| src/main/java/com/ruoyi/common/filter/XssFilter.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| src/main/java/com/ruoyi/common/utils/StringUtils.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| src/main/java/com/ruoyi/framework/config/FilterConfig.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| src/main/java/com/ruoyi/project/system/domain/SysUser.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| src/main/resources/application.yml | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 |
src/main/java/com/ruoyi/common/filter/XssFilter.java
@@ -3,8 +3,6 @@ import java.io.IOException; import java.util.ArrayList; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; @@ -27,16 +25,10 @@ */ public List<String> excludes = new ArrayList<>(); /** * xss过滤开关 */ public boolean enabled = false; @Override public void init(FilterConfig filterConfig) throws ServletException { String tempExcludes = filterConfig.getInitParameter("excludes"); String tempEnabled = filterConfig.getInitParameter("enabled"); if (StringUtils.isNotEmpty(tempExcludes)) { String[] url = tempExcludes.split(","); @@ -44,10 +36,6 @@ { excludes.add(url[i]); } } if (StringUtils.isNotEmpty(tempEnabled)) { enabled = Boolean.valueOf(tempEnabled); } } @@ -68,25 +56,14 @@ private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) { if (!enabled) String url = request.getServletPath(); String method = request.getMethod(); // GET DELETE 不过滤 if (method == null || method.matches("GET") || method.matches("DELETE")) { return true; } if (excludes == null || excludes.isEmpty()) { return false; } String url = request.getServletPath(); for (String pattern : excludes) { Pattern p = Pattern.compile("^" + pattern); Matcher m = p.matcher(url); if (m.find()) { return true; } } return false; return StringUtils.matches(url, excludes); } @Override src/main/java/com/ruoyi/common/utils/StringUtils.java
@@ -6,6 +6,7 @@ import java.util.List; import java.util.Map; import java.util.Set; import org.springframework.util.AntPathMatcher; import com.ruoyi.common.constant.Constants; import com.ruoyi.common.core.text.StrFormatter; @@ -463,6 +464,45 @@ return sb.toString(); } /** * 查找指定字符串是否匹配指定字符串列表中的任意一个字符串 * * @param str 指定字符串 * @param strs 需要检查的字符串数组 * @return 是否匹配 */ public static boolean matches(String str, List<String> strs) { if (isEmpty(str) || isEmpty(strs)) { return false; } for (String pattern : strs) { if (isMatch(pattern, str)) { return true; } } return false; } /** * 判断url是否与规则配置: * ? 表示单个字符; * * 表示一层路径内的任意字符串,不可跨层级; * ** 表示任意层路径; * * @param pattern 匹配规则 * @param url 需要匹配的url * @return */ public static boolean isMatch(String pattern, String url) { AntPathMatcher matcher = new AntPathMatcher(); return matcher.match(pattern, url); } @SuppressWarnings("unchecked") public static <T> T cast(Object obj) { src/main/java/com/ruoyi/framework/config/FilterConfig.java
@@ -4,6 +4,7 @@ import java.util.Map; import javax.servlet.DispatcherType; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; @@ -17,11 +18,9 @@ * @author ruoyi */ @Configuration @ConditionalOnProperty(value = "xss.enabled", havingValue = "true") public class FilterConfig { @Value("${xss.enabled}") private String enabled; @Value("${xss.excludes}") private String excludes; @@ -40,7 +39,6 @@ registration.setOrder(FilterRegistrationBean.HIGHEST_PRECEDENCE); Map<String, String> initParameters = new HashMap<String, String>(); initParameters.put("excludes", excludes); initParameters.put("enabled", enabled); registration.setInitParameters(initParameters); return registration; } src/main/java/com/ruoyi/project/system/domain/SysUser.java
@@ -58,9 +58,6 @@ /** 密码 */ private String password; /** 盐加密 */ private String salt; /** 帐号状态(0正常 1停用) */ @Excel(name = "帐号状态", readConverterExp = "0=正常,1=停用") private String status; @@ -213,16 +210,6 @@ this.password = password; } public String getSalt() { return salt; } public void setSalt(String salt) { this.salt = salt; } public String getStatus() { return status; @@ -325,7 +312,6 @@ .append("sex", getSex()) .append("avatar", getAvatar()) .append("password", getPassword()) .append("salt", getSalt()) .append("status", getStatus()) .append("delFlag", getDelFlag()) .append("loginIp", getLoginIp()) src/main/resources/application.yml
@@ -115,7 +115,7 @@ # 过滤开关 enabled: true # 排除链接(多个用逗号分隔) excludes: /system/notice/* excludes: /system/notice # 匹配链接 urlPatterns: /system/*,/monitor/*,/tool/*
