RuoYi преди 6 години
родител
ревизия
e8eaeadbb0
променени са 2 файла, в които са добавени 20 реда и са изтрити 5 реда
  1. 18 4
      src/main/java/com/ruoyi/common/xss/XssFilter.java
  2. 2 1
      src/main/java/com/ruoyi/framework/config/FilterConfig.java

+ 18 - 4
src/main/java/com/ruoyi/common/xss/XssFilter.java

@@ -14,6 +14,7 @@ import javax.servlet.ServletResponse;
 import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import com.ruoyi.common.utils.StringUtils;
 
 /**
  * 防止XSS攻击的过滤器
@@ -23,24 +24,33 @@ import javax.servlet.http.HttpServletResponse;
 @WebFilter(filterName = "xssFilter", urlPatterns = "/system/*")
 public class XssFilter implements Filter
 {
-
     /**
      * 排除链接
      */
     public List<String> excludes = new ArrayList<>();
 
+    /**
+     * xss过滤开关
+     */
+    public boolean xssEbabled = false;
+
     @Override
     public void init(FilterConfig filterConfig) throws ServletException
     {
-        String temp = filterConfig.getInitParameter("excludes");
-        if (temp != null)
+        String tempExcludes = filterConfig.getInitParameter("excludes");
+        String tempXssEbabled = filterConfig.getInitParameter("xssEbabled");
+        if (tempExcludes != null)
         {
-            String[] url = temp.split(",");
+            String[] url = tempExcludes.split(",");
             for (int i = 0; url != null && i < url.length; i++)
             {
                 excludes.add(url[i]);
             }
         }
+        if (StringUtils.isNotEmpty(tempXssEbabled))
+        {
+            xssEbabled = Boolean.valueOf(tempXssEbabled);
+        }
     }
 
     @Override
@@ -64,6 +74,10 @@ public class XssFilter implements Filter
         {
             return false;
         }
+        if (!xssEbabled)
+        {
+            return true;
+        }
         String url = request.getServletPath();
         for (String pattern : excludes)
         {

+ 2 - 1
src/main/java/com/ruoyi/framework/config/FilterConfig.java

@@ -27,7 +27,8 @@ public class FilterConfig
         registration.setName("xssFilter");
         registration.setOrder(Integer.MAX_VALUE);
         Map<String, String> initParameters = Maps.newHashMap();
-        initParameters.put("excludes", "/system/notice/*");
+        initParameters.put("excludes", "/system/notice/*,/img/*,/css/*,/fonts/*,/js/*,/ajax/*,/ruoyi/*");
+        initParameters.put("xssEbabled", "false");
         registration.setInitParameters(initParameters);
         return registration;
     }
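Review bot: `initParameters.put("xssEbabled", "false");` registers the XSS filter but turns it off for the whole application, so after this commit no request parameter is escaped until someone flips the value; if an opt-out is wanted it should default to `"true"`, or be read from a property (e.g. `xss.enabled`) instead of being hard-coded here. The new excludes `/ajax/*` and `/ruoyi/*` are not self-explanatory — a comment such as `// static assets and framework resources carry no user input` would stop a later maintainer from widening the list — and since `@WebFilter` on XssFilter limits it to `/system/*`, the `/img/*,/css/*,/fonts/*,/js/*` entries only take effect if the registration's URL patterns (set outside this hunk) are broader, so check they are not dead configuration. The filter splits the exclude string on "," without trimming, so the list must stay free of spaces.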