From 16d8b71e21dc7298b30f46bf264cd9b3589a6978 Mon Sep 17 00:00:00 2001
From: who's hu <hup_dev@outlook.com>
Date: 星期二, 22 八月 2023 17:25:19 +0800
Subject: [PATCH] update ruoyi-ui/src/permission.js. 由于重定向url存在 http://xxx.xx.xxx/{id}?param={a}&name={b} 的场景, 当未登录访问时, 通过改js封装登录后重定向参数, 会丢失?后的query params 如: 访问 http://localhost:1024/core/doc/doc?id=1683734914907807745&version=31 期望 http://localhost:1024/login?redirect=%2Fcore%2Fdoc%2Fdoc%3Fid%3D1683734914907807745%26version%3D31 实际通过 to.fullPath 封装后 获得 http://localhost:1024/login?redirect=%2Fcore%2Fdoc%2Fdoc%3Fid%3D1683734914907807745&version=31
---
ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java | 34 ++++++----------------------------
1 files changed, 6 insertions(+), 28 deletions(-)
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java b/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java
index 1495412..23a76fe 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java
@@ -3,8 +3,6 @@
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
@@ -14,6 +12,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ruoyi.common.utils.StringUtils;
+import com.ruoyi.common.enums.HttpMethod;
/**
* 防止XSS攻击的过滤器
@@ -27,16 +26,10 @@
*/
public List<String> excludes = new ArrayList<>();
- /**
- * xss过滤开关
- */
- public boolean enabled = false;
-
@Override
public void init(FilterConfig filterConfig) throws ServletException
{
String tempExcludes = filterConfig.getInitParameter("excludes");
- String tempEnabled = filterConfig.getInitParameter("enabled");
if (StringUtils.isNotEmpty(tempExcludes))
{
String[] url = tempExcludes.split(",");
@@ -44,10 +37,6 @@
{
excludes.add(url[i]);
}
- }
- if (StringUtils.isNotEmpty(tempEnabled))
- {
- enabled = Boolean.valueOf(tempEnabled);
}
}
@@ -68,25 +57,14 @@
private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response)
{
- if (!enabled)
+ String url = request.getServletPath();
+ String method = request.getMethod();
+ // GET DELETE 不过滤
+ if (method == null || HttpMethod.GET.matches(method) || HttpMethod.DELETE.matches(method))
{
return true;
}
- if (excludes == null || excludes.isEmpty())
- {
- return false;
- }
- String url = request.getServletPath();
- for (String pattern : excludes)
- {
- Pattern p = Pattern.compile("^" + pattern);
- Matcher m = p.matcher(url);
- if (m.find())
- {
- return true;
- }
- }
- return false;
+ return StringUtils.matches(url, excludes);
}
@Override
--
Gitblit v1.9.2