refactor: 统一ID类型为Long并优化代码安全性和性能

修复用户删除接口的ID类型从Integer改为Long
移除未使用的Bouncy Castle依赖
添加dompurify依赖增强XSS防护
修复SQL表定义中的bigintBIGINT语法错误
优化图片预览接口的安全检查和错误处理
添加Vditor渲染引擎预加载和图片懒加载
统一分组和文件接口的ID类型为Long
增强前端用户状态管理，添加token过期检查
优化Markdown内容渲染流程和图片URL处理

biji-houdaun/src/main/java/com/test/bijihoudaun/controller/GroupingController.java

@@ -52,11 +52,9 @@ public class GroupingController {
     @PreAuthorize("hasRole('ADMIN')")
     @PutMapping("/{id}")
     public R<Grouping> updateGrouping(
-            @PathVariable String id,
+            @PathVariable Long id,
             @RequestBody Grouping grouping) {
-
-        long l = Long.parseLong(id);
-        grouping.setId(l);
+        grouping.setId(id);
         Grouping updated = groupingService.updateGrouping(grouping);
         return R.success(updated);
     }
@@ -64,9 +62,8 @@ public class GroupingController {
     @Operation(summary = "删除分组")
     @PreAuthorize("hasRole('ADMIN')")
     @DeleteMapping("/{id}")
-    public R<Void> deleteGrouping(@PathVariable String id) {
-        Long idLong = Long.parseLong(id);
-        groupingService.deleteGrouping(idLong);
+    public R<Void> deleteGrouping(@PathVariable Long id) {
+        groupingService.deleteGrouping(id);
         return R.success();
     }
 }

biji-houdaun/src/main/java/com/test/bijihoudaun/controller/ImageController.java

@@ -81,43 +81,48 @@ public class ImageController {
     @Operation(summary = "在线预览", description = "浏览器直接打开文件流")
     @GetMapping("/preview/{url}")
     public void preview(@PathVariable String url, HttpServletResponse resp) throws IOException {
-        // 修复：使用 try-with-resources 确保 PrintWriter 关闭
-        try (PrintWriter writer = resp.getWriter()) {
-            if (StrUtil.isBlank(url)) {
-                resp.setStatus(404);
-                writer.write("{\"code\":404,\"msg\":\"文件不存在\",\"data\":null}");
-                return;
-            }
-            
-            String sanitizedUrl = sanitizeFileName(url);
-            if (sanitizedUrl == null) {
-                resp.setStatus(403);
-                writer.write("{\"code\":403,\"msg\":\"非法文件路径\",\"data\":null}");
-                return;
-            }
-            
-            Path basePath = Paths.get(rootPath).normalize().toAbsolutePath();
-            Path filePath = basePath.resolve(sanitizedUrl).normalize();
-            
-            if (!filePath.startsWith(basePath)) {
-                resp.setStatus(403);
-                writer.write("{\"code\":403,\"msg\":\"非法文件路径\",\"data\":null}");
-                return;
-            }
-            
-            File file = filePath.toFile();
-            if (!file.exists() || !file.isFile()) {
-                resp.setStatus(404);
-                writer.write("{\"code\":404,\"msg\":\"文件不存在\",\"data\":null}");
-                return;
-            }
-            
-            String contentTypeFromFileExtension = getContentTypeFromFileExtension(url);
-            resp.setContentType(contentTypeFromFileExtension);
-            resp.setContentLengthLong(file.length());
-            try (FileInputStream in = new FileInputStream(file)) {
-                StreamUtils.copy(in, resp.getOutputStream());
-            }
+        // 注意：不能同时调用 resp.getWriter() 和 resp.getOutputStream()
+        
+        if (StrUtil.isBlank(url)) {
+            resp.setStatus(404);
+            resp.setContentType("application/json;charset=UTF-8");
+            resp.getWriter().write("{\"code\":404,\"msg\":\"文件不存在\",\"data\":null}");
+            return;
+        }
+        
+        String sanitizedUrl = sanitizeFileName(url);
+        if (sanitizedUrl == null) {
+            resp.setStatus(403);
+            resp.setContentType("application/json;charset=UTF-8");
+            resp.getWriter().write("{\"code\":403,\"msg\":\"非法文件路径\",\"data\":null}");
+            return;
+        }
+        
+        Path basePath = Paths.get(rootPath).normalize().toAbsolutePath();
+        Path filePath = basePath.resolve(sanitizedUrl).normalize();
+        
+        if (!filePath.startsWith(basePath)) {
+            resp.setStatus(403);
+            resp.setContentType("application/json;charset=UTF-8");
+            resp.getWriter().write("{\"code\":403,\"msg\":\"非法文件路径\",\"data\":null}");
+            return;
+        }
+        
+        File file = filePath.toFile();
+        if (!file.exists() || !file.isFile()) {
+            resp.setStatus(404);
+            resp.setContentType("application/json;charset=UTF-8");
+            resp.getWriter().write("{\"code\":404,\"msg\":\"文件不存在\",\"data\":null}");
+            return;
+        }
+        
+        String contentTypeFromFileExtension = getContentTypeFromFileExtension(url);
+        resp.setContentType(contentTypeFromFileExtension);
+        resp.setContentLengthLong(file.length());
+        // 文件流直接输出，不使用 try-with-resources 包装整个方法
+        try (FileInputStream in = new FileInputStream(file)) {
+            StreamUtils.copy(in, resp.getOutputStream());
+            resp.getOutputStream().flush();
         }
     }
     
