修复获取售后信息无权限问题，修复xss忽略过滤转义问题

2021-11-16 16:55:58 +08:00 · 2021-11-16 16:55:58 +08:00 · 2765dd8fd9
commit 2765dd8fd9
parent e218738fda
3 changed files with 4 additions and 5 deletions
--- a/buyer-api/src/main/java/cn/lili/controller/trade/AfterSaleBuyerController.java
+++ b/buyer-api/src/main/java/cn/lili/controller/trade/AfterSaleBuyerController.java
@ -74,8 +74,7 @@ public class AfterSaleBuyerController {
    })
    @GetMapping(value = "/applyAfterSaleInfo/{sn}")
    public ResultMessage<AfterSaleApplyVO> applyAfterSaleInfo(@PathVariable String sn) {
-        AfterSaleApplyVO afterSaleApplyVO = OperationalJudgment.judgment(afterSaleService.getAfterSaleVO(sn));
-        return ResultUtil.data(afterSaleApplyVO);
+        return ResultUtil.data(afterSaleService.getAfterSaleVO(sn));
    }

    @PostMapping(value = "/save/{orderItemSn}")
--- a/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
@ -29,7 +29,7 @@ import java.util.Map;
 */
 public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

-    private static final String[] ignoreField = {"logo", "url", "photo", "intro", "content", "name"};
+    private static final String[] ignoreField = {"logo", "url", "photo", "intro", "content", "name", "image"};

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
@ -229,7 +229,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private String filterXss(String name, String value) {
        if (CharSequenceUtil.containsAny(name.toLowerCase(Locale.ROOT), ignoreField)) {
            // 忽略的处理，（过滤敏感字符）
-            return HtmlUtil.filter(value);
+            return HtmlUtil.unescape(HtmlUtil.filter(value));
        } else {
            return cleanXSS(value);
        }
--- a/framework/src/main/java/cn/lili/modules/order/order/serviceimpl/AfterSaleServiceImpl.java
+++ b/framework/src/main/java/cn/lili/modules/order/order/serviceimpl/AfterSaleServiceImpl.java
@ -136,7 +136,7 @@ public class AfterSaleServiceImpl extends ServiceImpl<AfterSaleMapper, AfterSale
        }

        //获取售后类型
-        Order order = orderService.getBySn(orderItem.getOrderSn());
+        Order order = OperationalJudgment.judgment(orderService.getBySn(orderItem.getOrderSn()));

        //订单未支付，不能申请申请售后
        if (order.getPaymentMethod() == null) {