Merge branch 'master' of https://gitee.com/y_project/RuoYi-Vue into dev

 Conflicts:

	pom.xml

	ruoyi-common/src/main/java/com/ruoyi/common/core/domain/entity/SysUser.java

	ruoyi-system/src/main/java/com/ruoyi/system/domain/SysNotice.java

	ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java

ruoyi-common/src/main/java/com/ruoyi/common/core/domain/entity/SysUser.java

@@ -4,6 +4,7 @@ import com.baomidou.mybatisplus.annotation.*;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.ruoyi.common.core.domain.BaseEntity;
+import com.ruoyi.common.xss.Xss;
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
@@ -48,15 +49,17 @@ public class SysUser extends BaseEntity {
 	 * 用户账号
 	 */
 	@ApiModelProperty(value = "用户账号")
-	@NotBlank(message = "用户账号不能为空")
+    @Xss(message = "用户账号不能包含脚本字符")
+    @NotBlank(message = "用户账号不能为空")
 	@Size(min = 0, max = 30, message = "用户账号长度不能超过30个字符")
 	private String userName;
 
 	/**
 	 * 用户昵称
 	 */
-	@ApiModelProperty(value = "用户昵称")
-	@Size(min = 0, max = 30, message = "用户昵称长度不能超过30个字符")
+    @ApiModelProperty(value = "用户昵称")
+    @Xss(message = "用户昵称不能包含脚本字符")
+    @Size(min = 0, max = 30, message = "用户昵称长度不能超过30个字符")
 	private String nickName;
 
 	/**

ruoyi-common/src/main/java/com/ruoyi/common/utils/bean/BeanValidators.java

@@ -0,0 +1,24 @@
+package com.ruoyi.common.utils.bean;
+
+import java.util.Set;
+import javax.validation.ConstraintViolation;
+import javax.validation.ConstraintViolationException;
+import javax.validation.Validator;
+
+/**
+ * bean对象属性验证
+ * 
+ * @author ruoyi
+ */
+public class BeanValidators
+{
+    public static void validateWithException(Validator validator, Object object, Class<?>... groups)
+            throws ConstraintViolationException
+    {
+        Set<ConstraintViolation<Object>> constraintViolations = validator.validate(object, groups);
+        if (!constraintViolations.isEmpty())
+        {
+            throw new ConstraintViolationException(constraintViolations);
+        }
+    }
+}

ruoyi-common/src/main/java/com/ruoyi/common/xss/Xss.java

@@ -0,0 +1,27 @@
+package com.ruoyi.common.xss;
+
+import javax.validation.Constraint;
+import javax.validation.Payload;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * 自定义xss校验注解
+ * 
+ * @author ruoyi
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(value = { ElementType.METHOD, ElementType.FIELD, ElementType.CONSTRUCTOR, ElementType.PARAMETER })
+@Constraint(validatedBy = { XssValidator.class })
+public @interface Xss
+{
+    String message()
+
+    default "不允许任何脚本运行";
+
+    Class<?>[] groups() default {};
+
+    Class<? extends Payload>[] payload() default {};
+}

ruoyi-common/src/main/java/com/ruoyi/common/xss/XssValidator.java

@@ -0,0 +1,29 @@
+package com.ruoyi.common.xss;
+
+import javax.validation.ConstraintValidator;
+import javax.validation.ConstraintValidatorContext;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * 自定义xss校验注解实现
+ * 
+ * @author ruoyi
+ */
+public class XssValidator implements ConstraintValidator<Xss, String>
+{
+    private final String HTML_PATTERN = "<(\\S*?)[^>]*>.*?|<.*? />";
+
+    @Override
+    public boolean isValid(String value, ConstraintValidatorContext constraintValidatorContext)
+    {
+        return !containsHtml(value);
+    }
+
+    public boolean containsHtml(String value)
+    {
+        Pattern pattern = Pattern.compile(HTML_PATTERN);
+        Matcher matcher = pattern.matcher(value);
+        return matcher.matches();
+    }
+}

ruoyi-system/src/main/java/com/ruoyi/system/domain/SysNotice.java

@@ -3,6 +3,7 @@ package com.ruoyi.system.domain;
 import com.baomidou.mybatisplus.annotation.TableId;
 import com.baomidou.mybatisplus.annotation.TableName;
 import com.ruoyi.common.core.domain.BaseEntity;
+import com.ruoyi.common.xss.Xss;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
 import lombok.EqualsAndHashCode;
@@ -11,6 +12,7 @@ import lombok.experimental.Accessors;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.Size;
 
+
 /**
  * 通知公告表 sys_notice
  *
@@ -32,6 +34,7 @@ public class SysNotice extends BaseEntity {
     /**
      * 公告标题
      */
+    @Xss(message = "公告标题不能包含脚本字符")
     @ApiModelProperty(value = "公告标题")
     @NotBlank(message = "公告标题不能为空")
     @Size(min = 0, max = 50, message = "公告标题不能超过50个字符")