From 060147f1a3077193088beab857be5cc86b9bc5c4 Mon Sep 17 00:00:00 2001
From: mikekks
Date: Sat, 4 May 2024 17:36:39 +0900
Subject: [PATCH] =?UTF-8?q?[FIX]=20xss=20=ED=95=84=ED=84=B0=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../meeteam/global/util/HtmlCharacterEscapes.java | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/main/java/synk/meeteam/global/util/HtmlCharacterEscapes.java b/src/main/java/synk/meeteam/global/util/HtmlCharacterEscapes.java
index 9e0221ec..aecfbf7e 100644
--- a/src/main/java/synk/meeteam/global/util/HtmlCharacterEscapes.java
+++ b/src/main/java/synk/meeteam/global/util/HtmlCharacterEscapes.java
@@ -3,8 +3,10 @@
 import com.fasterxml.jackson.core.SerializableString;
 import com.fasterxml.jackson.core.io.CharacterEscapes;
 import com.fasterxml.jackson.core.io.SerializedString;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringEscapeUtils;
 
+@Slf4j
 public class HtmlCharacterEscapes extends CharacterEscapes {
 
     private final int[] asciiEscapes;
@@ -28,6 +30,14 @@ public int[] getEscapeCodesForAscii() {
 
     @Override
     public SerializableString getEscapeSequence(int ch) {
-        return new SerializedString(StringEscapeUtils.escapeHtml4(Character.toString((char) ch)));
+        char charAt = (char) ch;
+        if (Character.isHighSurrogate(charAt) || Character.isLowSurrogate(charAt)) {
+            StringBuilder sb = new StringBuilder();
+            sb.append("\\u");
+            sb.append(String.format("%04x", ch));
+            return new SerializedString(sb.toString());
+        } else {
+            return new SerializedString(StringEscapeUtils.escapeHtml4(Character.toString(charAt)));
+        }
     }
 }
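Review bot: The `@Slf4j` annotation and `import lombok.extern.slf4j.Slf4j;` added in the first hunk are unused — neither hunk references `log`, and the diffstat's 11 insertions are all visible in this patch — so the change leaves a dead logger field on the class and a Lombok dependency in a pure escaping utility. Drop both lines, or keep them only once something in this class actually logs. If logging is added later, avoid logging the raw characters being escaped, since that would carry the unescaped input into log viewers that the filter is meant to protect.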
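Review bot: The new surrogate branch in getEscapeSequence tests the truncated `(char) ch` but formats the full int `ch`, so for any value above 0xFFFF the check and the emitted digits would disagree and `%04x` would print five or more digits; if Jackson only ever passes UTF-16 code units (as its generators appear to) this cannot happen, but testing the int directly closes the gap and drops the StringBuilder/String.format pair: `if (ch >= Character.MIN_SURROGATE && ch <= Character.MAX_SURROGATE) {` followed by `return new SerializedString("\\u" + Integer.toHexString(ch));`, which is equivalent because every value in that range has exactly four lowercase hex digits. The emitted `\uXXXX` is a JSON escape rather than an HTML one, which is the right thing for a CharacterEscapes hook but deserves a comment such as `// surrogate halves must not be HTML-escaped one at a time; emit JSON \u escapes so the pair survives decoding`. The unchanged else branch still sends everything `asciiEscapes` marks (populated in the constructor, outside this hunk) through escapeHtml4, which leaves `'` and `/` untouched — if `'` is in that table it should be mapped explicitly (e.g. to `&#39;`), because escapeHtml4 will not neutralise it inside a single-quoted attribute.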