From 3bbc662b390fb3abccf30375585aa9a64c0eb9b1 Mon Sep 17 00:00:00 2001
From: smallchill <smallchill@163.com>
Date: Mon, 22 Feb 2021 23:02:26 +0800
Subject: [PATCH] =?UTF-8?q?:zap:=20xss=E8=BF=87=E6=BB=A4=E5=A2=9E=E5=BC=BA?=
 =?UTF-8?q?=E9=80=9A=E9=85=8D=E7=AC=A6=E5=8C=B9=E9=85=8D=E9=80=BB=E8=BE=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../springblade/core/tool/support/xss/XssFilter.java  | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/blade-core-tool/src/main/java/org/springblade/core/tool/support/xss/XssFilter.java b/blade-core-tool/src/main/java/org/springblade/core/tool/support/xss/XssFilter.java
index cab3e79..80221de 100644
--- a/blade-core-tool/src/main/java/org/springblade/core/tool/support/xss/XssFilter.java
+++ b/blade-core-tool/src/main/java/org/springblade/core/tool/support/xss/XssFilter.java
@@ -16,7 +16,7 @@
 package org.springblade.core.tool.support.xss;
 
 import lombok.AllArgsConstructor;
-import org.springblade.core.tool.utils.StringPool;
+import org.springframework.util.AntPathMatcher;
 
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
@@ -30,8 +30,9 @@ import java.io.IOException;
 @AllArgsConstructor
 public class XssFilter implements Filter {
 
-	private XssProperties xssProperties;
-	private XssUrlProperties xssUrlProperties;
+	private final XssProperties xssProperties;
+	private final XssUrlProperties xssUrlProperties;
+	private final AntPathMatcher antPathMatcher = new AntPathMatcher();
 
 	@Override
 	public void init(FilterConfig config) {
@@ -50,8 +51,8 @@ public class XssFilter implements Filter {
 	}
 
 	private boolean isSkip(String path) {
-		return (xssUrlProperties.getExcludePatterns().stream().anyMatch(path::startsWith))
-			|| (xssProperties.getSkipUrl().stream().map(url -> url.replace("/**", StringPool.EMPTY)).anyMatch(path::startsWith));
+		return (xssUrlProperties.getExcludePatterns().stream().anyMatch(pattern -> antPathMatcher.match(pattern, path)))
+			|| (xssProperties.getSkipUrl().stream().anyMatch(pattern -> antPathMatcher.match(pattern, path)));
 	}
 
 	@Override