From 165ffd4ef4886f4be9b59f76e9b85b9c6c1cdab5 Mon Sep 17 00:00:00 2001
From: zch
Date: Wed, 22 Apr 2026 11:22:11 +0800
Subject: [PATCH] =?UTF-8?q?change(XssHttpServletRequestWrapper):=20?=
 =?UTF-8?q?=E7=A7=BB=E9=99=A4=20JSON=20=E8=AF=B7=E6=B1=82=E4=BD=93?=
 =?UTF-8?q?=E7=9A=84=20XSS=20=E8=BF=87=E6=BB=A4=E9=80=BB=E8=BE=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../common/filter/XssHttpServletRequestWrapper.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssHttpServletRequestWrapper.java b/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssHttpServletRequestWrapper.java
index bf7837b..630e6aa 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssHttpServletRequestWrapper.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssHttpServletRequestWrapper.java
@@ -54,15 +54,16 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
             return super.getInputStream();
         }
 
-        // 为空,直接返回
+        // 这里只做“是否为空”的探测,不再对整段 JSON 做 clean。
+        // 原因:门户页面配置里存在“JSON 字符串中再嵌 HTML 富文本”的场景,
+        // 如果对整个请求体统一转义,会把引号、标签、转义符一起改坏,最终导致 @RequestBody 反序列化失败。
         String json = IOUtils.toString(super.getInputStream(), "utf-8");
         if (StringUtils.isEmpty(json))
         {
             return super.getInputStream();
         }
 
-        // xss过滤
-        json = EscapeUtil.clean(json).trim();
+        // JSON 请求体保持原样透传,字段级过滤应交给具体业务校验或展示侧转义处理。
         byte[] jsonBytes = json.getBytes("utf-8");
         final ByteArrayInputStream bis = new ByteArrayInputStream(jsonBytes);
         return new ServletInputStream()
@@ -108,4 +109,4 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
         String header = super.getHeader(HttpHeaders.CONTENT_TYPE);
         return StringUtils.startsWithIgnoreCase(header, MediaType.APPLICATION_JSON_VALUE);
     }
-}
\ No newline at end of file
+}
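Review bot: Dropping `EscapeUtil.clean(json)` disables XSS filtering for every JSON request body the filter sees, not just the portal rich-text configuration the new comment describes, and the commit adds no replacement check anywhere else. The comment's promise that "field-level filtering should be done by business validation or output-side escaping" is a policy, not code; unless those controllers already sanitize, every stored-XSS sink that previously relied on this wrapper is now unprotected. I would narrow the bypass to the endpoints that genuinely carry embedded HTML (via the filter's exclude configuration, if one exists, or a URI check in this wrapper) and keep the clean for all other JSON bodies, and have the rich-text fields themselves pass through an allowlist HTML sanitizer on the server rather than raw passthrough. With the clean gone, buffering the whole body into `json` only to re-wrap it byte-for-byte is wasted work and memory; `return super.getInputStream();` after the content-type check would be equivalent. The enclosing `getInputStream()` method begins before this hunk and continues past it.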