skip to content

Commit 890d3f4

Browse files
csfwffcsfwff
committed
Merge branch 'master' of https://github.com/FishPiOffical/rhythm 
2 parents 5153886 + cf23e0c commit 890d3f4

File tree

1 file changed

+34
-6
lines changed

1 file changed

+34
-6
lines changed

src/main/java/org/b3log/symphony/processor/ChatroomProcessor.java

Lines changed: 34 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -228,12 +228,14 @@ protected boolean removeEldestEntry(Map.Entry eldest) {
228228
}
229229
});
230230
public void genMetal(final RequestContext context) {
231-
Set<String> params = context.getRequest().getParameterNames();
232-
String paramString = "";
233-
for (String param : params) {
234-
paramString += param + "=" + context.getRequest().getParameter(param) + "&";
235-
}
236-
paramString = "?" + paramString.substring(0, paramString.length() - 1);
231+
String ver = safeParam(context.param("ver"), "ver");
232+
String scale = safeParam(context.param("scale"), "scale");
233+
String txt = safeParam(context.param("txt"), "txt");
234+
String url = safeParam(context.param("url"), "url");
235+
String backcolor = safeParam(context.param("backcolor"), "backcolor");
236+
String fontcolor = safeParam(context.param("fontcolor"), "fontcolor");
237+
String paramString = "?ver=" + ver + "&scale=" + scale + "&txt=" + txt + "&url=" + url + "&backcolor=" + backcolor + "&fontcolor=" + fontcolor;
238+
237239
String body = "";
238240
if (!metalCache.containsKey(paramString)) {
239241
String genUrl = Symphonys.get("gen.metal.url") + paramString;
@@ -254,6 +256,32 @@ public void genMetal(final RequestContext context) {
254256
context.getResponse().sendBytes(body.getBytes());
255257
}
256258

259+
public static String safeParam(String value, String type) {
260+
if (value == null) return "";
261+
262+
if ("ver".equals(type) || "scale".equals(type)) {
263+
return value.replaceAll("[^\\d.]", "")
264+
.replaceAll("\\.{2,}", ".")
265+
.replaceAll("^[^\\d]+", "")
266+
.replaceAll("(\\..*)\\.", "$1");
267+
} else if ("txt".equals(type)) {
268+
return value.replaceAll("[^\\u4e00-\\u9fa5a-zA-Z0-9\\s,。!?;:“”‘’()【】《》…—~-]", "");
269+
} else if ("url".equals(type)) {
270+
String filtered = value.replaceAll("[^\\u4e00-\\u9fa5a-zA-Z0-9\\-._~:/?#@!$&'()*+,;=%]", "");
271+
return filtered.startsWith("https://file.fishpi.cn") ? filtered : "";
272+
} else if ("fontcolor".equals(type)) {
273+
return value.replaceAll("[^0-9a-fA-F]", "")
274+
.substring(0, Math.min(6, value.length()))
275+
.toLowerCase();
276+
} else if ("backcolor".equals(type)) {
277+
return value.replaceAll("[^0-9a-fA-F,]", "")
278+
.substring(0, Math.min(13, value.length()))
279+
.toLowerCase();
280+
}
281+
return value;
282+
}
283+
284+
257285
public void nodePush(final RequestContext context) {
258286
final JSONObject requestJSONObject = context.requestJSON();
259287
String adminKey = requestJSONObject.optString("adminKey");

0 commit comments

Comments
 (0)