From 5894bc6d956c4ea39fd05dddb0dbf62444ab23b7 Mon Sep 17 00:00:00 2001
From: landaiqing <3517283258@qq.com>
Date: Tue, 15 Oct 2024 18:14:24 +0800
Subject: [PATCH] :sparkles: add xss filter

---
 .../comment_controller/comment_controller.go | 21 ++++++++++++++++---
 controller/user_controller/user_controller.go | 2 +-
 go.mod | 6 ++++--
 go.sum | 13 +++++++++---
 model/sca_auth_casbin_rule.go | 10 ++++-----
 model/sca_comment_likes.go | 4 +++-
 utils/xss_filter.go | 11 ++++++++++
 7 files changed, 52 insertions(+), 15 deletions(-)
 create mode 100644 utils/xss_filter.go

diff --git a/controller/comment_controller/comment_controller.go b/controller/comment_controller/comment_controller.go
index af4ae24..7d63f99 100644
--- a/controller/comment_controller/comment_controller.go
+++ b/controller/comment_controller/comment_controller.go
@@ -62,7 +62,12 @@ func (CommentController) CommentSubmit(c *gin.Context) {
 if commentRequest.UserID == commentRequest.Author {
 isAuthor = 1
 }
- commentContent := global.SensitiveManager.Replace(commentRequest.Content, '*')
+ xssFilterContent := utils.XssFilter(commentRequest.Content)
+ if xssFilterContent == "" {
+ result.FailWithMessage(ginI18n.MustGetMessage(c, "CommentSubmitFailed"), c)
+ return
+ }
+ commentContent := global.SensitiveManager.Replace(xssFilterContent, '*')
 commentReply := model.ScaCommentReply{
 Content: commentContent,
 UserId: commentRequest.UserID,
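Review bot: The six lines added after `isAuthor = 1` are repeated verbatim in the ReplySubmit and ReplyReplySubmit hunks of the same file, so a change to the policy, the empty-result handling or the i18n key must now be made in three places; a single helper that filters, reports the empty result and applies the sensitive-word replacement keeps the three submit paths in step. Note also that `xssFilterContent == ""` only refuses input that sanitizes to nothing, so a comment made of stripped markup plus whitespace may still be stored as whitespace — if blank comments are meant to be refused, trim before the check. All three handlers begin and end outside their hunks, so the helper below replaces only the added lines; the lines after `commentReply :=` stay as they are.
```go
// sanitizeComment runs the XSS filter and the sensitive-word replacement; it
// reports false after answering the client when nothing survives the filter.
func sanitizeComment(c *gin.Context, raw string) (string, bool) {
	filtered := utils.XssFilter(raw)
	if filtered == "" {
		result.FailWithMessage(ginI18n.MustGetMessage(c, "CommentSubmitFailed"), c)
		return "", false
	}
	return global.SensitiveManager.Replace(filtered, '*'), true
}

// … unchanged: CommentSubmit up to the isAuthor assignment …
	commentContent, ok := sanitizeComment(c, commentRequest.Content)
	if !ok {
		return
	}
// … unchanged: commentReply construction and the rest of the handler …
```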
@@ -131,7 +136,12 @@ func (CommentController) ReplySubmit(c *gin.Context) {
 if replyCommentRequest.UserID == replyCommentRequest.Author {
 isAuthor = 1
 }
- commentContent := global.SensitiveManager.Replace(replyCommentRequest.Content, '*')
+ xssFilterContent := utils.XssFilter(replyCommentRequest.Content)
+ if xssFilterContent == "" {
+ result.FailWithMessage(ginI18n.MustGetMessage(c, "CommentSubmitFailed"), c)
+ return
+ }
+ commentContent := global.SensitiveManager.Replace(xssFilterContent, '*')
 commentReply := model.ScaCommentReply{
 Content: commentContent,
 UserId: replyCommentRequest.UserID,
@@ -202,7 +212,12 @@ func (CommentController) ReplyReplySubmit(c *gin.Context) {
 if replyReplyRequest.UserID == replyReplyRequest.Author {
 isAuthor = 1
 }
- commentContent := global.SensitiveManager.Replace(replyReplyRequest.Content, '*')
+ xssFilterContent := utils.XssFilter(replyReplyRequest.Content)
+ if xssFilterContent == "" {
+ result.FailWithMessage(ginI18n.MustGetMessage(c, "CommentSubmitFailed"), c)
+ return
+ }
+ commentContent := global.SensitiveManager.Replace(xssFilterContent, '*')
 commentReply := model.ScaCommentReply{
 Content: commentContent,
 UserId: replyReplyRequest.UserID,
diff --git a/controller/user_controller/user_controller.go b/controller/user_controller/user_controller.go
index d2976eb..bf9b0c0 100644
--- a/controller/user_controller/user_controller.go
+++ b/controller/user_controller/user_controller.go
@@ -249,7 +249,7 @@ func (UserController) RefreshHandler(c *gin.Context) {
 }
 data, res := userService.RefreshTokenService(request.RefreshToken)
 if !res {
- result.FailWithMessage(ginI18n.MustGetMessage(c, "LoginExpired"), c)
+ result.FailWithCodeAndMessage(403, ginI18n.MustGetMessage(c, "LoginExpired"), c)
 return
 }
 result.OkWithData(data, c)
diff --git a/go.mod b/go.mod
index 62362b0..b9e3149 100644
--- a/go.mod
+++ b/go.mod
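Review bot: The `FailWithCodeAndMessage(403, …)` line in RefreshHandler passes the code as a bare literal; if that first argument is the HTTP status, an expired or rejected refresh token is an authentication failure and `http.StatusUnauthorized` (401) is what clients expect before re-authenticating, whereas 403 tells them they are authenticated but not permitted. Whichever status is intended, the named constant from `net/http` (`http.StatusUnauthorized` or `http.StatusForbidden`) documents the choice better than the number; I cannot see from the hunk whether `FailWithCodeAndMessage` takes an HTTP status or an application code, so confirm that first. RefreshHandler starts before the hunk.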
@@ -21,6 +21,7 @@ require (
 github.com/juju/ratelimit v1.0.2
 github.com/lionsoul2014/ip2region/binding/golang v0.0.0-20240510055607-89e20ab7b6c6
 github.com/lxzan/gws v1.8.8
+ github.com/microcosm-cc/bluemonday v1.0.27
 github.com/mssola/useragent v1.0.0
 github.com/nsqio/go-nsq v1.1.0
 github.com/pkg6/go-sms v0.1.2
@@ -34,6 +35,7 @@ require (
 github.com/wenlng/go-captcha/v2 v2.0.1
 github.com/wumansgy/goEncrypt v1.1.0
 github.com/yitter/idgenerator-go v1.3.3
+ github.com/zmexing/go-sensitive-word v1.3.0
 go.mongodb.org/mongo-driver v1.17.0
 golang.org/x/crypto v0.27.0
 golang.org/x/text v0.18.0
@@ -48,6 +50,7 @@ require (
 github.com/ArtisanCloud/PowerSocialite/v3 v3.0.7 // indirect
 github.com/KyleBanks/depth v1.2.1 // indirect
 github.com/andybalholm/brotli v1.1.0 // indirect
+ github.com/aymerick/douceur v0.2.0 // indirect
 github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
 github.com/bytedance/sonic v1.12.2 // indirect
 github.com/bytedance/sonic/loader v0.2.0 // indirect
@@ -72,7 +75,6 @@ require (
 github.com/go-playground/universal-translator v0.18.1 // indirect
 github.com/go-playground/validator/v10 v10.22.1 // indirect
 github.com/go-sql-driver/mysql v1.8.1 // indirect
- github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 github.com/goccy/go-json v0.10.3 // indirect
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
@@ -80,6 +82,7 @@ require (
 github.com/golang/mock v1.6.0 // indirect
 github.com/golang/snappy v0.0.4 // indirect
 github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d // indirect
+ github.com/gorilla/css v1.0.1 // indirect
 github.com/gorilla/securecookie v1.1.2 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -121,7 +124,6 @@ require (
 github.com/xdg-go/scram v1.1.2 // indirect
 github.com/xdg-go/stringprep v1.0.4 // indirect
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
- github.com/zmexing/go-sensitive-word v1.3.0 // indirect
 go.opentelemetry.io/otel v1.30.0 // indirect
 go.opentelemetry.io/otel/trace v1.30.0 // indirect
 go.uber.org/mock v0.4.0 // indirect
diff --git a/go.sum b/go.sum
index c4ad219..a100ef5 100644
--- a/go.sum
+++ b/go.sum
@@ -38,6 +38,8 @@ github.com/acmestack/gorm-plus v0.1.5 h1:8FhGeZ1fQpebtT8vgL0Gkt2sJkGjDFitYWnU/Ym github.com/acmestack/gorm-plus v0.1.5/go.mod h1:qGJTQQkQ7ttaov5lIKLshyGaPdtVvJab0Td8iI08XLA= github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M= github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY= +github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk= +github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4= github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwNy7PA4I= github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
@@ -116,8 +118,6 @@ github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaC github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI= github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA= @@ -149,6 +149,8 @@ github.com/google/pprof v0.0.0-20241001023024-f4c0cfd0cf1d/go.mod h1:vavhavw2zAx github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8= +github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0= github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA= github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo= 
@@ -216,6 +218,8 @@ github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= +github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk= +github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA= github.com/microsoft/go-mssqldb v1.6.0/go.mod h1:00mDtPbeQCRGC1HwOOR5K/gr30P1NcEG0vx6Kbv2aJU= github.com/microsoft/go-mssqldb v1.7.2 h1:CHkFJiObW7ItKTJfHo1QX7QBBD1iV+mn1eOyRP3b/PA= github.com/microsoft/go-mssqldb v1.7.2/go.mod h1:kOvZKUdrhhFQmxLZqbwUV0rHkNkZpthMITIb2Ko1IoA= @@ -238,6 +242,8 @@ github.com/nsqio/go-nsq v1.1.0 h1:PQg+xxiUjA7V+TLdXw7nVrJ5Jbl3sN86EhGCQj4+FYE= github.com/nsqio/go-nsq v1.1.0/go.mod h1:vKq36oyeVXgsS5Q8YEO7WghqidAVXQlcFxzQbQTuDEY= github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag= +github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= +github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/orcaman/concurrent-map/v2 v2.0.1 h1:jOJ5Pg2w1oeB6PeDurIYf6k9PQ+aTITr/6lP/L/zp6c= github.com/orcaman/concurrent-map/v2 v2.0.1/go.mod h1:9Eq3TG2oBe5FirmYWQfYO5iH1q0Jv47PLaNK++uCdOM= github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc= 
@@ -278,7 +284,6 @@ github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpE github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= @@ -414,6 +419,8 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= diff --git a/model/sca_auth_casbin_rule.go b/model/sca_auth_casbin_rule.go index 9b62759..e6dea26 100644 --- a/model/sca_auth_casbin_rule.go +++ b/model/sca_auth_casbin_rule.go 
@@ -1,9 +1,9 @@
 package model
 
-const ScaAuthCasbinRuleTableName = "sca_auth_casbin_rule"
+const ScaAuthPermissionRuleTableName = "sca_auth_permission_rule"
 
-// ScaAuthCasbinRule 角色/权限/用户关系表
-type ScaAuthCasbinRule struct {
+// ScaAuthPermissionRule 角色/权限/用户关系表
+type ScaAuthPermissionRule struct {
 Id uint64 `gorm:"column:id;type:bigint(20) unsigned;primary_key;AUTO_INCREMENT" json:"id"`
 Ptype string `gorm:"column:ptype;type:varchar(100)" json:"ptype"`
 V0 string `gorm:"column:v0;type:varchar(100)" json:"v0"`
@@ -14,6 +14,6 @@ type ScaAuthCasbinRule struct {
 V5 string `gorm:"column:v5;type:varchar(100)" json:"v5"`
 }
 
-func (m *ScaAuthCasbinRule) TableName() string {
- return ScaAuthCasbinRuleTableName
+func (m *ScaAuthPermissionRule) TableName() string {
+ return ScaAuthPermissionRuleTableName
 }
diff --git a/model/sca_comment_likes.go b/model/sca_comment_likes.go
index 8a42922..de61592 100644
--- a/model/sca_comment_likes.go
+++ b/model/sca_comment_likes.go
@@ -1,6 +1,8 @@
 package model
 
-import "time"
+import (
+ "time"
+)
 
 const ScaCommentLikesTableName = "sca_comment_likes"
 
diff --git a/utils/xss_filter.go b/utils/xss_filter.go
new file mode 100644
index 0000000..dc81538
--- /dev/null
+++ b/utils/xss_filter.go
@@ -0,0 +1,11 @@
+package utils
+
+import "github.com/microcosm-cc/bluemonday"
+
+// XssFilter Xss 过滤器
+func XssFilter(str string) string {
+ p := bluemonday.NewPolicy()
+ p.AllowElements("br", "img")
+ p.AllowAttrs("style", "src", "alt", "width", "height", "loading").OnElements("img")
+ return p.Sanitize(str)
+}
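Review bot: The first hunk of sca_auth_casbin_rule.go does more than rename a type: changing `ScaAuthPermissionRuleTableName` to `"sca_auth_permission_rule"` remaps the model to a different database table, which is a schema change that needs a migration (or a table rename) and whatever loads the casbin policy must be pointed at the same name, otherwise authorization rules may be read from a table that does not exist or is empty. It is also unrelated to the `add xss filter` subject and would be easier to review and revert as its own commit. The struct fields between the two hunks are outside this view.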
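Review bot: In XssFilter the policy allows `src` on `img` but never calls `AllowURLSchemes` or `AllowStandardURLs`, and as far as I read bluemonday a `NewPolicy()` without one of those does not parse or validate URL attributes at all, so `javascript:` and `data:` sources pass the sanitizer unchanged (confirm against the v1.0.27 source pinned in go.mod); restricting sources to `http`/`https` (plus `AllowRelativeURLs(true)` if uploads are referenced by path) closes that. The policy is also rebuilt on every call, while the library expects it to be constructed once and reused, so hoisting it to package scope is both cheaper and makes the allow-list reviewable in one place. `style` is allowed on `img` without any `AllowStyles` declaration — check how the library treats that combination and either declare the properties you actually need or drop the attribute. The doc comment could say what survives: `// XssFilter strips all HTML except <br> and <img> (with a fixed attribute allow-list) from user-submitted content.`
```go
// xssPolicy is built once: only <br> and <img> survive, and img sources are
// limited to http/https URLs.
var xssPolicy = func() *bluemonday.Policy {
	p := bluemonday.NewPolicy()
	p.AllowElements("br", "img")
	p.AllowAttrs("style", "src", "alt", "width", "height", "loading").OnElements("img")
	p.AllowURLSchemes("http", "https")
	return p
}()

// XssFilter Xss 过滤器
func XssFilter(str string) string {
	return xssPolicy.Sanitize(str)
}
```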