From af0e0a110e7187bf008655f7510199a0c0b25ec4 Mon Sep 17 00:00:00 2001
From: Nymph2333 <498092988@qq.com>
Date: 星期一, 10 四月 2023 14:27:40 +0800
Subject: [PATCH] newInstance() 已弃用,使用clazz.getDeclaredConstructor().newInstance() This method propagates any exception thrown by the nullary constructor, including a checked exception. Use of this method effectively bypasses the compile-time exception checking that would otherwise be performed by the compiler. The Constructor.newInstance method avoids this problem by wrapping any exception thrown by the constructor in a (checked) InvocationTargetException. The call clazz.newInstance() can be replaced by clazz.getDeclaredConstructor().newInstance() The latter sequence of calls is inferred to be able to throw the additional exception types InvocationTargetException and NoSuchMethodException. Both of these exception types are subclasses of ReflectiveOperationException.
---
ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java | 34 ++++++----------------------------
1 files changed, 6 insertions(+), 28 deletions(-)
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java b/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java
index 1495412..23a76fe 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java
@@ -3,8 +3,6 @@
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
@@ -14,6 +12,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ruoyi.common.utils.StringUtils;
+import com.ruoyi.common.enums.HttpMethod;
/**
* 防止XSS攻击的过滤器
@@ -27,16 +26,10 @@
*/
public List<String> excludes = new ArrayList<>();
- /**
- * xss过滤开关
- */
- public boolean enabled = false;
-
@Override
public void init(FilterConfig filterConfig) throws ServletException
{
String tempExcludes = filterConfig.getInitParameter("excludes");
- String tempEnabled = filterConfig.getInitParameter("enabled");
if (StringUtils.isNotEmpty(tempExcludes))
{
String[] url = tempExcludes.split(",");
@@ -44,10 +37,6 @@
{
excludes.add(url[i]);
}
- }
- if (StringUtils.isNotEmpty(tempEnabled))
- {
- enabled = Boolean.valueOf(tempEnabled);
}
}
@@ -68,25 +57,14 @@
private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response)
{
- if (!enabled)
+ String url = request.getServletPath();
+ String method = request.getMethod();
+ // GET DELETE 不过滤
+ if (method == null || HttpMethod.GET.matches(method) || HttpMethod.DELETE.matches(method))
{
return true;
}
- if (excludes == null || excludes.isEmpty())
- {
- return false;
- }
- String url = request.getServletPath();
- for (String pattern : excludes)
- {
- Pattern p = Pattern.compile("^" + pattern);
- Matcher m = p.matcher(url);
- if (m.find())
- {
- return true;
- }
- }
- return false;
+ return StringUtils.matches(url, excludes);
}
@Override
--
Gitblit v1.9.2