From ad292502a91271cbaf60e83cb7b7ce7c4b2be13e Mon Sep 17 00:00:00 2001
From: thinkgem
Date: Sat, 11 May 2024 15:28:01 +0800
Subject: [PATCH] skinName add xssFilter

---
 .../main/java/com/jeesite/modules/sys/web/LoginController.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java b/modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java
index c4721e29..e44bf79a 100644
--- a/modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java
+++ b/modules/core/src/main/java/com/jeesite/modules/sys/web/LoginController.java
@@ -5,6 +5,7 @@ package com.jeesite.modules.sys.web;
 import com.fasterxml.jackson.annotation.JsonView;
+import com.jeesite.common.codec.EncodeUtils;
 import com.jeesite.common.config.Global;
 import com.jeesite.common.lang.StringUtils;
 import com.jeesite.common.shiro.filter.FormFilter;
@@ -397,7 +398,7 @@ public class LoginController extends BaseController{
 	@RequestMapping(value = "switchSkin/{skinName}")
 	public String switchSkin(@PathVariable String skinName, HttpServletRequest request, HttpServletResponse response) {
 		if (StringUtils.isNotBlank(skinName) && !"select".equals(skinName)){
-			CookieUtils.setCookie(response, "skinName", skinName);
+			CookieUtils.setCookie(response, "skinName", EncodeUtils.encodeUrl(EncodeUtils.xssFilter(skinName, request)));
 			if (ServletUtils.isAjaxRequest(request)) {
 				return renderResult(response, Global.TRUE, text("主题切换成功"));
 			}
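Review bot: The new setCookie line in the second hunk sanitises skinName by filtering and URL-encoding it, but a skin name is only ever one of a small set of installed identifiers, so an allowlist check is a stronger and simpler control than passing arbitrary path input through a blacklist-style xssFilter; validate it before this line, e.g. `if (!skinName.matches("[A-Za-z0-9_-]{1,32}")) { /* treat like the blank/"select" case */ }`, or compare against the configured skin list. Note that the guard on the preceding line still compares the raw value while the stored value is the transformed one, so the two can disagree for inputs that xssFilter alters; what xssFilter does exactly is not visible here. Because the cookie value is now URL-encoded, every reader of the `skinName` cookie must decode it — presumably CookieUtils.getCookie does, but that should be confirmed. The switchSkin method continues past the end of the hunk, so any later use of skinName in it (a redirect target, for instance) is not covered by this change and should be checked as well.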