langhsu / mblog


A free, open-source Java blog system built on spring-boot, spring-data-jpa, shiro, freemarker, bootstrap and other frameworks; supports Docker

Home Page: http://mtons.com

License: GNU General Public License v3.0

Java 64.34% HTML 1.14% FreeMarker 34.31% Dockerfile 0.05% Shell 0.16%

mblog's People

Contributors: langhsu, saxingz, stevenliuit


mblog's Issues

Some XSS vulnerabilities.

I looked at the site-wide XSS filtering rule code, which is

com.mtons.mblog.web.formatter.StringEscapeEditor, lines 41-87

public void setAsText(String text) throws IllegalArgumentException {
    if (text == null) {
        setValue(null);
    } else {
        String value = text;

        // Avoid anything between script tags
        Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");

        // Avoid anything in a src='...' type of expression
//      scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
//      value = scriptPattern.matcher(value).replaceAll("");
//
//      scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
//      value = scriptPattern.matcher(value).replaceAll("");

        // Remove any lonesome </script> tag
        scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");

        // Remove any lonesome <script ...> tag
        scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        // Avoid eval(...) expressions
        scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        // Avoid expression(...) expressions
        scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        // Avoid javascript:... expressions
        scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");

        // Avoid vbscript:... expressions
        scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");

        // Avoid onload= expressions
        scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
        setValue(value);
    }
}

1. The filter rules cover far too few tags and events, e.g.: <img src="x" onerror="alert('xss01')">
2. Replacement like this can be bypassed, e.g.: javascripjavascript:t:alert('xss02');

Take publishing an article as an example.

Click this xss02

Article search:
http://1.cc:8080/search?kw=okok11111<img src="x" onerror="alert('xss')">

Where the nickname is changed, the frontend limits the input length

Manually change maxlength=100

Fix suggestions:
1. Filter HTML tags into HTML entities
2. For Markdown URLs, verify that the URL starts with http.
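As an added illustration of the two fix suggestions above (example code written for this page, not code from mblog; the class and method names are hypothetical): an HTML entity escaper for output, and a Markdown link check that admits only http/https URLs.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example (not mblog code): encode output instead of blacklisting input.
public final class SafeOutput {

    // Fix 1: every HTML-significant character becomes an entity, so the browser
    // renders markup as text. There is no keyword list to slip past, so input
    // like javascripjavascript:t:alert('xss02'); stays inert text.
    public static String escapeHtml(String text) {
        if (text == null) return null;
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Fix 2: a Markdown link target is accepted only when it parses as an
    // absolute URI with an http or https scheme and a host; javascript:,
    // vbscript:, data: and relative targets are all rejected.
    public static boolean isAllowedLinkUrl(String url) {
        if (url == null) return false;
        try {
            URI uri = new URI(url.trim());
            String scheme = uri.getScheme();
            if (scheme == null || uri.getHost() == null) return false;
            scheme = scheme.toLowerCase(Locale.ROOT);
            return scheme.equals("http") || scheme.equals("https");
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println(escapeHtml("<img src=\"x\" onerror=\"alert('xss01')\">"));
        System.out.println(isAllowedLinkUrl("http://mtons.com/"));
        System.out.println(isAllowedLinkUrl("javascripjavascript:t:alert('xss02');"));
    }
}
```

Escaping at output time means the stored text can keep its original characters; the regex blacklist in the editor above can then be dropped rather than extended.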

Suggest allowing new users to be added from the admin backend

I don't want lots of people registering, but I do want friends to come in and publish content; after disabling the registration endpoint there is no way to add new users.

Remote command execution caused by template injection vulnerability

Vulnerability description
Test version: 3.5.0
Latest version: 3.5.0
Vulnerability profile:
The security component Shiro 1.4.0 is used in mblog, which leads to a privilege bypass. The attacker can bypass the privilege check to upload files and finally execute commands.
The exploitation process is as follows:

  1. Construct a malicious compressed package file "evil.zip" that contains an FTL file, as shown in the figure below:

  2. While unauthorized, send a multipart request to the following URL to upload the malicious compressed package file
    http://192.168.83.3/admin/theme/upload/
    Or:
    http://192.168.83.3/dist/..;/admin/theme/upload
  3. Visit the following URL to activate the template just uploaded.
    If the uploaded package name is ssr.zip, the URL below needs to be changed to theme=SSR
    http://192.168.83.3/admin/theme/active/?theme=evil
    Or:
    http://192.168.83.3/dist/..;/admin/theme/active?theme=evil
  4. When the browser accesses index, you can see that the command in the FTL has been executed successfully

Code analysis
Step 1:
Upload file code:
http://192.168.83.3/admin/theme/upload
In mblog version 4.0, Shiro version 1.4.0 is used. It has privilege bypass and padding oracle vulnerabilities; only the privilege bypass vulnerability is needed here.

Template management controller

src/main/java/com/mtons/mblog/web/controller/admin/ThemeController.java

There are two RequestMappings: upload template and enable template.
In the upload method, it receives the zip file uploaded by the user, checks the suffix, and passes the multipart file into the BlogUtils.uploadTheme() method.

In the BlogUtils.uploadTheme() method, it gets the site.location property (user.dir); mblog is a Spring Boot application that runs as a single jar. The following code obtains the current location, creates the /storage/templates directory under the current location, stores the user's uploaded zip file in this directory, and then creates a folder with the same name as the compressed package to store the files from the package.

Step 2:
Enable the template code:
http://192.168.83.3/admin/theme/active/?theme=evil
The corresponding controller file is:
src/main/java/com/mtons/mblog/web/controller/admin/ThemeController.java
The update method encapsulates the request parameters as a map and passes them into the optionsService.update() method.
Afterwards it calls the contextStartup.reloadOptions(false) method.

The implementation class of the optionsService.update() method is as follows:
src/main/java/com/mtons/mblog/modules/service/impl/OptionsServiceImpl.java
According to the key in the request parameter, the optionsRepository.findByKey() method is called; the optionsRepository object is a Spring Data JPA query object, which has only an interface and no concrete implementation, and can be regarded directly as DAO-layer code.
Request parameter ?theme=evil:
key corresponds to theme and value corresponds to evil.
The record is looked up from the data table by theme and the value is assigned.
Then optionsRepository.save() is executed to update it.

In the contextStartup.reloadOptions(false) method,
List options = optionsService.findAll(); finds all keys and values in the database and encapsulates them into a map object, including the theme=evil passed just now.

After fetching the theme attribute from the database, it modifies the system attribute. At this point the preparatory work is complete; you only need to request the index page again to make the server load the malicious template index.ftl and trigger command execution.

Vulnerability submission information
Author: 说书人
Mail: [email protected]
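An added detection example, not code from mblog: a small access-log scanner that flags the two request shapes the report above describes, the "..;" segment in a path and hits on the theme upload/activate endpoints. The log format and the sample lines are constructed, and the class name is hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added detection example (not mblog code): flag, in web-server access logs,
// the request shapes described in the write-up above.
public final class ThemeAbuseDetector {

    // Common log format: client ident user [time] "METHOD path PROTO" status size
    private static final Pattern LINE = Pattern.compile(
            "^(\\S+) \\S+ \\S+ \\[[^\\]]+\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3})");
    // Rule 1: the "..;" segment used to reach /admin/ through a non-admin prefix.
    private static final Pattern SEMICOLON_TRAVERSAL = Pattern.compile("\\.\\.;");
    // Rule 2: the theme upload and activate endpoints themselves.
    private static final Pattern THEME_ADMIN = Pattern.compile("/admin/theme/(upload|active)");

    // Returns one "client method path status" entry per suspicious request.
    public static List<String> findSuspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) continue; // not a request line we understand
            String client = m.group(1), method = m.group(2), path = m.group(3), status = m.group(4);
            boolean traversal = SEMICOLON_TRAVERSAL.matcher(path).find();
            boolean themeAdmin = THEME_ADMIN.matcher(path).find() && status.startsWith("2");
            // Any "..;" path is worth a look; so is a successful theme upload or
            // activation, which should be rare and expected only from admins.
            if (traversal || themeAdmin) {
                hits.add(client + " " + method + " " + path + " " + status);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines, not real traffic.
        List<String> sample = List.of(
            "10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] \"GET /post/1 HTTP/1.1\" 200 5120",
            "10.0.0.9 - - [01/Jan/2021:10:00:01 +0000] \"POST /dist/..;/admin/theme/upload HTTP/1.1\" 200 12",
            "10.0.0.9 - - [01/Jan/2021:10:00:02 +0000] \"GET /admin/theme/active/?theme=evil HTTP/1.1\" 200 12");
        findSuspicious(sample).forEach(System.out::println);
    }
}
```

Correlating the flagged lines with the admin session log tells you whether a theme activation came from a logged-in administrator or from the unauthenticated path described above.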

Database

Do I need to create the database table structure myself?

404 after packaging as a war

After packaging as a war: http://127.0.0.1:8080/blog

With an nginx reverse proxy, CSS loading and generated links all return 404

location / {
    proxy_pass http://127.0.0.1:8080/blog/;
    proxy_set_header   Host    $host;
    proxy_set_header   Remote_Addr    $remote_addr;
    proxy_set_header   X-Real-IP    $remote_addr;
    proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
}

Help ME ---- cannot use [hibernate] to create the database tables

This is the application-mysql.yml configuration
spring:
  datasource:
    #schema: classpath*:scripts/schema.sql
    #continue-on-error: false
    #sql-script-encoding: utf-8
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://172.30.112.148:3306/db_mblog?serverTimezone=GMT&useSSL=false
    username: root
    password: 123456
  flyway:
    enabled: true
  jpa:
    database: mysql
    show-sql: false
    hibernate:
      ddl-auto: create   # [also tried update here, same error]
    database-platform: org.hibernate.dialect.MySQL5InnoDBDialect   # this is the dialect I added
    properties:
      hibernate:
        dialect : org.hibernate.dialect.MySQL5Dialect
        format_sql: true
        naming.physical-strategy: org.hibernate.scripts.model.naming.PhysicalNamingStrategyStandardImpl
        cache.use_second_level_cache: false
        default.directory_provider: filesystem
        search.default.indexBase: ${site.location}/storage/indexes

The current error is that the MySQL tables cannot be created, but I don't know the specific problem

org.hibernate.tool.schema.spi.CommandAcceptanceException: Error executing DDL "create index IK_POST_ID on mto_post_resource (post_id)" via JDBC Statement
at org.hibernate.tool.schema.internal.exec.GenerationTargetToDatabase.accept(GenerationTargetToDatabase.java:67) ~[hibernate-core-5.3.7.Final.jar:5.3.7.Final]
at org.hibernate.tool.schema.internal.SchemaCreatorImpl.applySqlString(SchemaCreatorImpl.java:440) [hibernate-core-5.3.7.Final.jar:5.3.7.Final]
at org.hibernate.tool.schema.internal.SchemaCreatorImpl.applySqlStrings(SchemaCreatorImpl.java:424) [hibernate-core-5.3.7.Final.jar:5.3.7.Final]

Please advise, thank you~~~

bug

Bug report: 1. After a blog post is modified, the tags still remain
2. The publish time of the modified blog post is not changed


There is a CSRF vulnerability in mblog<=3.5.0

There is a CSRF vulnerability in the backend article management. The attacker constructs a CSRF payload.
Once the administrator clicks a malicious link, the article will be deleted.
[Vulnerability Type]
Cross-site request forgery (csrf)
[Vendor of Product]
https://github.com/langhsu/mblog
[Affected Component]
GET /admin/post/delete?id=6 HTTP/1.1
Host: 127.0.0.1:8082
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
Accept: application/json, text/javascript, /; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8082/admin/post/list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_acc69acbc4e6d4c69ecf77725d072490=1628653260; Hm_lvt_cd8218cd51f800ed2b73e5751cb3f4f9=1629356854,1629356969; Hm_lvt_1040d081eea13b44d84a4af639640d51=1629787797; UM_distinctid=17b76ec38b042b-043bd40aca20f-3373266-e1000-17b76ec38b13f6; CNZZDATA1255091723=1621369374-1629783007-http%253A%252F%252F127.0.0.1%253A8080%252F%7C1629783007; JSESSIONID=BcGdm-4poQD-nImmtzQx_gevDCZGrfxbmnirm5hb
Connection: close
[Attack Type]
Remote

[Impact Code execution]
true
POC:


There are two stored XSS vulnerabilities

An XSS vulnerability was discovered in mblog.
In mblog 3.5, a stored XSS exists via the /post/editing value parameter, which allows remote attackers to inject arbitrary web script or HTML.
PoC

xss payload:
<img src=x onerror=alert(1)>


Another stored XSS exists via the /settings/profile value parameter, which allows remote attackers to inject arbitrary web script or HTML.

PoC

xss payload:
<img src=x onerror=alert(1)>

