From 87031a099517d929d8639032a16084031f7903e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=96=AF=E7=8B=82=E7=9A=84=E7=8B=AE=E5=AD=90Li?=
 <15040126243@163.com>
Date: Mon, 21 Oct 2024 14:01:34 +0800
Subject: [PATCH] =?UTF-8?q?fix=20=E4=BF=AE=E5=A4=8D=20xss=E8=BF=87?=
 =?UTF-8?q?=E6=BB=A4=E5=99=A8=20=E6=9C=AA=E8=BF=87=E6=BB=A4url=E5=8F=82?=
 =?UTF-8?q?=E6=95=B0=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../filter/XssHttpServletRequestWrapper.java  | 30 ++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssHttpServletRequestWrapper.java b/ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssHttpServletRequestWrapper.java
index b32b0359..80e4886a 100644
--- a/ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssHttpServletRequestWrapper.java
+++ b/ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssHttpServletRequestWrapper.java
@@ -14,6 +14,7 @@ import org.springframework.http.MediaType;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.util.Map;
 
 /**
  * XSS过滤处理
@@ -28,6 +29,33 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
         super(request);
     }
 
+    @Override
+    public String getParameter(String name) {
+        String value = super.getParameter(name);
+        if (value != null) {
+            return HtmlUtil.cleanHtmlTag(value).trim();
+        }
+        return value;
+    }
+
+    @Override
+    public Map<String, String[]> getParameterMap() {
+        Map<String, String[]> valueMap = super.getParameterMap();
+        for (Map.Entry<String, String[]> entry : valueMap.entrySet()) {
+            String[] values = entry.getValue();
+            if (values != null) {
+                int length = values.length;
+                String[] escapseValues = new String[length];
+                for (int i = 0; i < length; i++) {
+                    // 防xss攻击和过滤前后空格
+                    escapseValues[i] = HtmlUtil.cleanHtmlTag(values[i]).trim();
+                }
+                valueMap.put(entry.getKey(), escapseValues);
+            }
+        }
+        return valueMap;
+    }
+
     @Override
     public String[] getParameterValues(String name) {
         String[] values = super.getParameterValues(name);
@@ -40,7 +68,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
             }
             return escapseValues;
         }
-        return super.getParameterValues(name);
+        return values;
     }
 
     @Override