update 优化 全局开启xss过滤 提高安全性 与cloud版本保持一致

ruoyi-admin/src/main/resources/application.yml

@@ -223,9 +223,10 @@ xss:
   # 过滤开关
   enabled: true
   # 排除链接（多个用逗号分隔）
-  excludes: /system/notice
+  excludeUrls:
-  # 匹配链接
+    - /system/notice
-  urlPatterns: /system/*,/monitor/*,/tool/*
+    - /workflow/model/save
+    - /workflow/model/editModelXml
 
 # 全局线程池相关配置
 # 如使用JDK21请直接使用虚拟线程 不要开启此配置

ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/config/FilterConfig.java

@@ -1,19 +1,15 @@
 package org.dromara.common.web.config;
 
-import org.dromara.common.core.utils.StringUtils;
+import jakarta.servlet.DispatcherType;
 import org.dromara.common.web.config.properties.XssProperties;
 import org.dromara.common.web.filter.RepeatableFilter;
 import org.dromara.common.web.filter.XssFilter;
-import jakarta.servlet.DispatcherType;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 
-import java.util.HashMap;
-import java.util.Map;
-
 /**
  * Filter配置
  *
@@ -30,12 +26,9 @@ public class FilterConfig {
         FilterRegistrationBean registration = new FilterRegistrationBean();
         registration.setDispatcherTypes(DispatcherType.REQUEST);
         registration.setFilter(new XssFilter());
-        registration.addUrlPatterns(StringUtils.split(xssProperties.getUrlPatterns(), StringUtils.SEPARATOR));
+        registration.addUrlPatterns("/*");
         registration.setName("xssFilter");
         registration.setOrder(FilterRegistrationBean.HIGHEST_PRECEDENCE);
-        Map<String, String> initParameters = new HashMap<>();
-        initParameters.put("excludes", xssProperties.getExcludes());
-        registration.setInitParameters(initParameters);
         return registration;
     }
 

ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/config/properties/XssProperties.java

@@ -3,6 +3,9 @@ package org.dromara.common.web.config.properties;
 import lombok.Data;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 
+import java.util.ArrayList;
+import java.util.List;
+
 /**
  * xss过滤 配置属性
  *
@@ -13,18 +16,13 @@ import org.springframework.boot.context.properties.ConfigurationProperties;
 public class XssProperties {
 
     /**
-     * 过滤开关
+     * Xss开关
      */
-    private String enabled;
+    private Boolean enabled;
 
     /**
-     * 排除链接（多个用逗号分隔）
+     * 排除路径
      */
-    private String excludes;
+    private List<String> excludeUrls = new ArrayList<>();
-
-    /**
-     * 匹配链接
-     */
-    private String urlPatterns;
 
 }

ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssFilter.java

@@ -1,6 +1,8 @@
 package org.dromara.common.web.filter;
 
+import org.dromara.common.core.utils.SpringUtils;
 import org.dromara.common.core.utils.StringUtils;
+import org.dromara.common.web.config.properties.XssProperties;
 import org.springframework.http.HttpMethod;
 
 import jakarta.servlet.*;
@@ -23,13 +25,8 @@ public class XssFilter implements Filter {
 
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
-        String tempExcludes = filterConfig.getInitParameter("excludes");
+        XssProperties properties = SpringUtils.getBean(XssProperties.class);
-        if (StringUtils.isNotEmpty(tempExcludes)) {
+        excludes.addAll(properties.getExcludeUrls());
-            String[] url = tempExcludes.split(StringUtils.SEPARATOR);
-            for (int i = 0; url != null && i < url.length; i++) {
-                excludes.add(url[i]);
-            }
-        }
     }
 
     @Override