XSS过滤排除非json类型

3 years ago · 93ee021b6e
1 changed files with 17 additions and 0 deletions
--- a/ruoyi-gateway/src/main/java/com/ruoyi/gateway/filter/XssFilter.java
+++ b/ruoyi-gateway/src/main/java/com/ruoyi/gateway/filter/XssFilter.java
@ -11,6 +11,7 @@ import org.springframework.core.io.buffer.DataBufferUtils;
				@@ -11,6 +11,7 @@ import org.springframework.core.io.buffer.DataBufferUtils;
 import org.springframework.core.io.buffer.NettyDataBufferFactory;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
 import org.springframework.stereotype.Component;
@ -45,6 +46,11 @@ public class XssFilter implements GlobalFilter, Ordered
				@@ -45,6 +46,11 @@ public class XssFilter implements GlobalFilter, Ordered
        {
            return chain.filter(exchange);
        }
+        // 非json类型，不过滤
+        if (!isJsonRequest(exchange))
+        {
+            return chain.filter(exchange);
+        }
        // excludeUrls 不过滤
        String url = request.getURI().getPath();
        if (StringUtils.matches(url, xss.getExcludeUrls()))
@ -95,6 +101,17 @@ public class XssFilter implements GlobalFilter, Ordered
				@@ -95,6 +101,17 @@ public class XssFilter implements GlobalFilter, Ordered
        return serverHttpRequestDecorator;
    }

+    /**
+     * 是否是Json请求
+     * 
+     * @param request
+     */
+    public boolean isJsonRequest(ServerWebExchange exchange)
+    {
+        String header = exchange.getRequest().getHeaders().getFirst(HttpHeaders.CONTENT_TYPE);
+        return StringUtils.startsWithIgnoreCase(header, MediaType.APPLICATION_JSON_VALUE);
+    }
+
    @Override
    public int getOrder()
    {