新增xss过滤开关

2018-08-10 18:12:28 +08:00 · 2018-08-10 18:12:28 +08:00 · e8eaeadbb0
parent bb7799c1aa
commit e8eaeadbb0
2 changed files with 20 additions and 5 deletions
--- a/src/main/java/com/ruoyi/common/xss/XssFilter.java
+++ b/src/main/java/com/ruoyi/common/xss/XssFilter.java
@ -14,6 +14,7 @@ import javax.servlet.ServletResponse;
 import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import com.ruoyi.common.utils.StringUtils;

 /**
 * 防止XSS攻击的过滤器
@ -23,24 +24,33 @@ import javax.servlet.http.HttpServletResponse;
@WebFilter(filterName = "xssFilter", urlPatterns = "/system/*")
 public class XssFilter implements Filter
 {
-
    /**
     * 排除链接
     */
    public List<String> excludes = new ArrayList<>();

+    /**
+     * xss过滤开关
+     */
+    public boolean xssEbabled = false;
+
    @Override
    public void init(FilterConfig filterConfig) throws ServletException
    {
-        String temp = filterConfig.getInitParameter("excludes");
-        if (temp != null)
+        String tempExcludes = filterConfig.getInitParameter("excludes");
+        String tempXssEbabled = filterConfig.getInitParameter("xssEbabled");
+        if (tempExcludes != null)
        {
-            String[] url = temp.split(",");
+            String[] url = tempExcludes.split(",");
            for (int i = 0; url != null && i < url.length; i++)
            {
                excludes.add(url[i]);
            }
        }
+        if (StringUtils.isNotEmpty(tempXssEbabled))
+        {
+            xssEbabled = Boolean.valueOf(tempXssEbabled);
+        }
    }

    @Override
@ -64,6 +74,10 @@ public class XssFilter implements Filter
        {
            return false;
        }
+        if (!xssEbabled)
+        {
+            return true;
+        }
        String url = request.getServletPath();
        for (String pattern : excludes)
        {
--- a/src/main/java/com/ruoyi/framework/config/FilterConfig.java
+++ b/src/main/java/com/ruoyi/framework/config/FilterConfig.java
@ -27,7 +27,8 @@ public class FilterConfig
        registration.setName("xssFilter");
        registration.setOrder(Integer.MAX_VALUE);
        Map<String, String> initParameters = Maps.newHashMap();
-        initParameters.put("excludes", "/system/notice/*");
+        initParameters.put("excludes", "/system/notice/*,/img/*,/css/*,/fonts/*,/js/*,/ajax/*,/ruoyi/*");
+        initParameters.put("xssEbabled", "false");
        registration.setInitParameters(initParameters);
        return registration;
    }