caojiahao/dev_caojiahao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修复获取售后信息无权限问题,修复xss忽略过滤转义问题

Browse Source
This commit is contained in:
paulGao 2021-11-16 16:55:58 +08:00
parent e218738fda
commit 2765dd8fd9
3 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
buyer-api/src/main/java/cn/lili/controller/trade/AfterSaleBuyerController.java
View File

@ -74,8 +74,7 @@ public class AfterSaleBuyerController {
}) })
@GetMapping(value = "/applyAfterSaleInfo/{sn}") @GetMapping(value = "/applyAfterSaleInfo/{sn}")
public ResultMessage<AfterSaleApplyVO> applyAfterSaleInfo(@PathVariable String sn) { public ResultMessage<AfterSaleApplyVO> applyAfterSaleInfo(@PathVariable String sn) {
AfterSaleApplyVO afterSaleApplyVO = OperationalJudgment.judgment(afterSaleService.getAfterSaleVO(sn)); return ResultUtil.data(afterSaleService.getAfterSaleVO(sn));
return ResultUtil.data(afterSaleApplyVO);
} }
@PostMapping(value = "/save/{orderItemSn}") @PostMapping(value = "/save/{orderItemSn}")

4
framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
View File

@ -29,7 +29,7 @@ import java.util.Map;
*/ */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private static final String[] ignoreField = {"logo", "url", "photo", "intro", "content", "name"}; private static final String[] ignoreField = {"logo", "url", "photo", "intro", "content", "name", "image"};
public XssHttpServletRequestWrapper(HttpServletRequest request) { public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request); super(request);
@ -229,7 +229,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private String filterXss(String name, String value) { private String filterXss(String name, String value) {
if (CharSequenceUtil.containsAny(name.toLowerCase(Locale.ROOT), ignoreField)) { if (CharSequenceUtil.containsAny(name.toLowerCase(Locale.ROOT), ignoreField)) {
// 忽略的处理过滤敏感字符 // 忽略的处理过滤敏感字符
return HtmlUtil.filter(value); return HtmlUtil.unescape(HtmlUtil.filter(value));
} else { } else {
return cleanXSS(value); return cleanXSS(value);
} }

2
framework/src/main/java/cn/lili/modules/order/order/serviceimpl/AfterSaleServiceImpl.java
View File

@ -136,7 +136,7 @@ public class AfterSaleServiceImpl extends ServiceImpl<AfterSaleMapper, AfterSale
} }
//获取售后类型 //获取售后类型
Order order = orderService.getBySn(orderItem.getOrderSn()); Order order = OperationalJudgment.judgment(orderService.getBySn(orderItem.getOrderSn()));
//订单未支付不能申请申请售后 //订单未支付不能申请申请售后
if (order.getPaymentMethod() == null) { if (order.getPaymentMethod() == null) {