update to validate the input for the injection attack

@@ -3,7 +3,8 @@
  * @author: bikai<kai.bi@yoho.cn>
  * @date: 2015/10/28
  */
-var $ = require('jquery');
+var $ = require('jquery'),
+    security = require('../plugin/security');
 
 var $searchBox = $('.search-box'),
     $box = $('.box'),
@@ -43,6 +44,9 @@ $searchBox.children('.clear-text').on('touchstart', function() {
 });
 
 $searchBox.children('.search-icon').on('touchstart', function() {
+    if (security.hasDangerInput()) {
+      return false;
+    }
     $indexSearch.submit();
 });
 

@@ -5,6 +5,7 @@
  */
 
 var $ = require('jquery'),
+    security = require('../plugin/security'),
     Hammer = require('yoho.hammer');
 
 var $input = $('#search-input input');
@@ -47,6 +48,9 @@ cHammer.on('tap', function() {
 });
 
 $('#search').on('touchend', function() {
+    if (security.hasDangerInput()) {
+      return false;
+    }
     $(this).closest('form').submit();
     return false;
 });
@@ -78,4 +82,4 @@ $('#search').on('touchend', function() {
     }
 }());
 
-writeSearch.bindWirteLocal($form);
\ No newline at end of file
+writeSearch.bindWirteLocal($form);

@@ -7,6 +7,7 @@
 var $ = require('jquery'),
     Hammer = require('yoho.hammer'),
     tip = require('../plugin/tip'),
+    security = require('../plugin/security'),
     loading = require('../plugin/loading');
 
 var $action = $('.action'),
@@ -102,6 +103,10 @@ $addressForm.on('submit', function() {
         return false;
     }
 
+    if (security.hasDangerInput(false)){
+        return false;
+    }
+
     // 简单的表单校验
     if (!$(this).find('[name="consignee"]').val()) {
         tip.show('收件人不能为空');
@@ -243,4 +248,4 @@ $('input, textarea').on('focus', function() {
     $footer.hide();
 }).on('blur', function() {
     $footer.show();
-});
\ No newline at end of file
+});

+/**
+ * 校验input, 防止SQL注入
+ * @author: 赵彪<bill.zhao@yoho.cn>
+ * @date: 2015/11/30
+ */
+
+var $ = require('jquery'),
+    tip = require('./tip');
+
+/**
+ * hasStrangeInput() return true when input have danger value
+ *
+ * @param {Bool} needConvert Set if the danger input value should be converted to space
+ * @return {Bool} true/false If the input have danger value
+ */
+function hasDangerInput(needConvert) {
+  var validationPartten = /['"<>&\|]|--/g;
+  var inputs = $('input[type!=hidden], textarea');
+  var inputsLength = inputs.length;
+
+  // to set if the input value should be coverted, and its default value is true;
+  var willConvert = needConvert === undefined || typeof needConvert !== 'boolean' ? true : needConvert ;
+
+  for (var i = 0; i < inputsLength; i++) {
+    var val = inputs.eq(i).val();
+    if (validationPartten.test(val)) {
+      if (willConvert) {
+        inputs.eq(i).val(val.replace(validationPartten, ' '));
+      } else{
+        var matchChars = val.match(validationPartten).join(' ');
+        tip.show('不可以输入 ' + matchChars + ' 哦!');
+      }
+      return !willConvert && true;
+    }
+  }
+
+  return false;
+}
+
+
+exports.hasDangerInput = hasDangerInput;