update to validate the input for the injection attack

biao
Commit 6881729679ee0ef4804aafbeb50e8c877beb8c1f 1 parent 12a1f997
Showing 4 changed files with 57 additions and 3 deletions
static/js/index/channel.js
static/js/index/search.js
static/js/me/address.js
static/js/plugin/security.js
--- a/static/js/index/channel.js
View file @6881729
+++ b/static/js/index/channel.js
View file @6881729
@@ -3,7 +3,8 @@
  * @author: bikai<kai.bi@yoho.cn>
  * @date: 2015/10/28
  */
- var $ = require('jquery');
+ var $ = require('jquery'),
+     security = require('../plugin/security');
 
 var $searchBox = $('.search-box'),
     $box = $('.box'),
@@ -43,6 +44,9 @@ $searchBox.children('.clear-text').on('touchstart', function() {
 });
 
 $searchBox.children('.search-icon').on('touchstart', function() {
+     if (security.hasDangerInput()) {
+       return false;
+     }
     $indexSearch.submit();
 });
 
--- a/static/js/index/search.js
View file @6881729
+++ b/static/js/index/search.js
View file @6881729
@@ -5,6 +5,7 @@
  */
 
 var $ = require('jquery'),
+     security = require('../plugin/security'),
     Hammer = require('yoho.hammer');
 
 var $input = $('#search-input input');
@@ -47,6 +48,9 @@ cHammer.on('tap', function() {
 });
 
 $('#search').on('touchend', function() {
+     if (security.hasDangerInput()) {
+       return false;
+     }
     $(this).closest('form').submit();
     return false;
 });
@@ -78,4 +82,4 @@ $('#search').on('touchend', function() {
     }
 }());
 
- writeSearch.bindWirteLocal($form);
\ No newline at end of file
+ writeSearch.bindWirteLocal($form);
--- a/static/js/me/address.js
View file @6881729
+++ b/static/js/me/address.js
View file @6881729
@@ -7,6 +7,7 @@
 var $ = require('jquery'),
     Hammer = require('yoho.hammer'),
     tip = require('../plugin/tip'),
+     security = require('../plugin/security'),
     loading = require('../plugin/loading');
 
 var $action = $('.action'),
@@ -102,6 +103,10 @@ $addressForm.on('submit', function() {
         return false;
     }
 
+     if (security.hasDangerInput(false)){
+         return false;
+     }
+ 
     // 简单的表单校验
     if (!$(this).find('[name="consignee"]').val()) {
         tip.show('收件人不能为空');
@@ -243,4 +248,4 @@ $('input, textarea').on('focus', function() {
     $footer.hide();
 }).on('blur', function() {
     $footer.show();
- });
\ No newline at end of file
+ });
--- a/static/js/plugin/security.js 0 → 100644
View file @6881729
+++ b/static/js/plugin/security.js 0 → 100644
View file @6881729
+ /**
+  * 校验input, 防止SQL注入
+  * @author: 赵彪<bill.zhao@yoho.cn>
+  * @date: 2015/11/30
+  */
+ 
+ var $ = require('jquery'),
+     tip = require('./tip');
+ 
+ /**
+  * hasStrangeInput() return true when input have danger value
+  *
+  * @param {Bool} needConvert Set if the danger input value should be converted to space
+  * @return {Bool} true/false If the input have danger value
+  */
+ function hasDangerInput(needConvert) {
+   var validationPartten = /['"<>&\|]|--/g;
+   var inputs = $('input[type!=hidden], textarea');
+   var inputsLength = inputs.length;
+ 
+   // to set if the input value should be coverted, and its default value is true;
+   var willConvert = needConvert === undefined || typeof needConvert !== 'boolean' ? true : needConvert ;
+ 
+   for (var i = 0; i < inputsLength; i++) {
+     var val = inputs.eq(i).val();
+     if (validationPartten.test(val)) {
+       if (willConvert) {
+         inputs.eq(i).val(val.replace(validationPartten, ' '));
+       } else{
+         var matchChars = val.match(validationPartten).join(' ');
+         tip.show('不可以输入 ' + matchChars + ' 哦!');
+       }
+       return !willConvert && true;
+     }
+   }
+ 
+   return false;
+ }
+ 
+ 
+ exports.hasDangerInput = hasDangerInput;