修复过滤文档全文搜索的一个XSS攻击语句

2021-01-28 21:05:15 +08:00 · 2021-01-28 21:05:15 +08:00 · 590f1302bd
commit 590f1302bd
parent 148421fd3b
2 changed files with 4 additions and 31 deletions
--- a/app_doc/views_search.py
+++ b/app_doc/views_search.py
@ -72,20 +72,16 @@ class DocSearchView(SearchView):
            ).filter(
                modify_time__gte=start_date,
                modify_time__lte=end_date).order_by('-modify_time')
-            self.form = self.build_form(form_kwargs={'searchqueryset':sqs})
-            self.query = self.get_query()
-            self.results = self.get_results()
-            return self.create_response()
        else:
            sqs = SearchQuerySet().filter(
                top_doc__in=None
            ).filter(
                modify_time__gte=start_date,
                modify_time__lte=end_date).order_by('-modify_time')
-            self.form = self.build_form(form_kwargs={'searchqueryset': sqs})
-            self.query = self.get_query()
-            self.results = self.get_results()
-            return self.create_response()
+        self.form = self.build_form(form_kwargs={'searchqueryset': sqs})
+        self.query = self.get_query().replace("\n",'').replace("\r",'')
+        self.results = self.get_results()
+        return self.create_response()

    def extra_context(self):
        context = {
--- a/template/search/search.html
+++ b/template/search/search.html
@ -270,29 +270,6 @@
            layui.form.render('select');
        });

-        // 搜索词高亮
-        function keyLight(id, key, bgColor){
-            var oDiv = document.getElementById(id),
-            sText = oDiv.innerHTML,
-            bgColor = bgColor || "#c00",    
-            sKey = "<span name='addSpan' style='color: "+bgColor+";'>"+key+"</span>",
-            num = -1,
-            rStr = new RegExp(key, "ig"),
-            rHtml = new RegExp("\<.*?\>","ig"), //匹配html元素
-            aHtml = sText.match(rHtml); //存放html元素的数组
-            sText = sText.replace(rHtml, '{~}');  //替换html标签
-            // sText = sText.replace(rStr,sKey); //替换key
-            sText = sText.replace(rStr,function(text){
-                return "<span name='addSpan' style='color: "+bgColor+";'>"+text+"</span>"
-            }); //替换key
-            sText = sText.replace(/{~}/g,function(){  //恢复html标签
-                    num++;
-                    return aHtml[num];
-            });
-            oDiv.innerHTML = sText;
-        };
-        // keyLight('search_result',"{{query}}")
-
        // 侦听Select下拉框的选择事件
        form.on('select()', function(data){
            var filter_data = form.val("filter-time-form");