diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssHttpServletRequestWrapper.java b/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssHttpServletRequestWrapper.java
index bf7837b..630e6aa 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssHttpServletRequestWrapper.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssHttpServletRequestWrapper.java
@@ -54,15 +54,16 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
 return super.getInputStream();
 }
 
- // 为空,直接返回
+ // 这里只做“是否为空”的探测,不再对整段 JSON 做 clean。
+ // 原因:门户页面配置里存在“JSON 字符串中再嵌 HTML 富文本”的场景,
+ // 如果对整个请求体统一转义,会把引号、标签、转义符一起改坏,最终导致 @RequestBody 反序列化失败。
 String json = IOUtils.toString(super.getInputStream(), "utf-8");
 if (StringUtils.isEmpty(json))
 {
 return super.getInputStream();
 }
- // xss过滤
- json = EscapeUtil.clean(json).trim();
+ // JSON 请求体保持原样透传,字段级过滤应交给具体业务校验或展示侧转义处理。
 byte[] jsonBytes = json.getBytes("utf-8");
 final ByteArrayInputStream bis = new ByteArrayInputStream(jsonBytes);
 return new ServletInputStream()
@@ -108,4 +109,4 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
 String header = super.getHeader(HttpHeaders.CONTENT_TYPE);
 return StringUtils.startsWithIgnoreCase(header, MediaType.APPLICATION_JSON_VALUE);
 }
-}
\ No newline at end of file
+}
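Review bot: Dropping `json = EscapeUtil.clean(json).trim();` switches off sanitisation for every `application/json` body this wrapper sees, not only the portal-config rich-text case the new comment describes, so any endpoint that relied on this filter to neutralise stored-XSS payloads in JSON fields is now unprotected while the commit adds no replacement validation or output-side escaping. If the surrounding XssFilter offers a per-URL exclusion mechanism (not visible here), scoping the exemption to the affected endpoints would keep the default behaviour for everyone else; otherwise the note about "业务校验或展示侧转义" should be backed by an actual change before merging. With the clean call gone, the remainder of the branch only copies the body into a `ByteArrayInputStream` unchanged, so if pass-through is the intent the whole JSON branch can collapse to `return super.getInputStream();`, which also removes the `IOUtils.toString` read that buffers entire request bodies in memory. The enclosing `getInputStream` method starts above the hunk and its anonymous `ServletInputStream` continues below it.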