修正用户列表选择的selectData变量可能造成XSS漏洞

modules/core/src/main/java/com/jeesite/modules/sys/web/user/EmpUserController.java

@@ -22,12 +22,14 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.multipart.MultipartFile;
 
+import com.jeesite.common.codec.EncodeUtils;
 import com.jeesite.common.collect.ListUtils;
 import com.jeesite.common.collect.MapUtils;
 import com.jeesite.common.config.Global;
 import com.jeesite.common.entity.Page;
 import com.jeesite.common.lang.DateUtils;
 import com.jeesite.common.lang.StringUtils;
+import com.jeesite.common.mapper.JsonMapper;
 import com.jeesite.common.utils.excel.ExcelExport;
 import com.jeesite.common.utils.excel.annotation.ExcelField.Type;
 import com.jeesite.common.web.BaseController;
@@ -382,7 +384,10 @@ public class EmpUserController extends BaseController {
 	@RequiresPermissions("user")
 	@RequestMapping(value = "empUserSelect")
 	public String empUserSelect(EmpUser empUser, String selectData, String checkbox, Model model) {
-		model.addAttribute("selectData", selectData); // 指定默认选中的ID
+		String selectDataJson = EncodeUtils.decodeUrl(selectData);
+		if (JsonMapper.fromJson(selectDataJson, Map.class) != null){
+			model.addAttribute("selectData", selectDataJson);
+		}
 		model.addAttribute("checkbox", checkbox); // 是否显示复选框，支持多选
 		model.addAttribute("empUser", empUser); // ModelAttribute
 		return "modules/sys/user/empUserSelect";

modules/core/src/main/resources/views/modules/sys/user/empUserSelect.html

@@ -77,7 +77,7 @@
 </div>
 <% } %>
 <script>
-var selectData = JSON.parse(js.decodeUrl('${isNotBlank(selectData!) ? selectData! : "{\}"}')),
+var selectData = ${isNotBlank(selectData!) ? selectData! : "{\}"},
 selectNum = 0, dataGrid = $('#dataGrid').dataGrid({
 	searchForm: $("#searchForm"),
 	columnModel: [