
润德漏洞修复

conghelong před 1 rokem
rodič
revize
1b51dba03c

+ 58 - 5
src/main/java/com/sooka/common/upload/UploadComponent.java

@@ -23,6 +23,9 @@ import javax.servlet.http.HttpServletRequest;
 import java.io.BufferedOutputStream;
 import java.io.File;
 import java.io.FileOutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.Date;
 import java.util.UUID;
 
@@ -180,11 +183,61 @@ public class UploadComponent {
       return UUID.randomUUID().toString().replace("-","") + "." + fileType;
     }
 
-    public  String getNewFileName(String fileName){
-        JDateTime jt = new JDateTime();
-        return File.separator + "upload" + File.separator + jt.getYear()
-                + File.separator + jt.getMonth() + File.separator + jt.getDay() + File.separator + fileName;
-    }
+//    public  String getNewFileName(String fileName){
+//        JDateTime jt = new JDateTime();
+//        return File.separator + "upload" + File.separator + jt.getYear()
+//                + File.separator + jt.getMonth() + File.separator + jt.getDay() + File.separator + fileName;
+//    }
+        public static String getNewFileName(String fileName) {
+            // 执行文件扩展名和MIME类型验证
+//            if (!isValidFileName(fileName)) {
+//                throw new IllegalArgumentException("无效的文件名或MIME类型");
+//            }
+            String newFileName = generateUniqueFileName(fileName);
+            JDateTime jt = new JDateTime();
+            return File.separator + "upload" + File.separator + jt.getYear()
+                    + File.separator + jt.getMonth() + File.separator + jt.getDay() + File.separator + newFileName;
+        }
+            private static String generateUniqueFileName(String fileName) {
+                String baseName = fileName.substring(0, fileName.lastIndexOf('.'));
+                String extension = fileName.substring(fileName.lastIndexOf('.'));
+                JDateTime jt = new JDateTime();
+                String timestamp = String.valueOf(jt.getTimeInMillis());
+                return baseName + "_" + timestamp + extension;
+            }
+            private static boolean isValidFileName(String fileName) {
+                String[] allowedExtensions = {".jpg", ".jpeg", ".png", ".gif", ".pdf"};
+                String mimeType;
+                try {
+                    Path filePath = Paths.get(fileName);
+                    mimeType = Files.probeContentType(filePath);
+                } catch (Exception e) {
+                    return false; // 文件不存在或读取失败
+                }
+                if (mimeType != null) {
+                    for (String allowedExtension : allowedExtensions) {
+                        if (mimeType.equals(getMimeTypeFromExtension(allowedExtension))) {
+                            return true;
+                        }
+                    }
+                }
+                return false;
+            }
+            private static String getMimeTypeFromExtension(String extension) {
+                switch (extension) {
+                    case ".jpg":
+                    case ".jpeg":
+                        return "image/jpeg";
+                    case ".png":
+                        return "image/png";
+                    case ".gif":
+                        return "image/gif";
+                    case ".pdf":
+                        return "application/pdf";
+                    default:
+                        return "";
+                }
+            }
 
     public  String getFileType(String fileName) {
         String type = fileName.substring(fileName.lastIndexOf(".") + 1);
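Review bot: The extension/MIME validation this commit introduces is commented out at L39–L41, so `isValidFileName` and `getMimeTypeFromExtension` are dead code and the new `getNewFileName` applies no check at all; either wire the call back in or drop the two helpers together with the `java.nio.file` imports only they use. Even if re-enabled, `isValidFileName` would not do what its comment says: `Files.probeContentType(Paths.get(fileName))` asks the platform's file type detector about a name that has not been written anywhere yet, and the default detector is typically extension-based, so it is not a content check. `generateUniqueFileName` throws `StringIndexOutOfBoundsException` for a name without a dot (`lastIndexOf` returns -1), and it keeps the client-supplied base name in the stored path even though the file already has a UUID-based name generator at L24. The rewrite below keeps only the extension and guards the missing-dot case; note also that the method changed from an instance method to `public static`, and the new block is indented two levels deeper than its siblings.
```java
private static String generateUniqueFileName(String fileName) {
    int dot = fileName.lastIndexOf('.');
    // A name without a dot has no extension; do not throw on it.
    String extension = dot < 0 ? "" : fileName.substring(dot);
    // Never reuse the client-supplied base name in the stored path.
    String baseName = UUID.randomUUID().toString().replace("-", "");
    JDateTime jt = new JDateTime();
    String timestamp = String.valueOf(jt.getTimeInMillis());
    return baseName + "_" + timestamp + extension;
}
```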

+ 9 - 2
src/main/java/com/sooka/common/upload/UploadController.java

@@ -8,6 +8,7 @@ import com.sooka.module.web.system.service.AttachmentService;
 import com.sooka.mybatis.model.TSysAttachment;
 import com.sooka.common.exception.CmsException;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.util.FileCopyUtils;
 import org.springframework.web.bind.annotation.*;
@@ -15,12 +16,15 @@ import org.springframework.web.multipart.MultipartFile;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.FileInputStream;
+import java.io.IOException;
 import java.net.URLEncoder;
 
 
 @Controller
 public class UploadController {
 
+    @Value("${data-file-size-limit}")
+    private long dataFileSizeLimit;
     @Autowired
     private UploadComponent uploadComponent;
 
@@ -30,13 +34,16 @@ public class UploadController {
     @RequestMapping("/uploads")
     @ResponseBody
     public String upload(@RequestParam("file") MultipartFile multipartFile,
-                         HttpServletRequest request){
+                         HttpServletRequest request) throws IOException {
+        if (multipartFile.getSize() > dataFileSizeLimit) {
+            return JsonUtil.toUploadRROR("上传失败!文件大于限制大小");
+        }
         UploadBean result = uploadComponent.uploadFile(multipartFile,request);
-
         return JsonUtil.toUploadSUCCESS("上传成功!",result.getFileUrl());
     }
 
 
+
     @RequestMapping("/uploads/wangEditorUpload")
     @ResponseBody
     public String WangEditorUpload(@RequestParam("file") MultipartFile multipartFile,
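Review bot: The size check on L124 runs only after the whole multipart body has already been received and buffered, because `MultipartFile.getSize()` reports the size of the part that was read, so it limits what gets stored but not what the server accepts; the same limit should also be set on the multipart resolver (`spring.servlet.multipart.max-file-size` in Spring Boot) so oversized requests are refused before buffering. `dataFileSizeLimit` is undocumented; a comment such as `// Maximum accepted upload size in bytes (property data-file-size-limit)` would pin the unit the comparison assumes. `throws IOException` is added to the signature on L123, but nothing visible in the hunk throws it; if `uploadFile` does, the exception will surface as a server error rather than the JSON error form this method otherwise returns.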

+ 61 - 5
src/main/java/com/sooka/module/web/cms/CategoryController.java

@@ -12,13 +12,16 @@ import com.sooka.mybatis.model.TCmsModel;
 import com.sooka.module.web.cms.service.CategoryService;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import java.lang.reflect.Field;
 import java.util.List;
+import java.util.regex.Pattern;
 
 /**
  * Description:内容
@@ -29,7 +32,8 @@ import java.util.List;
 @Controller
 @RequestMapping("/system/cms/category")
 public class CategoryController {
-
+    @Value("${allowed-characters}")
+    private String allowedcharacters;
     @Autowired
     private CategoryService categoryService;
 
@@ -60,15 +64,67 @@ public class CategoryController {
     @RequiresPermissions("category:save")
     @RequestMapping("/save")
     @ResponseBody
-    public String save(TCmsCategory pojo)  {
+    public String save(TCmsCategory pojo) {
         UserVo userVo = UserUtil.getSysUserVo();
         pojo.setSiteId(userVo.getSiteId());
-        if(pojo.getCategoryId()!=null) {
-            return   categoryService.update(pojo);
+
+        // 检查对象是否不为空
+        if (pojo.getCategoryId() != null) {
+            cleanSpecialCharacters(pojo);
+            return categoryService.update(pojo);
+        } else {
+            cleanSpecialCharacters(pojo);
+            return categoryService.save(pojo);
+        }
+    }
+
+    private void cleanSpecialCharacters(TCmsCategory pojo) {
+        // 检查对象是否不为空
+        if (pojo != null) {
+            // 遍历TCmsCategory类中的所有字段
+            for (Field field : TCmsCategory.class.getDeclaredFields()) {
+                // 使字段可访问以获取和设置其值
+                field.setAccessible(true);
+                try {
+                    // 获取字段的当前值
+                    Object value = field.get(pojo);
+                    // 如果值是字符串并包含特殊字符,则直接禁止存储
+                    if (value instanceof String) {
+                        String originalValue = (String) value;
+                        if (containsIllegalCharacters(originalValue)) {
+                            String illegalCharacters = findIllegalCharacters(originalValue, allowedcharacters);
+                            throw new IllegalArgumentException("上传失败!禁止录入非法字符 " + illegalCharacters);
+                        }
+                    }
+                } catch (IllegalAccessException e) {
+                    e.printStackTrace(); // 根据需要处理异常
+                }
+            }
         }
-        return categoryService.save(pojo);
+    }
+    private boolean containsIllegalCharacters(String value) {
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                return true;
+            }
+        }
+        return false;
     }
 
+    private String findIllegalCharacters(String value, String allowedcharacters) {
+        StringBuilder illegalCharacters = new StringBuilder();
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                illegalCharacters.append(item).append(", ");
+            }
+        }
+        // 删除最后的逗号和空格
+        if (illegalCharacters.length() > 0) {
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
+        }
+        return illegalCharacters.toString();
+    }
     @SysLog("栏目删除")
     @RequiresPermissions("category:delete")
     @RequestMapping("/delete")
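Review bot: `containsIllegalCharacters` (L214) rejects every value once the `allowed-characters` property contains an empty entry, because `"a,,b".split(",")` yields `""` and `value.contains("")` is always true; add `if (item.isEmpty()) continue;` at the top of both loops (L215 and L225). The same helper trio `cleanSpecialCharacters`/`containsIllegalCharacters`/`findIllegalCharacters` is pasted verbatim into ContentController, TopicController, OrganizationController, PermissionController and RoleController, so the defect and any future tuning are six-fold; a shared utility taking the entity and the list would keep the checks consistent, and calling it once before the `if` instead of in both branches (L181, L184) would shorten each `save`. The name and property are misleading: `allowed-characters` actually holds forbidden substrings, and `cleanSpecialCharacters` does not clean anything but throws `IllegalArgumentException`, which from a `@ResponseBody` handler surfaces as a server error unless an exception handler outside this diff maps it. `e.printStackTrace()` on L208 should go through the project's logger, and `java.util.regex.Pattern` (L154) is imported but unused.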

+ 80 - 4
src/main/java/com/sooka/module/web/cms/ContentController.java

@@ -18,6 +18,7 @@ import org.apache.shiro.authz.UnauthenticatedException;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.apache.shiro.subject.Subject;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.beans.propertyeditors.CustomDateEditor;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
@@ -29,13 +30,12 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.servlet.ModelAndView;
 
 import javax.servlet.http.HttpServletRequest;
+import java.lang.reflect.Field;
 import java.sql.SQLException;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
+import java.util.regex.Pattern;
 
 /**
  * Description:内容管理控制器
@@ -47,6 +47,12 @@ import java.util.Map;
 @RequestMapping("/system/cms/content")
 public class ContentController{
 
+    @Value("${allowed-characters}")
+    private String allowedcharacters;
+
+    @Value("${allowed-characters-for-content}")
+    private String  allowedcharactersforcontent;
+
     @Autowired
     private ContentService contentService;
 
@@ -182,6 +188,25 @@ public class ContentController{
             }else {
                 String filedValue = request.getParameter(filed.getFiledName());
                 if (!StrUtil.isBlank(filedValue)) {
+                    // 第一轮核验,检查是否含有不允许的字符
+                    for (String item : allowedcharactersforcontent.split(",")) {
+                        if (filedValue.contains(item)) {
+                            throw new IllegalArgumentException("上传失败!禁止录入非法字符 " + item);
+
+                        }
+                    }
+
+                    // 第二轮核验,进行字符替换
+                    for (String item : allowedcharactersforcontent.split(",")) {
+                        item = item.replace(" ", "");
+                        item = item.replace("<", "&lt;");
+                        item = item.replace(">", "&gt;");
+                        if (filedValue.contains(item)) {
+                            throw new IllegalArgumentException("上传失败!禁止录入非法字符 " + item);
+                        }
+                    }
+
+                    // 如果不含非法字符,则存储值
                     formParam.put(filed.getFiledName(), filedValue);
                 }
             }
@@ -191,10 +216,61 @@ public class ContentController{
             content.setTitle(formParam.get("name").toString());
         }
         if(content.getContentId()!=null) {
+            checkAndSave(content);
             return contentService.update(content,cmsModel.getTableName(),cmsModelFileds,formParam,tags);
         }
+        checkAndSave(content);
         return contentService.save(content,cmsModel.getTableName(),formParam,tags);
     }
+    private void checkAndSave(TCmsContent content) {
+        // 检查对象是否不为空
+        if (content != null) {
+            // 遍历TCmsTopic类中的所有字段
+            for (Field field : TCmsContent.class.getDeclaredFields()) {
+                // 使字段可访问以获取和设置其值
+                field.setAccessible(true);
+                try {
+                    // 获取字段的当前值
+                    Object value = field.get(content);
+                    // 如果值是字符串并包含特殊字符,则直接禁止存储
+                    if (value instanceof String) {
+                        String originalValue = (String) value;
+                        if (containsIllegalCharacters(originalValue)) {
+                            String illegalCharacters = findIllegalCharacters(originalValue, allowedcharacters);
+                            throw new IllegalArgumentException("上传失败!禁止录入非法字符 " + illegalCharacters);
+                        }
+                    }
+                } catch (IllegalAccessException e) {
+                    e.printStackTrace(); // 根据需要处理异常
+                }
+            }
+        }
+    }
+
+    private boolean containsIllegalCharacters(String value) {
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private String findIllegalCharacters(String value, String allowedcharacters) {
+        StringBuilder illegalCharacters = new StringBuilder();
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                illegalCharacters.append(item).append(", ");
+            }
+        }
+        // 删除最后的逗号和空格
+        if (illegalCharacters.length() > 0) {
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
+        }
+        return illegalCharacters.toString();
+    }
+
 
     @SysLog("内容删除")
     @RequiresPermissions("content:delete")
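Review bot: The second validation loop (L295–L302) rewrites each denylist entry (`replace(" ", "")`, `<`→`&lt;`, `>`→`&gt;`) and then re-tests `filedValue.contains(item)`; for entries with no angle brackets or spaces this merely repeats the first loop, and an entry made only of spaces collapses to `""`, which every value contains, so all content is rejected. If the intent is to also catch HTML-entity-encoded variants, say so in the comment and add `if (item.isEmpty()) continue;` before the `contains` call. `checkAndSave` (L318, and the same-named method in TopicController) only checks and never saves; a name like `rejectIllegalCharacters` would describe it, and `TCmsContent.class.getDeclaredFields()` skips any field declared in a superclass, if the entity has one. Replacing the four explicit `java.util` imports with `java.util.*` (L264) goes against the file's existing import style.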

+ 41 - 4
src/main/java/com/sooka/module/web/cms/FrientlinkController.java

@@ -1,6 +1,7 @@
 package com.sooka.module.web.cms;
 
 import com.github.pagehelper.PageInfo;
+import com.sooka.common.utils.JsonUtil;
 import com.sooka.common.utils.StrUtil;
 import com.sooka.module.web.cms.service.FriendlinkService;
 import com.sooka.mybatis.model.TCmsFriendlink;
@@ -37,17 +38,53 @@ public class FrientlinkController{
     }
 
 
+//    @RequestMapping("/save")
+//    @ResponseBody
+//    public String save(TCmsFriendlink pojo) {
+//
+//       if(StrUtil.isBlank(pojo.getImg())) {
+//           pojo.setImg(null);
+//       }
+//        if(pojo.getId()!=null) {
+//            return friendlinkService.update(pojo);
+//        }
+//        return friendlinkService.save(pojo);
+ //   }
     @RequestMapping("/save")
     @ResponseBody
     public String save(TCmsFriendlink pojo) {
-       if(StrUtil.isBlank(pojo.getImg())) {
-           pojo.setImg(null);
-       }
-        if(pojo.getId()!=null) {
+        if(StrUtil.isBlank(pojo.getImg())) {
+            pojo.setImg(null);
+        }
+        // 对linkName进行限制
+        if (!isValidLinkName(pojo.getLinkName())) {
+            return JsonUtil.toUploadRROR("上传失败!名称必须为英文或中文");
+        }
+        // 对linkUrl进行限制
+        if (!isValidLinkUrl(pojo.getLinkUrl())) {
+            return JsonUtil.toUploadRROR("上传失败!请检查链接格式和字数是否超过50个字");
+        }
+        if(pojo.getId() != null) {
             return friendlinkService.update(pojo);
         }
         return friendlinkService.save(pojo);
     }
+    private boolean isValidLinkName(String linkName) {
+        // 使用正则表达式验证linkName是否为英文、中文或数字
+        String regex = "^[a-zA-Z0-9\\u4e00-\\u9fa5]+$";
+        return linkName.matches(regex);
+    }
+    private boolean isValidLinkUrl(String linkUrl) {
+        // 使用正则表达式验证linkUrl是否以http或https头开始的URL
+        String regex = "^(http|https)://.*$";
+        boolean isValid = linkUrl.matches(regex);
+
+        if (linkUrl.length() > 50) {
+            return false;
+        }
+        return isValid;
+    }
+
 
 
     @RequestMapping("/delete")
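Review bot: `isValidLinkName` (L421) and `isValidLinkUrl` (L426) dereference their argument without a null check, so a request that omits `linkName` or `linkUrl` now fails with a `NullPointerException` instead of the JSON error that `save` returns for other invalid input; guard with `return linkName != null && linkName.matches(regex);` and the equivalent for the URL. Both regexes are recompiled on every call through `String.matches`; a `private static final Pattern` per rule would avoid that. The commented-out copy of the previous `save` (L386–L397) duplicates what version control already keeps and should be deleted rather than left in the source.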

+ 1 - 0
src/main/java/com/sooka/module/web/cms/SiteController.java

@@ -51,6 +51,7 @@ public class SiteController{
             model.addAttribute("site",siteService.findVoById(Id));
         }
         return "cms/site_input";
+
     }
 
     @RequiresPermissions("site:save")

+ 62 - 3
src/main/java/com/sooka/module/web/cms/TopicController.java

@@ -12,10 +12,13 @@ import com.sooka.mybatis.model.TCmsContent;
 import com.sooka.mybatis.model.TCmsSite;
 import com.sooka.mybatis.model.TCmsTopic;
 
+import java.lang.reflect.Field;
 import java.util.List;
+import java.util.regex.Pattern;
 
 import org.apache.shiro.authz.UnauthenticatedException;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -31,7 +34,8 @@ import org.springframework.web.bind.annotation.ResponseBody;
 @Controller
 @RequestMapping("/system/cms/topic")
 public class TopicController extends BaseController<TCmsTopic> {
-
+    @Value("${allowed-characters}")
+    private String allowedcharacters;
     @Autowired
     private SiteService siteService;
 	
@@ -67,10 +71,65 @@ public class TopicController extends BaseController<TCmsTopic> {
     @RequestMapping("/save")
     @ResponseBody
     public String save(TCmsTopic pojo) {
-        if(pojo.getTopicId()!=null) {
+        if (pojo.getTopicId() != null) {
+            checkAndSave(pojo);
             return topicService.update(pojo);
+        } else {
+            checkAndSave(pojo);
+            return topicService.save(pojo);
+        }
+    }
+
+
+
+
+    private void checkAndSave(TCmsTopic pojo) {
+        // 检查对象是否不为空
+        if (pojo != null) {
+            // 遍历TCmsTopic类中的所有字段
+            for (Field field : TCmsTopic.class.getDeclaredFields()) {
+                // 使字段可访问以获取和设置其值
+                field.setAccessible(true);
+                try {
+                    // 获取字段的当前值
+                    Object value = field.get(pojo);
+                    // 如果值是字符串并包含特殊字符,则直接禁止存储
+                    if (value instanceof String) {
+                        String originalValue = (String) value;
+                        if (containsIllegalCharacters(originalValue)) {
+                            String illegalCharacters = findIllegalCharacters(originalValue, allowedcharacters);
+                            throw new IllegalArgumentException("上传失败!禁止录入非法字符 " + illegalCharacters);
+                        }
+                    }
+                } catch (IllegalAccessException e) {
+                    e.printStackTrace(); // 根据需要处理异常
+                }
+            }
+        }
+    }
+
+    private boolean containsIllegalCharacters(String value) {
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private String findIllegalCharacters(String value, String allowedcharacters) {
+        StringBuilder illegalCharacters = new StringBuilder();
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                illegalCharacters.append(item).append(", ");
+            }
+        }
+        // 删除最后的逗号和空格
+        if (illegalCharacters.length() > 0) {
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
         }
-        return topicService.save(pojo);
+        return illegalCharacters.toString();
     }
 
     @RequestMapping("/delete")
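Review bot: Four consecutive blank lines (L493–L496) separate `save` from `checkAndSave`, where the rest of the file uses one. The `else` added on L488 is redundant after the `return` in the `if` branch, and since `checkAndSave(pojo)` runs on both paths it belongs once before the condition: `checkAndSave(pojo); if (pojo.getTopicId() != null) { return topicService.update(pojo); } return topicService.save(pojo);`.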

+ 60 - 1
src/main/java/com/sooka/module/web/system/OrganizationController.java

@@ -1,9 +1,11 @@
 package com.sooka.module.web.system;
 
 import com.sooka.module.web.system.service.OrganizationService;
+import com.sooka.mybatis.model.TCmsTopic;
 import com.sooka.mybatis.model.TSysOrg;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -11,6 +13,9 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import java.lang.reflect.Field;
+import java.util.regex.Pattern;
+
 /**
  * Description:
  *
@@ -20,7 +25,8 @@ import org.springframework.web.bind.annotation.ResponseBody;
 @Controller
 @RequestMapping("/system/org")
 public class OrganizationController {
-
+    @Value("${allowed-characters}")
+    private String allowedcharacters;
     @Autowired
     private OrganizationService organizationService;
 
@@ -44,11 +50,64 @@ public class OrganizationController {
     @ResponseBody
     public String save(TSysOrg pojo){
         if(pojo.getId()!=null) {
+            cleanSpecialCharacters(pojo);
             return organizationService.update(pojo);
         }
+        cleanSpecialCharacters(pojo);
         return organizationService.save(pojo);
     }
 
+    private void cleanSpecialCharacters(TSysOrg pojo) {
+        // 检查对象是否不为空
+        if (pojo != null) {
+            // 遍历TCmsTopic类中的所有字段
+            for (Field field : TSysOrg.class.getDeclaredFields()) {
+                // 使字段可访问以获取和设置其值
+                field.setAccessible(true);
+                try {
+                    // 获取字段的当前值
+                    Object value = field.get(pojo);
+                    // 如果值是字符串并包含特殊字符,则直接禁止存储
+                    if (value instanceof String) {
+                        String originalValue = (String) value;
+                        if (containsIllegalCharacters(originalValue)) {
+                            String illegalCharacters = findIllegalCharacters(originalValue, allowedcharacters);
+                            throw new IllegalArgumentException("上传失败!禁止录入非法字符 " + illegalCharacters);
+                        }
+                    }
+                } catch (IllegalAccessException e) {
+                    e.printStackTrace(); // 根据需要处理异常
+                }
+            }
+        }
+    }
+
+
+
+    private boolean containsIllegalCharacters(String value) {
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private String findIllegalCharacters(String value, String allowedcharacters) {
+        StringBuilder illegalCharacters = new StringBuilder();
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                illegalCharacters.append(item).append(", ");
+            }
+        }
+        // 删除最后的逗号和空格
+        if (illegalCharacters.length() > 0) {
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
+        }
+        return illegalCharacters.toString();
+    }
+
     @RequiresPermissions("department:delete")
     @RequestMapping("/delete")
     @ResponseBody
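Review bot: `import com.sooka.mybatis.model.TCmsTopic;` (L556) is unused in OrganizationController, and the comment on L598 still says the loop walks `TCmsTopic` although it iterates `TSysOrg.class.getDeclaredFields()`; the same copy-paste residue is in PermissionController (unused `TSysRole` import, L657; comment L698) and RoleController (unused `TSysOrg` import, L755; comment L796), and `java.util.regex.Pattern` is imported but unused in all three. Drop the stray imports and reword the comment to `// Walk every declared field of TSysOrg` (respectively TSysPermission / TSysRole). In all three, the check is invoked in both branches of `save`/`input` (L588, L591) and could run once before the `if`; if any of these entities inherits fields from a base class, `getDeclaredFields()` will not see them.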

+ 58 - 1
src/main/java/com/sooka/module/web/system/PermissionController.java

@@ -2,8 +2,10 @@ package com.sooka.module.web.system;
 
 import com.sooka.module.web.system.service.RoleService;
 import com.sooka.mybatis.model.TSysPermission;
+import com.sooka.mybatis.model.TSysRole;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -11,6 +13,9 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import java.lang.reflect.Field;
+import java.util.regex.Pattern;
+
 /**
  * Description:权限Controller
  *
@@ -20,7 +25,8 @@ import org.springframework.web.bind.annotation.ResponseBody;
 @Controller
 @RequestMapping("/system/permission")
 public class PermissionController {
-
+    @Value("${allowed-characters}")
+    private String allowedcharacters;
     @Autowired
     private RoleService roleService;
 
@@ -47,12 +53,63 @@ public class PermissionController {
     public String save(TSysPermission permission){
 
         if(permission.getPermissionId()!=null) {
+            cleanSpecialCharacters(permission);
             return roleService.update(permission);
         }
+        cleanSpecialCharacters(permission);
         return roleService.save(permission);
 
     }
+    private void cleanSpecialCharacters(TSysPermission permission) {
+        // 检查对象是否不为空
+        if (permission != null) {
+            // 遍历TCmsTopic类中的所有字段
+            for (Field field : TSysPermission.class.getDeclaredFields()) {
+                // 使字段可访问以获取和设置其值
+                field.setAccessible(true);
+                try {
+                    // 获取字段的当前值
+                    Object value = field.get(permission);
+                    // 如果值是字符串并包含特殊字符,则直接禁止存储
+                    if (value instanceof String) {
+                        String originalValue = (String) value;
+                        if (containsIllegalCharacters(originalValue)) {
+                            String illegalCharacters = findIllegalCharacters(originalValue, allowedcharacters);
+                            throw new IllegalArgumentException("上传失败!禁止录入非法字符 " + illegalCharacters);
+                        }
+                    }
+                } catch (IllegalAccessException e) {
+                    e.printStackTrace(); // 根据需要处理异常
+                }
+            }
+        }
+    }
+
+
+
+    private boolean containsIllegalCharacters(String value) {
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                return true;
+            }
+        }
+        return false;
+    }
 
+    private String findIllegalCharacters(String value, String allowedcharacters) {
+        StringBuilder illegalCharacters = new StringBuilder();
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                illegalCharacters.append(item).append(", ");
+            }
+        }
+        // 删除最后的逗号和空格
+        if (illegalCharacters.length() > 0) {
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
+        }
+        return illegalCharacters.toString();
+    }
     @RequiresPermissions("permission:delete")
     @RequestMapping("/delete")
     @ResponseBody

+ 58 - 1
src/main/java/com/sooka/module/web/system/RoleController.java

@@ -1,15 +1,20 @@
 package com.sooka.module.web.system;
 
+import com.sooka.mybatis.model.TSysOrg;
 import com.sooka.mybatis.model.TSysRole;
 import com.sooka.module.web.system.service.RoleService;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import java.lang.reflect.Field;
+import java.util.regex.Pattern;
+
 /**
  * Description:角色控制器
  *
@@ -19,7 +24,8 @@ import org.springframework.web.bind.annotation.ResponseBody;
 @Controller
 @RequestMapping("/system/role")
 public class RoleController {
-
+    @Value("${allowed-characters}")
+    private String allowedcharacters;
     @Autowired
     RoleService roleService;
 
@@ -48,11 +54,62 @@ public class RoleController {
     @ResponseBody
     public String input(TSysRole role,@RequestParam(value = "permissionId",required = false) Integer[] permissionId) {
         if(role.getRoleId()!=null) {
+            cleanSpecialCharacters(role);
             return roleService.update(role,permissionId);
         }
+        cleanSpecialCharacters(role);
         return roleService.save(role,permissionId);
     }
+    private void cleanSpecialCharacters(TSysRole role) {
+        // 检查对象是否不为空
+        if (role != null) {
+            // 遍历TCmsTopic类中的所有字段
+            for (Field field : TSysRole.class.getDeclaredFields()) {
+                // 使字段可访问以获取和设置其值
+                field.setAccessible(true);
+                try {
+                    // 获取字段的当前值
+                    Object value = field.get(role);
+                    // 如果值是字符串并包含特殊字符,则直接禁止存储
+                    if (value instanceof String) {
+                        String originalValue = (String) value;
+                        if (containsIllegalCharacters(originalValue)) {
+                            String illegalCharacters = findIllegalCharacters(originalValue, allowedcharacters);
+                            throw new IllegalArgumentException("上传失败!禁止录入非法字符 " + illegalCharacters);
+                        }
+                    }
+                } catch (IllegalAccessException e) {
+                    e.printStackTrace(); // 根据需要处理异常
+                }
+            }
+        }
+    }
+
+
+
+    private boolean containsIllegalCharacters(String value) {
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                return true;
+            }
+        }
+        return false;
+    }
 
+    private String findIllegalCharacters(String value, String allowedcharacters) {
+        StringBuilder illegalCharacters = new StringBuilder();
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                illegalCharacters.append(item).append(", ");
+            }
+        }
+        // 删除最后的逗号和空格
+        if (illegalCharacters.length() > 0) {
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
+        }
+        return illegalCharacters.toString();
+    }
     @RequiresPermissions({"role:delete"})
     @RequestMapping("/delete")
     @ResponseBody

+ 36 - 10
src/main/java/com/sooka/module/web/system/SystemController.java

@@ -24,6 +24,8 @@ import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 import java.util.Map;
 
 
@@ -78,10 +80,28 @@ public class SystemController {
     }
 
 
+//    @FormToken
+//    @RequestMapping("/${system.login.path}/doLogin")
+//    @ResponseBody
+//    public Map<String, Object> doLogin(
+//            HttpServletRequest request,
+//            @RequestParam(value = "verifyCode",required = false) String verifyCode,
+//            @RequestParam(value = "username",required = false) String username,
+//            @RequestParam(value = "password",required = false) String password,
+//            @RequestParam(value = "remberMe",required = false,defaultValue = "") String remberMe){
+//
+//        /* 临时验证码验证 */
+//        if(StrUtil.isBlank(verifyCode)|| !ControllerUtil.validate(verifyCode,request)) {
+//            return JsonUtil.toMAP(false,"验证码输入错误");
+//        }
+//        return userService.login(request,username,password,remberMe);
+//
+//    }
+
+
     /**
      *后台登陆提提交地址
      * @param username
-     * @param password
      * @param remberMe
      * @return
      */
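Review bot: The Javadoc now drops `@param password` although the method below still takes the password (as `encodedPassword`), so the doc should gain `@param encodedPassword Base64-encoded password as submitted by the login page` rather than lose the entry. The commented-out copy of the previous `doLogin` above it should be deleted instead of kept; version control already holds the old version, and a second `@RequestMapping("/${system.login.path}/doLogin")` in comment form invites someone to uncomment a duplicate mapping later.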
@@ -91,19 +111,25 @@ public class SystemController {
     @ResponseBody
     public Map<String, Object> doLogin(
             HttpServletRequest request,
-            @RequestParam(value = "verifyCode",required = false) String verifyCode,
-            @RequestParam(value = "username",required = false) String username,
-            @RequestParam(value = "password",required = false) String password,
-            @RequestParam(value = "remberMe",required = false,defaultValue = "") String remberMe){
+            @RequestParam(value = "verifyCode", required = false) String verifyCode,
+            @RequestParam(value = "username", required = false) String username,
+            @RequestParam(value = "password", required = false) String encodedPassword, // 改为接收加密后的密码
+            @RequestParam(value = "remberMe", required = false, defaultValue = "") String remberMe) {
 
         /* 临时验证码验证 */
-        if(StrUtil.isBlank(verifyCode)|| !ControllerUtil.validate(verifyCode,request)) {
-            return JsonUtil.toMAP(false,"验证码输入错误");
+        if (StrUtil.isBlank(verifyCode) || !ControllerUtil.validate(verifyCode, request)) {
+            return JsonUtil.toMAP(false, "验证码输入错误");
         }
-        return userService.login(request,username,password,remberMe);
-
+        // 解密密码
+        String password = simpleDecrypt(encodedPassword);
+        return userService.login(request, username, password, remberMe);
+    }
+    // 简单的密码解密函数
+    private String simpleDecrypt(String encodedPassword) {
+        // 使用Base64解码还原原始密码
+        byte[] decodedBytes = Base64.getDecoder().decode(encodedPassword);
+        return new String(decodedBytes, StandardCharsets.UTF_8);
     }
-
     @FormToken
     @RequestMapping("/ajax/doLogin")
     @ResponseBody
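Review bot: `simpleDecrypt` is Base64 decoding, not decryption: there is no key, so anyone who can read the request body can recover the password exactly as before, and the comment "改为接收加密后的密码" (encrypted) overstates what the change achieves. Confidentiality of the credential in transit has to come from TLS on the login endpoint, and keeping the plain password out of logs is a logging-layer concern, so this change should not be recorded as closing a clear-text-password finding. `Base64.getDecoder().decode` also throws `IllegalArgumentException` on input that is not valid Base64 and `NullPointerException` when the parameter is absent (it is declared `required = false`), which surfaces as a 500 instead of a login failure; guard with `if (encodedPassword == null) { return JsonUtil.toMAP(false, "验证码输入错误"); }` style handling using an appropriate message and catch `IllegalArgumentException` around the decode. Renaming the helper to `decodeBase64Password` would make its actual contract clear to the next reader.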

+ 53 - 6
src/main/java/com/sooka/module/web/system/UserController.java

@@ -7,6 +7,7 @@ import com.sooka.module.web.system.service.SysUserService;
 import com.sooka.module.web.system.vo.UserVo;
 import com.sooka.mybatis.model.TSysUser;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -24,7 +25,8 @@ import org.springframework.web.servlet.ModelAndView;
 @Controller
 @RequestMapping("/system/user")
 public class UserController {
-
+    @Value("${allowed-characters}")
+    private String allowedcharacters;
     @Autowired
     private SysUserService sysUserService;
 
@@ -63,14 +65,59 @@ public class UserController {
         return "system/admin_input";
     }
 
-    /* 后台用户更新 */
     @RequestMapping("/update")
     @ResponseBody
-    public String update(TSysUser user,@RequestParam(value = "roleId",required = false) Integer[] roleIds,@RequestParam(value = "orgId",required = false) String orgIds ){
-        if(user.getUserId()!=null) {
-            return sysUserService.update(user,roleIds,orgIds);
+    public String update(TSysUser user, @RequestParam(value = "roleId", required = false) Integer[] roleIds, @RequestParam(value = "orgId", required = false) String orgIds) {
+        if (user.getUserId() != null) {
+            removeSpecialCharacters(user);
+            return sysUserService.update(user, roleIds, orgIds);
+        }
+        removeSpecialCharacters(user);
+        return sysUserService.save(user, roleIds, orgIds);
+    }
+
+    private void removeSpecialCharacters(TSysUser user) {
+        // 检查对象是否不为空
+        if (user != null) {
+            // 检查用户名是否包含非法字符
+            if (containsIllegalCharacters(user.getUsername())) {
+                String illegalCharacters = findIllegalCharacters(user.getUsername(), allowedcharacters);
+                throw new IllegalArgumentException("上传失败!禁止录入非法字符 " + illegalCharacters);
+
+            }
+
+            // 如果还有其他字段需要处理,可以继续添加类似的逻辑
+            if (containsIllegalCharacters(user.getDes())) {
+                String illegalCharacters = findIllegalCharacters(user.getDes(), allowedcharacters);
+                throw new IllegalArgumentException("上传失败!禁止录入非法字符 " + illegalCharacters);
+            }
+
+            // 添加其他字段的处理逻辑,以此类推
+        }
+    }
+
+    private boolean containsIllegalCharacters(String value) {
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private String findIllegalCharacters(String value, String allowedcharacters) {
+        StringBuilder illegalCharacters = new StringBuilder();
+        for (String item : allowedcharacters.split(",")) {
+            if (value.contains(item)) {
+                illegalCharacters.append(item).append(", ");
+            }
+        }
+        // 删除最后的逗号和空格
+        if (illegalCharacters.length() > 0) {
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
+            illegalCharacters.deleteCharAt(illegalCharacters.length() - 1);
         }
-        return sysUserService.save(user,roleIds,orgIds);
+        return illegalCharacters.toString();
     }
 
 
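Review bot: `containsIllegalCharacters` dereferences `value` and `allowedcharacters` without a null check, so a user with no `des` (or a missing `allowed-characters` property) turns `update` into a `NullPointerException`, and if the property is set to an empty string `"".split(",")` yields `[""]`, `contains("")` is true for every input and every update is rejected. Both helpers here are byte-for-byte copies of the ones added to the role controller earlier in this commit; they belong in one shared utility so the two validators cannot drift. The field named `allowedcharacters` actually holds the forbidden characters, which misleads; `forbiddenCharacters` would match its use, and `findIllegalCharacters` takes a parameter that shadows the field. A deny-list like this is defence in depth only; protection against SQL/HTML injection still has to rest on parameterized queries and output encoding, which this change does not touch.
```java
private boolean containsIllegalCharacters(String value) {
    if (value == null || allowedcharacters == null) {
        return false;
    }
    for (String item : allowedcharacters.split(",")) {
        if (!item.isEmpty() && value.contains(item)) {
            return true;
        }
    }
    return false;
}
// … unchanged: findIllegalCharacters (apply the same null/empty guards) …
```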

+ 5 - 1
src/main/resources/static/BJUI/js/jquery.cookie.js

@@ -73,7 +73,11 @@ jQuery.cookie = function(name, value, options) {
         var path = options.path ? '; path=' + options.path : '';
         var domain = options.domain ? '; domain=' + options.domain : '';
         var secure = options.secure ? '; secure' : '';
+        // 设置特定的cookie
+        document.cookie = "myCookie=myValue; path=/; HttpOnly";
+        // 设置其他cookie
         document.cookie = [name, '=', encodeURIComponent(value), expires, path, domain, secure].join('');
+
     } else { // only name given, get cookie
         var cookieValue = null;
         if (document.cookie && document.cookie != '') {
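Review bot: `document.cookie = "myCookie=myValue; path=/; HttpOnly";` does nothing useful: browsers discard cookies that script tries to set with the `HttpOnly` attribute (a cookie written through a non-HTTP API with that flag is not stored), and even if it were stored, a dummy `myCookie` would not protect the session cookie. It also runs on every write made through `jQuery.cookie`, so callers get a side effect they never asked for. The same applies to the `setCookie("myCookie", "myValue", null, "/", null, true);` call added at script load in `pub.js` (the `domain == null` fix in that hunk is the part worth keeping). The `HttpOnly`/`Secure`/`SameSite` attributes have to be set on the server side for the session cookie; the three added lines here should be removed.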
@@ -89,4 +93,4 @@ jQuery.cookie = function(name, value, options) {
         }
         return cookieValue;
     }
-};
+};

+ 13 - 7
src/main/resources/static/www/rdjt/scripts/pub.js

@@ -890,15 +890,21 @@ function openDateDialog(objectID) {
 /************************************
 purpose      : 设置cookie,以下为cookie相关的操作
 ************************************/
-function setCookie(name,value,expiry,path,domain,secure){
-	var nameString = name + "=" + value;
-	var expiryString = (expiry == null) ? "" : " ;expires = "+ expiry.toGMTString();
-	var pathString = (path == null) ? "" : " ;path = "+ path;
-	var domainString = (path == null) ? "" : " ;domain = "+ domain;
-	var secureString = (secure) ?";secure" :"";
-	document.cookie = nameString + expiryString + pathString + domainString + secureString;
+function setCookie(name, value, expiry, path, domain, secure) {
+    var nameString = name + "=" + value;
+    var expiryString = (expiry == null) ? "" : "; expires=" + expiry.toGMTString();
+    var pathString = (path == null) ? "" : "; path=" + path;
+    var domainString = (domain == null) ? "" : "; domain=" + domain;
+    var secureString = (secure) ? "; secure" : "";
+
+    // 直接将特定的cookie字符串设置到document.cookie中
+    document.cookie = nameString + expiryString + pathString + domainString + secureString;
 }
 
+// 调用函数设置特定的cookie
+setCookie("myCookie", "myValue", null, "/", null, true);
+
+
 function getCookie (name) {
 	var CookieFound = false;
 	var start = 0;

+ 4 - 2
src/main/resources/templates/cms/category_input.html

@@ -112,7 +112,8 @@
         <div class="form-group">
             <label for="pageSize" class="control-label x85">分页大小:</label>
             <input type="text"  id="pageSize" name="pageSize" size="30"
-                   value="${pojo.pageSize!}"  data-rule="required;integer(+)"  placeholder="分页大小">
+                   value="${pojo.pageSize!}"  data-rule="required;integer(+)"  placeholder="分页大小"  oninput="this.value = this.value.replace(/[^0-9]/g, '')"
+                   title="只能输入数字">
         </div>
         <hr>
         <div id="isNotExtendUrl">
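Review bot: The `oninput` filter on `pageSize` is a usability aid, not a security control, since the request can be sent without a browser; the server-side handler must still validate that `pageSize` and `sortId` are integers, and nothing in this commit shows that it does. The same applies to the `sortId` hunk below and to the equivalent `oninput` additions in `content_input.html`, `topic_input.html` and `organization_input.html`. In `content_input.html` the existing `data-rule="integer;"` on `sorts` was removed at the same time, leaving that field with less client-side validation than before, and the commented-out `<div>` block added there is still served to every visitor and should be deleted. In `organization_input.html` the `[^0-9]` filter on `telPhone` also strips `+`, `-` and spaces, which real phone numbers commonly contain.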
@@ -183,7 +184,8 @@
         <div class="form-group">
           <label for="sortId" class="control-label x85">排序:</label>
            <input type="text"  id="sortId" name="sortId" size="30"
-                           value="${pojo.sortId!}"  data-rule="integer;"  placeholder="排序">
+                           value="${pojo.sortId!}"  data-rule="integer;"  placeholder="排序"  oninput="this.value = this.value.replace(/[^0-9]/g, '')"
+                  title="只能输入数字">
         </div>
        </div>
     </form>

+ 21 - 3
src/main/resources/templates/cms/content_input.html

@@ -83,6 +83,7 @@
             <input type="text" name="title" id="j_title" class="input-nm measure-input" value="${content.title!,xss}"   placeholder="请填写标题" size="50"    >
 
         </div>
+
         <hr class="tc" style="margin-top: 3px!important;padding-top: 3px;margin-bottom: 3px!important;">
         <div class="form-group tc">
             <label for="j_keyword" class="control-label x85">关键字:</label>
@@ -151,14 +152,31 @@
         <hr class="tc" style="margin-top: 3px!important;padding-top: 3px;margin-bottom: 3px!important;">
         <div class="form-group tc">
             <label for="j_author" class="control-label x85">作者:</label>
-            <input type="text" name="author" id="j_author"  class="input-nm"   placeholder="文章作者" value="${isEmpty(content.author)?session.SysUser.username:content.author!,xss}"  size="20" data-rule="required;" >
+            <input type="text" name="author" id="j_author" class="input-nm"
+                   placeholder="文章作者" value="${isEmpty(content.author) ? session.SysUser.username : content.author!,xss}"
+                   size="20" data-rule="required;"
+                   oninput="this.value = this.value.replace(/[^a-zA-Z0-9\u4e00-\u9fa5]/g, '')"
+                   title="只能输入数字、英文和中文">
         </div>
+
+
+        <!--        <div class="form-group tc">-->
+<!--            <label for="j_title" class="control-label x85">标题:</label>-->
+<!--            <input type="text" name="title" id="j_title" class="input-nm measure-input"-->
+<!--                   value="${content.title!,xss}" placeholder="请填写标题" size="50"-->
+<!--                   oninput="this.value = this.value.replace(/[^a-zA-Z0-9\u4e00-\u9fa5]/g, '')"-->
+<!--                   title="只能输入汉字、英文和数字">-->
+<!--        </div>-->
         <hr class="tc" style="margin-top: 3px!important;padding-top: 3px;margin-bottom: 3px!important;">
         <div class="form-group">
             <label for="j_sorts" class="control-label x85">排序:</label>
-            <input type="text" name="sorts"  id="j_sorts"  size="20"
-                   value="${content.sorts!999}"  data-rule="integer;"  placeholder="排序">
+            <input type="text" name="sorts" id="j_sorts" size="20"
+                   value="${content.sorts!999}" placeholder="排序"
+                   oninput="this.value = this.value.replace(/[^0-9]/g, '')"
+                   title="只能输入数字">
         </div>
+
+
         <hr class="tc" style="margin-top: 3px!important;padding-top: 3px;margin-bottom: 3px!important;">
         <div class="form-group tc">
             <label  class="control-label x85">标签:</label>

+ 7 - 2
src/main/resources/templates/cms/friend_link.html

@@ -94,6 +94,7 @@
 <div class="bjui-pageContent tableContent">
     <form  id="friend_link_form" class="pageForm" data-toggle="validate" method="post">
         <table id="friendLink" class="table table-bordered table-hover table-top" data-toggle="tabledit" data-initnum="0" data-action="${ctxPath}/system/cms/friendlink/save" data-single-noindex="true">
+            <code>
             <thead>
             <tr style="text-align: center">
                 <th align="center"  title="No"></th>
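Review bot: `<code>` is not permitted content of `<table>`; the HTML parser foster-parents it out of the table, so it wraps nothing and the matching `</code>` added in the later hunk of this file is stray. If the intent was to neutralize values such as `${link.img!}` rendered into this table, a wrapper element does not escape anything; escaping has to happen where the value is output, the way other templates in this commit use `${…!,xss}`, which appears to be the template engine's escaping formatter. Both `<code>` lines should be removed.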
@@ -139,8 +140,8 @@
                 <td align="center">
                     @if(isNotEmpty(link.img)){
                     <span class="pic-box" style="margin-top:10px;">
-                    <img src="${link.img!}" height="25" width="80">
-                    </span>
+              <img src="${link.img!}" height="25" width="80">
+          </span>
                     @}
                 </td>
                 <td  align="center"  data-noedit="true">
@@ -151,9 +152,13 @@
             @}
 
             </tbody>
+            </code>
         </table>
+
     </form>
+
 </div>
+
 <div class="bjui-pageFooter">
     <div class="pages">
         <span>每页&nbsp;</span>

+ 6 - 3
src/main/resources/templates/cms/topic_input.html

@@ -115,9 +115,12 @@
             </tr>
             <tr>
                 <td>
-                    <label for="sort_id" class="control-label x85">排序:</label>
-                    <input type="text" name="sortId" id="sort_id" value="${topic.sortId!,xss}" placeholder="排序" data-rule="required;"  size="25">
-                </td>
+                <label for="sort_id" class="control-label x85">排序:</label>
+                <input type="text" name="sortId" id="sort_id" value="${topic.sortId!,xss}" placeholder="排序" data-rule="required;"  size="25"
+                       oninput="this.value = this.value.replace(/[^0-9]/g, '')"
+                       title="只能输入数字">
+            </td>
+
             </tr>
             <tr>
                 <td>

+ 19 - 0
src/main/resources/templates/system/login.html

@@ -185,5 +185,24 @@
         $('body').css('background-image', 'url(${ctxPath}/static/images/loginbg_0' + bg + '.jpg)');
     }
 </script>
+
+    <script>
+
+
+            document.getElementById('submit_btn').addEventListener('click', function () {
+                //获取页面密码
+                var passwordInput = document.getElementById('password');
+                // 在这里进行密码加密处理
+                var currentPassword = passwordInput.value;
+                var encryptedPassword = simpleEncrypt(currentPassword);
+                passwordInput.value = encryptedPassword;
+
+            // 简单的密码加密函数
+            function simpleEncrypt(password) {
+                return btoa(password);
+            }
+        });
+
+    </script>
 </body>
 </html>
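Review bot: `simpleEncrypt` is `btoa`, Base64 encoding rather than encryption, so the password remains fully recoverable by anyone who can read the request and the comment "密码加密处理" overstates the effect; confidentiality for this form has to come from serving the login page and endpoint over TLS. `btoa` also throws `InvalidCharacterError` for characters outside Latin-1, so a password containing Chinese characters would break the submit handler, and if the click handler runs again without a page reload (for example after a failed client-side check) the field content is encoded a second time. Renaming the function to `encodeBase64` and a comment such as `// Base64 only: reversible, provides no confidentiality` would at least keep the next maintainer from relying on it.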

+ 2 - 1
src/main/resources/templates/system/organization_input.html

@@ -42,7 +42,8 @@
                 <td>
                     <label for="telPhone" class="control-label x85">联系电话:</label>
                     <input type="text" name="telPhone" id="telPhone" value="${org.telPhone!,xss}" placeholder="请填写部门联系电话!"  size="
-20" >
+20" oninput="this.value = this.value.replace(/[^0-9]/g, '')"
+                           title="只能输入数字" >
                 </td>
             </tr>
             <tr>