package xyz.shodown.common.util.io;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import xyz.shodown.common.consts.LogCategory;
import xyz.shodown.common.consts.Symbols;
import xyz.shodown.common.util.basic.StringUtil;

/* loaded from: input_file:xyz/shodown/common/util/io/XssUtil.class */
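public class XssUtil {
    private static final Logger log = LoggerFactory.getLogger(LogCategory.PLATFORM);

    /**
     * Denylist of SQL fragments consulted by {@link #cleanSqlKeyWords(String)}.
     *
     * <p>Holder class only: it has no behaviour of its own and cannot be instantiated.
     * The decompiler reports it was originally {@code private}; the modifier is left as
     * decompiled so the external shape of the class is unchanged.
     */
    public static class SqlIllegalWords {
        /** Pipe-separated source of the denylist; split on {@code |} into {@link #NOT_ALLOWED_KEYWORDS}. */
        private static final String KEY = "and|exec|execute|insert|where|sleep|like|select|delete|update|count|*|%|chr|mid|create|master|truncate|char|declare|;|or|//|/|-|--|+";

        /** Marker substituted for the offending keyword in the log line (reporting only). */
        private static final String INVALID = "INVALID_";

        /** The individual denylisted tokens; matched case-insensitively by the caller. */
        private static final Set<String> NOT_ALLOWED_KEYWORDS =
                new HashSet<>(Arrays.asList(KEY.split("\\|")));

        private SqlIllegalWords() {
        }
    }

    /**
     * Regular expressions that {@link #cleanXss(String)} strips from its input.
     *
     * <p>Holder class only. The decompiler reports it was originally {@code private};
     * the modifier is left as decompiled so the external shape of the class is unchanged.
     */
    public static class XssIllegalPattern {
        /** Flag set 2 in the decompiled source: case-insensitive only ({@code .} does not cross newlines). */
        private static final int CI = Pattern.CASE_INSENSITIVE;

        /** Flag set 42 in the decompiled source: case-insensitive, multiline and dotall. */
        private static final int CI_ML_DOTALL =
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;

        private static final Pattern SCRIPT_PATTERN = Pattern.compile("<script>(\\s*.*?)</script>", CI);
        private static final Pattern SCRIPT_PATTERN_END = Pattern.compile("</script(\\s*.*?)>", CI);
        private static final Pattern SCRIPT_PATTERN_START = Pattern.compile("<script(\\s*.*?)>", CI_ML_DOTALL);
        private static final Pattern EVAL_PATTERN = Pattern.compile("eval\\((.*?)\\)", CI_ML_DOTALL);

        // The decompiled literal was "e\u00adxpression\\(" -- a U+00AD soft hyphen sat inside the
        // word, so the pattern could never match a real CSS "expression(" token. Removed here.
        private static final Pattern EXPRESSION_PATTERN = Pattern.compile("expression\\((.*?)\\)", CI_ML_DOTALL);

        private static final Pattern JAVASCRIPT_PATTERN = Pattern.compile("javascript:", CI);
        private static final Pattern VB_SCRIPT_PATTERN = Pattern.compile("vbscript:", CI);
        private static final Pattern ONLOAD_PATTERN = Pattern.compile("onload(.*?)=", CI_ML_DOTALL);

        // Event-handler attribute names. The list is kept verbatim from the decompiled source
        // (including its misspellings "onerroupdate", "onmousout", "onbeforeeditocus",
        // "onresizend" -- the correctly spelled forms are already covered by the shorter
        // "onerror", "onbefore" and "onresize" entries) and extended with "onmouseout",
        // which no existing alternative matched.
        private static final String EVENT_HANDLER_NAMES =
                "oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror|onerroupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmousout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onabort|onactivate|onafterprint|onafterupdate|onbefore|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload"
                + "|onmouseout";

        private static final Pattern OTHER_PATTERN =
                Pattern.compile("<+.*(" + EVENT_HANDLER_NAMES + ")+.*=+", CI_ML_DOTALL);

        /** Patterns applied in this order by {@link #cleanXss(String)}. */
        private static final List<Pattern> PATTERNS = Arrays.asList(
                SCRIPT_PATTERN,
                SCRIPT_PATTERN_END,
                SCRIPT_PATTERN_START,
                EVAL_PATTERN,
                EXPRESSION_PATTERN,
                JAVASCRIPT_PATTERN,
                VB_SCRIPT_PATTERN,
                ONLOAD_PATTERN,
                OTHER_PATTERN);

        private XssIllegalPattern() {
        }
    }

    /**
     * Reports whether {@code str} contains a denylisted SQL token.
     *
     * <p>Despite the name this method does not modify anything: Java strings are immutable
     * and the cleaned form is only written to the log. A token counts when it is preceded
     * or followed by {@code Symbols.SPACE} (case-insensitive) and the input is longer than
     * the token plus two characters. This is a heuristic denylist for logging/rejecting
     * suspicious parameters; it does not make string-built SQL safe -- queries must still
     * use parameterised statements.
     *
     * @param str the untrusted parameter value; {@code null} or empty yields {@code false}
     * @return {@code true} if a denylisted token was found (and logged), else {@code false}
     */
    public static boolean cleanSqlKeyWords(String str) {
        if (StringUtil.isEmpty(str)) {
            return false;
        }
        for (String keyword : SqlIllegalWords.NOT_ALLOWED_KEYWORDS) {
            // Length guard first: short inputs cannot contain the keyword with context.
            if (str.length() <= keyword.length() + 2) {
                continue;
            }
            // The decompiled code also tested " keyword "; that case is already covered by
            // the " keyword" test, so only the two distinct checks remain.
            boolean found = StringUtil.containsIgnoreCase(str, Symbols.SPACE + keyword)
                    || StringUtil.containsIgnoreCase(str, keyword + Symbols.SPACE);
            if (found) {
                // NOTE(review): the raw untrusted value is written to the log unescaped;
                // the log sink must be robust against embedded newlines/control characters.
                log.error("sql已过滤，因为参数中包含不允许sql的关键词(" + keyword + ");参数：" + str
                        + ";过滤后的参数：" + StringUtil.replaceIgnoreCase(str, keyword, SqlIllegalWords.INVALID));
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether {@code str} contains markup matched by {@link XssIllegalPattern#PATTERNS}.
     *
     * <p>Each pattern is applied in turn, replacing its matches with {@code Symbols.MINUS};
     * the result is compared with the original input. The decompiled version compared the
     * rewritten string with itself ({@code str.equals(str)}) and therefore always returned
     * {@code false}, and never filled the buffer it logged; both are fixed here by keeping the
     * original value and recording which patterns fired. As with
     * {@link #cleanSqlKeyWords(String)}, nothing is modified -- the cleaned text only appears
     * in the log, so callers must not treat a {@code false} result as proof the value is safe
     * for unencoded output.
     *
     * @param str the untrusted input; {@code null} or empty yields {@code false}
     * @return {@code true} if at least one pattern changed the input (and the event was
     *         logged), else {@code false}
     */
    public static boolean cleanXss(String str) {
        if (!StringUtil.isNotEmpty(str)) {
            return false;
        }
        final String original = str;
        String cleaned = str;
        StringBuilder firedPatterns = new StringBuilder();
        for (Pattern pattern : XssIllegalPattern.PATTERNS) {
            String next = pattern.matcher(cleaned).replaceAll(Symbols.MINUS);
            if (!next.equals(cleaned)) {
                // Record the pattern source (not the untrusted text) for the log line.
                firedPatterns.append(pattern.pattern()).append(';');
                cleaned = next;
            }
        }
        if (cleaned.equals(original)) {
            return false;
        }
        log.error("xss已被过滤,请求包含不允许的非法内容(" + firedPatterns + "),内容:" + original
                + "过滤后的内容:" + cleaned);
        return true;
    }

    /**
     * Runs {@link #cleanXss(String)} and, only if it found nothing, {@link #cleanSqlKeyWords(String)}.
     *
     * @param str the untrusted input
     * @return {@code true} if either check flagged the input
     */
    public static boolean cleanXssAndSqlIllegals(String str) {
        return cleanXss(str) || cleanSqlKeyWords(str);
    }
}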
