!56 修复获取售后信息无权限问题，修复xss忽略过滤转义问题

Merge pull request !56 from OceansDeep/feature/pg
2021-11-16 09:00:39 +00:00 · 2021-11-16 09:00:39 +00:00 · 7d43279b49
commit 7d43279b49
parent 0e7c703dfd a843081663
6 changed files with 11 additions and 12 deletions
--- a/buyer-api/src/main/java/cn/lili/controller/trade/AfterSaleBuyerController.java
+++ b/buyer-api/src/main/java/cn/lili/controller/trade/AfterSaleBuyerController.java
@ -74,8 +74,7 @@ public class AfterSaleBuyerController {
    })
    @GetMapping(value = "/applyAfterSaleInfo/{sn}")
    public ResultMessage<AfterSaleApplyVO> applyAfterSaleInfo(@PathVariable String sn) {
-        AfterSaleApplyVO afterSaleApplyVO = OperationalJudgment.judgment(afterSaleService.getAfterSaleVO(sn));
+        return ResultUtil.data(afterSaleService.getAfterSaleVO(sn));
        return ResultUtil.data(afterSaleApplyVO);
    }
    @PostMapping(value = "/save/{orderItemSn}")
--- a/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
@ -35,7 +35,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
     *
     * @todo 这里的参数应该更智能些，例如iv，前端的参数包含这两个字母就会放过，这是有问题的
     */
-    private static final String[] IGNORE_FIELD = {"logo", "url", "photo", "intro", "content", "name", "encrypted", "iv","mail"};
+    private static final String[] IGNORE_FIELD = {"logo", "url", "photo", "intro", "content", "name", "image", "encrypted", "iv","mail"};
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
@ -235,7 +235,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private String filterXss(String name, String value) {
        if (CharSequenceUtil.containsAny(name.toLowerCase(Locale.ROOT), IGNORE_FIELD)) {
            // 忽略的处理，（过滤敏感字符）
-            return HtmlUtil.filter(value);
+            return HtmlUtil.unescape(HtmlUtil.filter(value));
        } else {
            return cleanXSS(value);
        }
--- a/framework/src/main/java/cn/lili/modules/connect/serviceimpl/ConnectServiceImpl.java
+++ b/framework/src/main/java/cn/lili/modules/connect/serviceimpl/ConnectServiceImpl.java
@ -4,16 +4,15 @@ import cn.hutool.json.JSONObject;
 import cn.hutool.json.JSONUtil;
 import cn.lili.cache.Cache;
 import cn.lili.cache.CachePrefix;
 import cn.lili.common.context.ThreadContextHolder;
 import cn.lili.common.enums.ClientTypeEnum;
 import cn.lili.common.enums.ResultCode;
 import cn.lili.common.exception.ServiceException;
 import cn.lili.common.security.AuthUser;
 import cn.lili.common.security.context.UserContext;
 import cn.lili.common.security.token.Token;
 import cn.lili.modules.member.token.MemberTokenGenerate;
 import cn.lili.common.utils.CookieUtil;
 import cn.lili.common.utils.StringUtils;
 import cn.lili.common.context.ThreadContextHolder;
 import cn.lili.common.enums.ClientTypeEnum;
 import cn.lili.modules.connect.entity.Connect;
 import cn.lili.modules.connect.entity.dto.ConnectAuthUser;
 import cn.lili.modules.connect.entity.dto.WechatMPLoginParams;
@ -22,6 +21,7 @@ import cn.lili.modules.connect.mapper.ConnectMapper;
 import cn.lili.modules.connect.service.ConnectService;
 import cn.lili.modules.member.entity.dos.Member;
 import cn.lili.modules.member.service.MemberService;
 import cn.lili.modules.member.token.MemberTokenGenerate;
 import cn.lili.modules.system.entity.dos.Setting;
 import cn.lili.modules.system.entity.dto.connect.WechatConnectSetting;
 import cn.lili.modules.system.entity.dto.connect.dto.WechatConnectSettingItem;
--- a/framework/src/main/java/cn/lili/modules/member/entity/vo/MemberVO.java
+++ b/framework/src/main/java/cn/lili/modules/member/entity/vo/MemberVO.java
@ -3,12 +3,9 @@ package cn.lili.modules.member.entity.vo;
 import cn.lili.common.enums.ClientTypeEnum;
 import cn.lili.common.security.sensitive.Sensitive;
 import cn.lili.common.security.sensitive.enums.SensitiveStrategy;
 import com.baomidou.mybatisplus.annotation.FieldFill;
 import com.baomidou.mybatisplus.annotation.TableField;
 import com.fasterxml.jackson.annotation.JsonFormat;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
 import org.springframework.data.annotation.CreatedDate;
 import org.springframework.format.annotation.DateTimeFormat;
 import java.io.Serializable;
--- a/framework/src/main/java/cn/lili/modules/order/order/serviceimpl/AfterSaleServiceImpl.java
+++ b/framework/src/main/java/cn/lili/modules/order/order/serviceimpl/AfterSaleServiceImpl.java
@ -136,7 +136,7 @@ public class AfterSaleServiceImpl extends ServiceImpl<AfterSaleMapper, AfterSale
        }
        //获取售后类型
-        Order order = orderService.getBySn(orderItem.getOrderSn());
+        Order order = OperationalJudgment.judgment(orderService.getBySn(orderItem.getOrderSn()));
        //订单未支付，不能申请申请售后
        if (order.getPaymentMethod() == null) {
--- a/framework/src/main/java/cn/lili/modules/store/entity/dos/StoreDetail.java
+++ b/framework/src/main/java/cn/lili/modules/store/entity/dos/StoreDetail.java
@ -18,7 +18,10 @@ import lombok.NoArgsConstructor;
 import org.hibernate.validator.constraints.Length;
 import org.springframework.format.annotation.DateTimeFormat;
-import javax.validation.constraints.*;
+import javax.validation.constraints.Email;
 import javax.validation.constraints.Min;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.Size;
 import java.util.Date;
 /**