diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysNoticeController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysNoticeController.java index dc862be9..3da43269 100644 --- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysNoticeController.java +++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysNoticeController.java @@ -5,6 +5,7 @@ import org.apache.shiro.authz.annotation.RequiresPermissions; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; +import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.PostMapping; @@ -68,7 +69,7 @@ public class SysNoticeController extends BaseController @Log(title = "通知公告", businessType = BusinessType.INSERT) @PostMapping("/add") @ResponseBody - public AjaxResult addSave(SysNotice notice) + public AjaxResult addSave(@Validated SysNotice notice) { notice.setCreateBy(getLoginName()); return toAjax(noticeService.insertNotice(notice)); @@ -92,7 +93,7 @@ public class SysNoticeController extends BaseController @Log(title = "通知公告", businessType = BusinessType.UPDATE) @PostMapping("/edit") @ResponseBody - public AjaxResult editSave(SysNotice notice) + public AjaxResult editSave(@Validated SysNotice notice) { notice.setUpdateBy(getLoginName()); return toAjax(noticeService.updateNotice(notice)); diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/core/domain/entity/SysUser.java b/ruoyi-common/src/main/java/com/ruoyi/common/core/domain/entity/SysUser.java index f3ff4d9f..4daf3261 100644 --- a/ruoyi-common/src/main/java/com/ruoyi/common/core/domain/entity/SysUser.java +++ b/ruoyi-common/src/main/java/com/ruoyi/common/core/domain/entity/SysUser.java @@ -11,6 +11,7 @@ import com.ruoyi.common.annotation.Excel.ColumnType; import com.ruoyi.common.annotation.Excel.Type; import com.ruoyi.common.annotation.Excels; import com.ruoyi.common.core.domain.BaseEntity; +import com.ruoyi.common.xss.Xss; /** * 用户对象 sys_user @@ -160,6 +161,7 @@ public class SysUser extends BaseEntity this.roleId = roleId; } + @Xss(message = "登录账号不能包含脚本字符") @NotBlank(message = "登录账号不能为空") @Size(min = 0, max = 30, message = "登录账号长度不能超过30个字符") public String getLoginName() @@ -172,6 +174,7 @@ public class SysUser extends BaseEntity this.loginName = loginName; } + @Xss(message = "用户昵称不能包含脚本字符") @Size(min = 0, max = 30, message = "用户昵称长度不能超过30个字符") public String getUserName() { diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/bean/BeanValidators.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/bean/BeanValidators.java new file mode 100644 index 00000000..d9821e0e --- /dev/null +++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/bean/BeanValidators.java @@ -0,0 +1,24 @@ +package com.ruoyi.common.utils.bean; + +import java.util.Set; +import javax.validation.ConstraintViolation; +import javax.validation.ConstraintViolationException; +import javax.validation.Validator; + +/** + * bean对象属性验证 + * + * @author ruoyi + */ +public class BeanValidators +{ + public static void validateWithException(Validator validator, Object object, Class... groups) + throws ConstraintViolationException + { + Set> constraintViolations = validator.validate(object, groups); + if (!constraintViolations.isEmpty()) + { + throw new ConstraintViolationException(constraintViolations); + } + } +} diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/xss/Xss.java b/ruoyi-common/src/main/java/com/ruoyi/common/xss/Xss.java new file mode 100644 index 00000000..14e43dc5 --- /dev/null +++ b/ruoyi-common/src/main/java/com/ruoyi/common/xss/Xss.java @@ -0,0 +1,27 @@ +package com.ruoyi.common.xss; + +import javax.validation.Constraint; +import javax.validation.Payload; +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +/** + * 自定义xss校验注解 + * + * @author ruoyi + */ +@Retention(RetentionPolicy.RUNTIME) +@Target(value = { ElementType.METHOD, ElementType.FIELD, ElementType.CONSTRUCTOR, ElementType.PARAMETER }) +@Constraint(validatedBy = { XssValidator.class }) +public @interface Xss +{ + String message() + + default "不允许任何脚本运行"; + + Class[] groups() default {}; + + Class[] payload() default {}; +} diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/xss/XssValidator.java b/ruoyi-common/src/main/java/com/ruoyi/common/xss/XssValidator.java new file mode 100644 index 00000000..43163721 --- /dev/null +++ b/ruoyi-common/src/main/java/com/ruoyi/common/xss/XssValidator.java @@ -0,0 +1,29 @@ +package com.ruoyi.common.xss; + +import javax.validation.ConstraintValidator; +import javax.validation.ConstraintValidatorContext; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +/** + * 自定义xss校验注解实现 + * + * @author ruoyi + */ +public class XssValidator implements ConstraintValidator +{ + private final String HTML_PATTERN = "<(\\S*?)[^>]*>.*?|<.*? />"; + + @Override + public boolean isValid(String value, ConstraintValidatorContext constraintValidatorContext) + { + return !containsHtml(value); + } + + public boolean containsHtml(String value) + { + Pattern pattern = Pattern.compile(HTML_PATTERN); + Matcher matcher = pattern.matcher(value); + return matcher.matches(); + } +} \ No newline at end of file diff --git a/ruoyi-system/src/main/java/com/ruoyi/system/domain/SysNotice.java b/ruoyi-system/src/main/java/com/ruoyi/system/domain/SysNotice.java index 7de4d946..b5c6187b 100644 --- a/ruoyi-system/src/main/java/com/ruoyi/system/domain/SysNotice.java +++ b/ruoyi-system/src/main/java/com/ruoyi/system/domain/SysNotice.java @@ -1,9 +1,11 @@ package com.ruoyi.system.domain; -import javax.validation.constraints.*; +import javax.validation.constraints.NotBlank; +import javax.validation.constraints.Size; import org.apache.commons.lang3.builder.ToStringBuilder; import org.apache.commons.lang3.builder.ToStringStyle; import com.ruoyi.common.core.domain.BaseEntity; +import com.ruoyi.common.xss.Xss; /** * 通知公告表 sys_notice @@ -44,6 +46,7 @@ public class SysNotice extends BaseEntity this.noticeTitle = noticeTitle; } + @Xss(message = "公告标题不能包含脚本字符") @NotBlank(message = "公告标题不能为空") @Size(min = 0, max = 50, message = "公告标题不能超过50个字符") public String getNoticeTitle() diff --git a/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java b/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java index a500f012..a28c7a4b 100644 --- a/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java +++ b/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java @@ -3,6 +3,7 @@ package com.ruoyi.system.service.impl; import java.util.ArrayList; import java.util.List; import java.util.stream.Collectors; +import javax.validation.Validator; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -17,6 +18,7 @@ import com.ruoyi.common.core.text.Convert; import com.ruoyi.common.exception.ServiceException; import com.ruoyi.common.utils.ShiroUtils; import com.ruoyi.common.utils.StringUtils; +import com.ruoyi.common.utils.bean.BeanValidators; import com.ruoyi.common.utils.security.Md5Utils; import com.ruoyi.common.utils.spring.SpringUtils; import com.ruoyi.system.domain.SysPost; @@ -58,6 +60,9 @@ public class SysUserServiceImpl implements ISysUserService @Autowired private ISysConfigService configService; + @Autowired + protected Validator validator; + /** * 根据条件分页查询用户列表 * @@ -489,6 +494,7 @@ public class SysUserServiceImpl implements ISysUserService SysUser u = userMapper.selectUserByLoginName(user.getLoginName()); if (StringUtils.isNull(u)) { + BeanValidators.validateWithException(validator, user); user.setPassword(Md5Utils.hash(user.getLoginName() + password)); user.setCreateBy(operName); this.insertUser(user); @@ -497,6 +503,7 @@ public class SysUserServiceImpl implements ISysUserService } else if (isUpdateSupport) { + BeanValidators.validateWithException(validator, user); user.setUpdateBy(operName); this.updateUser(user); successNum++;