!56 修复获取售后信息无权限问题，修复xss忽略过滤转义问题

Merge pull request !56 from OceansDeep/feature/pg

buyer-api/src/main/java/cn/lili/controller/trade/AfterSaleBuyerController.java

@@ -74,8 +74,7 @@ public class AfterSaleBuyerController {
     })
     @GetMapping(value = "/applyAfterSaleInfo/{sn}")
     public ResultMessage<AfterSaleApplyVO> applyAfterSaleInfo(@PathVariable String sn) {
-        AfterSaleApplyVO afterSaleApplyVO = OperationalJudgment.judgment(afterSaleService.getAfterSaleVO(sn));
-        return ResultUtil.data(afterSaleApplyVO);
+        return ResultUtil.data(afterSaleService.getAfterSaleVO(sn));
     }
 
     @PostMapping(value = "/save/{orderItemSn}")

framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java

@@ -35,7 +35,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
      *
      * @todo 这里的参数应该更智能些，例如iv，前端的参数包含这两个字母就会放过，这是有问题的
      */
-    private static final String[] IGNORE_FIELD = {"logo", "url", "photo", "intro", "content", "name", "encrypted", "iv","mail"};
+    private static final String[] IGNORE_FIELD = {"logo", "url", "photo", "intro", "content", "name", "image", "encrypted", "iv","mail"};
 
     public XssHttpServletRequestWrapper(HttpServletRequest request) {
         super(request);
@@ -235,7 +235,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
     private String filterXss(String name, String value) {
         if (CharSequenceUtil.containsAny(name.toLowerCase(Locale.ROOT), IGNORE_FIELD)) {
             // 忽略的处理，（过滤敏感字符）
-            return HtmlUtil.filter(value);
+            return HtmlUtil.unescape(HtmlUtil.filter(value));
         } else {
             return cleanXSS(value);
         }

framework/src/main/java/cn/lili/modules/connect/serviceimpl/ConnectServiceImpl.java

@@ -4,16 +4,15 @@ import cn.hutool.json.JSONObject;
 import cn.hutool.json.JSONUtil;
 import cn.lili.cache.Cache;
 import cn.lili.cache.CachePrefix;
+import cn.lili.common.context.ThreadContextHolder;
+import cn.lili.common.enums.ClientTypeEnum;
 import cn.lili.common.enums.ResultCode;
 import cn.lili.common.exception.ServiceException;
 import cn.lili.common.security.AuthUser;
 import cn.lili.common.security.context.UserContext;
 import cn.lili.common.security.token.Token;
-import cn.lili.modules.member.token.MemberTokenGenerate;
 import cn.lili.common.utils.CookieUtil;
 import cn.lili.common.utils.StringUtils;
-import cn.lili.common.context.ThreadContextHolder;
-import cn.lili.common.enums.ClientTypeEnum;
 import cn.lili.modules.connect.entity.Connect;
 import cn.lili.modules.connect.entity.dto.ConnectAuthUser;
 import cn.lili.modules.connect.entity.dto.WechatMPLoginParams;
@@ -22,6 +21,7 @@ import cn.lili.modules.connect.mapper.ConnectMapper;
 import cn.lili.modules.connect.service.ConnectService;
 import cn.lili.modules.member.entity.dos.Member;
 import cn.lili.modules.member.service.MemberService;
+import cn.lili.modules.member.token.MemberTokenGenerate;
 import cn.lili.modules.system.entity.dos.Setting;
 import cn.lili.modules.system.entity.dto.connect.WechatConnectSetting;
 import cn.lili.modules.system.entity.dto.connect.dto.WechatConnectSettingItem;

framework/src/main/java/cn/lili/modules/member/entity/vo/MemberVO.java

@@ -3,12 +3,9 @@ package cn.lili.modules.member.entity.vo;
 import cn.lili.common.enums.ClientTypeEnum;
 import cn.lili.common.security.sensitive.Sensitive;
 import cn.lili.common.security.sensitive.enums.SensitiveStrategy;
-import com.baomidou.mybatisplus.annotation.FieldFill;
-import com.baomidou.mybatisplus.annotation.TableField;
 import com.fasterxml.jackson.annotation.JsonFormat;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
-import org.springframework.data.annotation.CreatedDate;
 import org.springframework.format.annotation.DateTimeFormat;
 
 import java.io.Serializable;

framework/src/main/java/cn/lili/modules/order/order/serviceimpl/AfterSaleServiceImpl.java

@@ -136,7 +136,7 @@ public class AfterSaleServiceImpl extends ServiceImpl<AfterSaleMapper, AfterSale
         }
 
         //获取售后类型
-        Order order = orderService.getBySn(orderItem.getOrderSn());
+        Order order = OperationalJudgment.judgment(orderService.getBySn(orderItem.getOrderSn()));
 
         //订单未支付，不能申请申请售后
         if (order.getPaymentMethod() == null) {

framework/src/main/java/cn/lili/modules/store/entity/dos/StoreDetail.java

@@ -18,7 +18,10 @@ import lombok.NoArgsConstructor;
 import org.hibernate.validator.constraints.Length;
 import org.springframework.format.annotation.DateTimeFormat;
 
-import javax.validation.constraints.*;
+import javax.validation.constraints.Email;
+import javax.validation.constraints.Min;
+import javax.validation.constraints.NotBlank;
+import javax.validation.constraints.Size;
 import java.util.Date;
 
 /**