wzj/Mrdoc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

优化文档名称的XSS过滤

Browse Source
This commit is contained in:
zmister 2021-09-07 23:48:06 +08:00
parent 00c26e9c7c
commit d2eda66cb7
3 changed files with 52 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
app_doc/views.py
View File

@ -36,6 +36,53 @@ import hashlib
import markdown import markdown
# HTML转义
def jsonXssFilter(data):
payloads = {
'\'':''',
'"':'"',
'<':'&lt;',
'>':'&gt;'
}
if type(data) == dict:
new = {}
for key,values in data.items():
new[key] = jsonXssFilter(values)
elif type(data) == list:
new = []
for i in data:
new.append(jsonXssFilter(i))
elif type(data) == int or type(data) == float:
new = data
elif type(data) == str:
new = data
for key,value in payloads.items():
new = new.replace(key,value)
elif type(data) ==bytes:
new = data
else:
print('>>> unknown type:')
print(type(data))
new = data
return new
def html_filter(data):
if len(data) == 0:
return ""
payloads = {
'\'':'&apos;',
'"':'&quot;',
'<':'&lt;',
'>':'&gt;'
}
new = data
for key, value in payloads.items():
new = new.replace(key, value)
print(new)
return new
# 替换前端传来的非法字符 # 替换前端传来的非法字符
def validateTitle(title): def validateTitle(title):
rstr = r"[\/\\\:\*\?\"\<\>\|\[\]]" # '/ \ : * ? " < > |' rstr = r"[\/\\\:\*\?\"\<\>\|\[\]]" # '/ \ : * ? " < > |'
@ -2071,6 +2118,7 @@ def get_pro_doc_tree(request):
# 如果一级文档没有下级文档,直接保存 # 如果一级文档没有下级文档,直接保存
else: else:
doc_list.append(top_item) doc_list.append(top_item)
doc_list = jsonXssFilter(doc_list)
return JsonResponse({'status':True,'data':doc_list}) return JsonResponse({'status':True,'data':doc_list})
else: else:
return JsonResponse({'status':False,'data':_('参数错误')}) return JsonResponse({'status':False,'data':_('参数错误')})

4
template/app_admin/admin_doc.html
View File

@ -66,11 +66,11 @@
{% verbatim %} {% verbatim %}
{{#if (d.status == 1) { }} {{#if (d.status == 1) { }}
<span class="layui-badge-dot layui-bg-blue"></span> <span class="layui-badge-dot layui-bg-blue"></span>
<a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{d.name}}</a> <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{=d.name}}</a>
{{# }else if(d.status == 0){ }} {{# }else if(d.status == 0){ }}
<!-- <i class="layui-icon layui-icon-release" style="cursor: pointer;" onclick="fastPubDoc('{{d.id}}')" title="草稿状态,点击一键发布"></i>&nbsp; --> <!-- <i class="layui-icon layui-icon-release" style="cursor: pointer;" onclick="fastPubDoc('{{d.id}}')" title="草稿状态,点击一键发布"></i>&nbsp; -->
<span class="layui-badge-dot layui-bg-orange"></span> <span class="layui-badge-dot layui-bg-orange"></span>
<a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档:{{d.name}}">{{ d.name }} </a> <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档:{{=d.name}}">{{=d.name}} </a>
{{# } }} {{# } }}
{{#if (d.editor_mode in [1,2,3]) { }} {{#if (d.editor_mode in [1,2,3]) { }}
<i class="layui-icon layui-icon-form" title="普通文档"</i> <i class="layui-icon layui-icon-form" title="普通文档"</i>

4
template/app_doc/manage/manage_doc.html
View File

@ -77,10 +77,10 @@
{% verbatim %} {% verbatim %}
{{#if (d.status == 1) { }} {{#if (d.status == 1) { }}
<span class="layui-badge-dot layui-bg-blue"></span> <span class="layui-badge-dot layui-bg-blue"></span>
<a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{d.name}}</a> <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{=d.name}}</a>
{{# }else if(d.status == 0){ }} {{# }else if(d.status == 0){ }}
<span class="layui-badge-dot layui-bg-orange"></span> <span class="layui-badge-dot layui-bg-orange"></span>
<a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档:{{d.name}}">{{ d.name }} </a> <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档:{{=d.name}}">{{=d.name}} </a>
{{# } }} {{# } }}
{{#if (d.editor_mode in [1,2,3]) { }} {{#if (d.editor_mode in [1,2,3]) { }}
<i class="layui-icon layui-icon-form" title="普通文档"</i> <i class="layui-icon layui-icon-form" title="普通文档"</i>