From 2765dd8fd9bcd072033070125aeb197b5233db64 Mon Sep 17 00:00:00 2001
From: paulGao
Date: Tue, 16 Nov 2021 16:55:58 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E8=8E=B7=E5=8F=96=E5=94=AE?= =?UTF-8?q?=E5=90=8E=E4=BF=A1=E6=81=AF=E6=97=A0=E6=9D=83=E9=99=90=E9=97=AE?= =?UTF-8?q?=E9=A2=98=EF=BC=8C=E4=BF=AE=E5=A4=8Dxss=E5=BF=BD=E7=95=A5?= =?UTF-8?q?=E8=BF=87=E6=BB=A4=E8=BD=AC=E4=B9=89=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../cn/lili/controller/trade/AfterSaleBuyerController.java | 3 +--
 .../common/security/filter/XssHttpServletRequestWrapper.java | 4 ++--
 .../modules/order/order/serviceimpl/AfterSaleServiceImpl.java | 2 +-
 3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/buyer-api/src/main/java/cn/lili/controller/trade/AfterSaleBuyerController.java b/buyer-api/src/main/java/cn/lili/controller/trade/AfterSaleBuyerController.java
index 46539670..d6cb030f 100644
--- a/buyer-api/src/main/java/cn/lili/controller/trade/AfterSaleBuyerController.java
+++ b/buyer-api/src/main/java/cn/lili/controller/trade/AfterSaleBuyerController.java
@@ -74,8 +74,7 @@ public class AfterSaleBuyerController {
     })
     @GetMapping(value = "/applyAfterSaleInfo/{sn}")
     public ResultMessage applyAfterSaleInfo(@PathVariable String sn) {
-        AfterSaleApplyVO afterSaleApplyVO = OperationalJudgment.judgment(afterSaleService.getAfterSaleVO(sn));
-        return ResultUtil.data(afterSaleApplyVO);
+        return ResultUtil.data(afterSaleService.getAfterSaleVO(sn));
     }
 
     @PostMapping(value = "/save/{orderItemSn}")
diff --git a/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java b/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
index 013ebba1..79ae65c2 100644
--- a/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
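Review bot: Dropping `OperationalJudgment.judgment(...)` from `applyAfterSaleInfo` removes the only check visible in this controller between the caller and the after-sale record selected by the path variable `sn`, so unless `getAfterSaleVO` now verifies that the record belongs to the current buyer, any authenticated buyer can read another buyer's after-sale details by supplying that buyer's SN. The subject line suggests the intent is to fix a spurious no-permission error, and the truncated `AfterSaleServiceImpl` hunk in this patch may be where the ownership check moves, but that cannot be confirmed from what is visible here. If the service does not enforce ownership, keep the wrapper, `return ResultUtil.data(OperationalJudgment.judgment(afterSaleService.getAfterSaleVO(sn)));`, and correct the comparison inside `judgment` instead. Either way, a one-line comment above the return naming where the ownership check now lives would spare the next reviewer the same question.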
@@ -29,7 +29,7 @@ import java.util.Map;
  */
 public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
 
-    private static final String[] ignoreField = {"logo", "url", "photo", "intro", "content", "name"};
+    private static final String[] ignoreField = {"logo", "url", "photo", "intro", "content", "name", "image"};
 
     public XssHttpServletRequestWrapper(HttpServletRequest request) {
         super(request);
@@ -229,7 +229,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
     private String filterXss(String name, String value) {
         if (CharSequenceUtil.containsAny(name.toLowerCase(Locale.ROOT), ignoreField)) {
             // 忽略的处理,(过滤敏感字符)
-            return HtmlUtil.filter(value);
+            return HtmlUtil.unescape(HtmlUtil.filter(value));
         } else {
             return cleanXSS(value);
         }
diff --git a/framework/src/main/java/cn/lili/modules/order/order/serviceimpl/AfterSaleServiceImpl.java b/framework/src/main/java/cn/lili/modules/order/order/serviceimpl/AfterSaleServiceImpl.java
index 8db3717c..c8c86a29 100644
--- a/framework/src/main/java/cn/lili/modules/order/order/serviceimpl/AfterSaleServiceImpl.java
+++ b/framework/src/main/java/cn/lili/modules/order/order/serviceimpl/AfterSaleServiceImpl.java
@@ -136,7 +136,7 @@ public class AfterSaleServiceImpl extends ServiceImpl
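Review bot: The `ignoreField` entries are matched with `CharSequenceUtil.containsAny` against the lower-cased parameter name (second hunk of this file), so the new `"image"` entry exempts every parameter whose name merely contains that substring from `cleanXSS`, not a single named field, just as the existing `"name"` entry already covers any parameter with `name` anywhere in its identifier. Nothing on the declaration says so, and the array's name reads as a list of exact field names, which makes each widening look narrower than it is. A comment on the declaration would make the contract explicit, e.g. `// Substring-matched against the lower-cased parameter name in filterXss; every match skips cleanXSS and only gets HtmlUtil.filter.`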
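Review bot: Applying `HtmlUtil.unescape` after `HtmlUtil.filter` decodes entities the filter left in place or produced, so for an ignored field a value that arrives already entity-encoded is not seen as markup by `filter` and is then turned back into raw markup by `unescape`, and the stored value is no longer guaranteed to be tag-free, which is the property this branch exists to provide. Decoding before sanitising, `return HtmlUtil.filter(HtmlUtil.unescape(value));`, keeps the sanitiser last; but if the motivation is that `filter` re-encodes `&` in URL-like fields (the visible code does not show this), that ordering will not remove the re-encoding, and the durable fix is to encode these fields at render time rather than decode them here. Whichever is chosen, replace the existing comment with one that states the residual risk, e.g. `// Ignored field: tag-filtered only; the result may contain decoded entities and must still be encoded on output.` The closing brace of `filterXss` lies outside the hunk.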