From 0e67815b8d7a3a4422a5f8dcf0f395d6f94d4695 Mon Sep 17 00:00:00 2001
From: thinkgem
Date: Thu, 9 Aug 2018 22:45:19 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=AD=A3=E7=94=A8=E6=88=B7=E5=88=97?= =?UTF-8?q?=E8=A1=A8=E9=80=89=E6=8B=A9=E7=9A=84selectData=E5=8F=98?= =?UTF-8?q?=E9=87=8F=E5=8F=AF=E8=83=BD=E9=80=A0=E6=88=90XSS=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../main/java/com/jeesite/common/codec/EncodeUtils.java | 4 +++-
 .../jeesite/modules/sys/web/user/EmpUserController.java | 7 ++++++-
 .../resources/views/modules/sys/user/empUserSelect.html | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
index d461b25a..39a85b3b 100644
--- a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
+++ b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
@@ -167,7 +167,9 @@ public class EncodeUtils {
 * URL 解码, Encode默认为UTF-8.
 */
 public static String decodeUrl(String part, String encoding) {
-
+ if (part == null){
+ return null;
+ }
 try {
 return URLDecoder.decode(part, encoding);
 } catch (UnsupportedEncodingException e) {
diff --git a/modules/core/src/main/java/com/jeesite/modules/sys/web/user/EmpUserController.java b/modules/core/src/main/java/com/jeesite/modules/sys/web/user/EmpUserController.java
index 35b85f2f..9785833c 100644
--- a/modules/core/src/main/java/com/jeesite/modules/sys/web/user/EmpUserController.java
+++ b/modules/core/src/main/java/com/jeesite/modules/sys/web/user/EmpUserController.java
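Review bot: The Javadoc above `decodeUrl(String part, String encoding)` in EncodeUtils.java still documents only the UTF-8 default, while the added guard makes a null `part` return null; add `@return the decoded text, or null when part is null` so callers know to check the result. `URLDecoder.decode` also throws `IllegalArgumentException` on malformed percent-escapes, and the only catch visible here is for `UnsupportedEncodingException`, so a caller that passes a request parameter straight in (as `empUserSelect` does in this commit) should handle that case. The catch body and the end of the method are outside the hunk.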
@@ -22,12 +22,14 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.multipart.MultipartFile;
+import com.jeesite.common.codec.EncodeUtils;
 import com.jeesite.common.collect.ListUtils;
 import com.jeesite.common.collect.MapUtils;
 import com.jeesite.common.config.Global;
 import com.jeesite.common.entity.Page;
 import com.jeesite.common.lang.DateUtils;
 import com.jeesite.common.lang.StringUtils;
+import com.jeesite.common.mapper.JsonMapper;
 import com.jeesite.common.utils.excel.ExcelExport;
 import com.jeesite.common.utils.excel.annotation.ExcelField.Type;
 import com.jeesite.common.web.BaseController;
@@ -382,7 +384,10 @@ public class EmpUserController extends BaseController {
 @RequiresPermissions("user")
 @RequestMapping(value = "empUserSelect")
 public String empUserSelect(EmpUser empUser, String selectData, String checkbox, Model model) {
- model.addAttribute("selectData", selectData); // 指定默认选中的ID
+ String selectDataJson = EncodeUtils.decodeUrl(selectData);
+ if (JsonMapper.fromJson(selectDataJson, Map.class) != null){
+ model.addAttribute("selectData", selectDataJson);
+ }
 model.addAttribute("checkbox", checkbox); // 是否显示复选框,支持多选
 model.addAttribute("empUser", empUser); // ModelAttribute
 return "modules/sys/user/empUserSelect";
diff --git a/modules/core/src/main/resources/views/modules/sys/user/empUserSelect.html b/modules/core/src/main/resources/views/modules/sys/user/empUserSelect.html
index b7022f96..1898c765 100644
--- a/modules/core/src/main/resources/views/modules/sys/user/empUserSelect.html
+++ b/modules/core/src/main/resources/views/modules/sys/user/empUserSelect.html
@@ -77,7 +77,7 @@ <% } %>
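Review bot: In `empUserSelect`, the check `JsonMapper.fromJson(selectDataJson, Map.class) != null` only shows that the parameter parses as a JSON object (presumably `fromJson` returns null on a parse failure), and the value stored in the model is still the caller-supplied string, whose JSON string values may legally contain `<`, `>`, `&` and quotes. Whether the XSS is closed therefore depends on how empUserSelect.html writes `selectData` into the page, and that template hunk is cut off on this page, so output encoding for the target context should be confirmed there. Storing a re-serialised form of the parsed map instead of the raw input would also keep the model value canonical. Request parameters are normally already URL-decoded by the servlet container, so `EncodeUtils.decodeUrl(selectData)` looks like a second decode; if the client really double-encodes the value, a comment such as `// selectData is URL-encoded by the client and must decode to a JSON object` would record the intent that the removed `// 指定默认选中的ID` comment used to carry.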