@@ -125,7 +130,9 @@ public class ImageController {
         if (StrUtil.isBlank(fileName)) {
             return null;
         }
-        if (fileName.contains("..") || fileName.contains("/") || fileName.contains("\\") || fileName.contains(":")) {
+        // 修复：使用白名单验证文件名格式（只允许 UUID 格式）
+        // 例如：550e8400-e29b-41d4-a716-446655440000.jpg
+        if (!fileName.matches("^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\\.[a-zA-Z0-9]+$")) {
             return null;
         }
         return fileName;
@@ -162,6 +169,7 @@ public class ImageController {
         }
 
         String extension = fileName.substring(fileName.lastIndexOf('.') + 1).toLowerCase();
+        // 使用更安全的 MIME 类型映射，只允许图片类型
         switch (extension) {
             case "jpg":
             case "jpeg":
@@ -177,8 +185,27 @@ public class ImageController {
             case "svg":
                 return "image/svg+xml";
             default:
+                // 对于未知的扩展名，返回通用的二进制流类型，避免执行风险
                 return "application/octet-stream";
         }
     }
+    
+    /**
+     * 验证文件是否为允许的图片类型
+     * @param contentType 文件内容类型
+     * @return 是否允许
+     */
+    private boolean isAllowedImageType(String contentType) {
+        if (StrUtil.isBlank(contentType)) {
+            return false;
+        }
+        // 只允许标准的图片 MIME 类型
+        return contentType.equals("image/jpeg") ||
+               contentType.equals("image/png") ||
+               contentType.equals("image/gif") ||
+               contentType.equals("image/bmp") ||
+               contentType.equals("image/webp") ||
+               contentType.equals("image/svg+xml");
+    }
 
 }

biji-houdaun/src/main/java/com/test/bijihoudaun/controller/MarkdownController.java

@@ -85,7 +85,7 @@ public class MarkdownController {
     
     @Operation(summary = "根据分组ID获取Markdown文件")
     @GetMapping("/grouping/{groupingId}")
-    public R<List<MarkdownFileVO>> getFilesByGroupingId(@PathVariable String groupingId) {
+    public R<List<MarkdownFileVO>> getFilesByGroupingId(@PathVariable Long groupingId) {
         List<MarkdownFileVO> files = markdownFileService.getFilesByGroupingId(groupingId);
         return R.success(files);
     }

biji-houdaun/src/main/java/com/test/bijihoudaun/controller/UserController.java

@@ -112,7 +112,7 @@ public class UserController {
             return R.fail("无法获取用户信息，删除失败");
         }
 
-        userService.deleteUser(user.getId().intValue());
+        userService.deleteUser(user.getId());
         return R.success("用户删除成功");
     }