
feat(system): 优化消息内容过滤和 XSS 防护

- 修改 XSS 过滤器，只针对指定 URL 进行过滤
- 移除 MessagesBo 中的 EqualsAndHashCode 和 AutoMapper 注解
- 在 MessagesController 中移除内容验证逻辑
- 在 MessagesServiceImpl 中添加 HTML 内容过滤方法
- 在 MessagesVo 中添加 contentText 字段用于显示过滤后的内容
- 优化 NotificationUtils 中的消息插入逻辑
fugui001 há 5 meses atrás
pai
commit
9c2aae4ee6

+ 6 - 2
ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/config/FilterConfig.java

@@ -21,11 +21,15 @@ public class FilterConfig {
 
     @Bean
     @ConditionalOnProperty(value = "xss.enabled", havingValue = "true")
-    public FilterRegistrationBean<XssFilter> xssFilterRegistration() {
+    public FilterRegistrationBean<XssFilter> xssFilterRegistration(XssProperties xssProperties) {
         FilterRegistrationBean<XssFilter> registration = new FilterRegistrationBean<>();
         registration.setDispatcherTypes(DispatcherType.REQUEST);
         registration.setFilter(new XssFilter());
-        registration.addUrlPatterns("/*");
+
+        // 只针对指定的URL进行过滤
+        registration.addUrlPatterns("/api/messages/*");
+        registration.addUrlPatterns("/api/notice/*");
+
         registration.setName("xssFilter");
         registration.setOrder(FilterRegistrationBean.HIGHEST_PRECEDENCE + 1);
         return registration;
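Review bot: The `XssProperties xssProperties` parameter newly added to the `xssFilterRegistration` signature is never read; the two URL patterns that replace `/*` are hard-coded, so the filter's scope can no longer be adjusted through configuration even though the bean is still gated on the `xss.enabled` property. Either drop the parameter or derive the patterns from the properties object (its fields are not visible from here). Narrowing from `/*` to `/api/messages/*` and `/api/notice/*` means every other endpoint now receives request bodies unfiltered, which should be stated at the call site, e.g. `// Filter scope is deliberately limited to these URLs; other endpoints rely on output encoding at render time`. The method's closing brace lies outside the hunk.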

+ 0 - 1
ruoyi-modules/ruoyi-system/src/main/java/org/dromara/business/controller/MessagesController.java

@@ -76,7 +76,6 @@ public class MessagesController extends BaseController {
     @RepeatSubmit()
     @PostMapping()
     public R<Void> add(@Validated(AddGroup.class) @RequestBody MessagesBo bo) {
-        String content = bo.getContent();
         return toAjax(messagesService.insertByBo(bo));
     }
 

+ 0 - 2
ruoyi-modules/ruoyi-system/src/main/java/org/dromara/business/domain/bo/MessagesBo.java

@@ -18,8 +18,6 @@ import java.util.Date;
  * @date 2025-07-10
  */
 @Data
-@EqualsAndHashCode(callSuper = true)
-@AutoMapper(target = MessagesInfo.class, reverseConvertGenerate = false)
 public class MessagesBo extends BaseEntity {
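Review bot: Dropping `@AutoMapper(target = MessagesInfo.class, ...)` removes the generated MessagesBo-to-MessagesInfo converter, so any remaining call that converts this pair (the service's insert path, not visible here, is the likely place) would now fail at runtime rather than at compile time; that call site should be checked. With `@Data` left on a class that `extends BaseEntity`, removing `@EqualsAndHashCode(callSuper = true)` makes the generated `equals`/`hashCode` ignore the inherited fields, and Lombok warns about exactly this case. If the superclass fields are intentionally excluded, say so explicitly with `@EqualsAndHashCode(callSuper = false)`.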
 
     /**

+ 3 - 0
ruoyi-modules/ruoyi-system/src/main/java/org/dromara/business/domain/vo/MessagesVo.java

@@ -89,4 +89,7 @@ public class MessagesVo implements Serializable {
      */
     private String createName;
 
+
+    @ExcelProperty(value = "消息内容text")
+    private String contentText;
 }
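Review bot: The new `contentText` field is missing the Javadoc that the neighbouring `createName` carries (its closing `*/` is visible just above the hunk); add a matching block such as `/** Message content with HTML tags stripped, for plain-text display only */` so readers know it is derived from `content` and is not a sanitised value. The extra blank line added at the start of the hunk also leaves two blank lines between fields, unlike the rest of the class.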

+ 14 - 0
ruoyi-modules/ruoyi-system/src/main/java/org/dromara/business/service/impl/MessagesServiceImpl.java

@@ -74,6 +74,10 @@ public class MessagesServiceImpl implements IMessagesService {
 
             String receiverType = record.getReceiverType();
             record.setReceiverType(ReceiverTypeEnum.getDescriptionByCode(receiverType));
+
+            String contentText=replaceHtml(record.getContent());
+            record.setContentText(contentText);
+
         }
         return TableDataInfo.build(result);
     }
@@ -156,4 +160,14 @@ public class MessagesServiceImpl implements IMessagesService {
         }
         return baseMapper.deleteMessageById(ids) > 0;
     }
+
+
+    public static String replaceHtml(String html) {
+        if (html == null || html.isEmpty()) {
+            return "";
+        }
+        // 正则表达式移除所有的HTML标签
+        return html.replaceAll("<[^>]*>", "");
+    }
+
 }
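Review bot: `replaceHtml` in the second hunk is a display helper, not a sanitiser, and its Javadoc should say so: it removes anything matching `<[^>]*>` but leaves HTML entities such as `&lt;` and `&amp;` encoded and leaves a stray `<` with no matching `>` in place, so `contentText` must still be output-encoded wherever it is rendered. The regex is recompiled on every call inside the loop in the first hunk; hoist it with `private static final Pattern HTML_TAG = Pattern.compile("<[^>]*>");` and `return HTML_TAG.matcher(html).replaceAll("");` (requires `java.util.regex.Pattern`). As a public static method with no dependency on service state it belongs in a utils class rather than on `MessagesServiceImpl`, and `String contentText=replaceHtml(...)` is missing spaces around `=`.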

+ 0 - 1
ruoyi-modules/ruoyi-system/src/main/java/org/dromara/business/utils/NotificationUtils.java

@@ -47,7 +47,6 @@ public class NotificationUtils {
             bo.setMessageType(messageType);
             bo.setStatus(MessageStatusEnum.SENT.getCode());
             bo.setSendName(sendName);
-
             log.debug("插入主消息内容:{}", bo);
             messagesInfoMapper.insertMessage(bo);
             Long messageId = bo.getId();