Authored by biao

Update to validate input against injection attacks

@@ -3,7 +3,8 @@ @@ -3,7 +3,8 @@
3 * @author: bikai<kai.bi@yoho.cn> 3 * @author: bikai<kai.bi@yoho.cn>
4 * @date: 2015/10/28 4 * @date: 2015/10/28
5 */ 5 */
6 -var $ = require('jquery'); 6 +var $ = require('jquery'),
  7 + security = require('../plugin/security');
7 8
8 var $searchBox = $('.search-box'), 9 var $searchBox = $('.search-box'),
9 $box = $('.box'), 10 $box = $('.box'),
@@ -43,6 +44,9 @@ $searchBox.children('.clear-text').on('touchstart', function() { @@ -43,6 +44,9 @@ $searchBox.children('.clear-text').on('touchstart', function() {
43 }); 44 });
44 45
45 $searchBox.children('.search-icon').on('touchstart', function() { 46 $searchBox.children('.search-icon').on('touchstart', function() {
  47 + if (security.hasDangerInput()) {
  48 + return false;
  49 + }
46 $indexSearch.submit(); 50 $indexSearch.submit();
47 }); 51 });
48 52
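Review bot: The `return false` on the new line 48 is unreachable: `hasDangerInput()` is called without an argument, and the helper added in this commit defaults to convert mode, where it rewrites the offending characters in place and always reports false (its loop ends in `return !willConvert && true;`), so this handler always submits the form, with the field silently altered. The `#search` touchend handler in the later hunk has the same dead guard. If the intent is to block the submit, pass the mode explicitly, `if (security.hasDangerInput(false)) {`; if the intent is to sanitize and go on, the guard can shrink to a bare `security.hasDangerInput();` with a comment saying the value is scrubbed. Either way a comment stating which behaviour is wanted would help the next reader, since the two modes look identical at the call site.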
@@ -5,6 +5,7 @@ @@ -5,6 +5,7 @@
5 */ 5 */
6 6
7 var $ = require('jquery'), 7 var $ = require('jquery'),
  8 + security = require('../plugin/security'),
8 Hammer = require('yoho.hammer'); 9 Hammer = require('yoho.hammer');
9 10
10 var $input = $('#search-input input'); 11 var $input = $('#search-input input');
@@ -47,6 +48,9 @@ cHammer.on('tap', function() { @@ -47,6 +48,9 @@ cHammer.on('tap', function() {
47 }); 48 });
48 49
49 $('#search').on('touchend', function() { 50 $('#search').on('touchend', function() {
  51 + if (security.hasDangerInput()) {
  52 + return false;
  53 + }
50 $(this).closest('form').submit(); 54 $(this).closest('form').submit();
51 return false; 55 return false;
52 }); 56 });
@@ -7,6 +7,7 @@ @@ -7,6 +7,7 @@
7 var $ = require('jquery'), 7 var $ = require('jquery'),
8 Hammer = require('yoho.hammer'), 8 Hammer = require('yoho.hammer'),
9 tip = require('../plugin/tip'), 9 tip = require('../plugin/tip'),
  10 + security = require('../plugin/security'),
10 loading = require('../plugin/loading'); 11 loading = require('../plugin/loading');
11 12
12 var $action = $('.action'), 13 var $action = $('.action'),
@@ -102,6 +103,10 @@ $addressForm.on('submit', function() { @@ -102,6 +103,10 @@ $addressForm.on('submit', function() {
102 return false; 103 return false;
103 } 104 }
104 105
  106 + if (security.hasDangerInput(false)){
  107 + return false;
  108 + }
  109 +
105 // 简单的表单校验 110 // 简单的表单校验
106 if (!$(this).find('[name="consignee"]').val()) { 111 if (!$(this).find('[name="consignee"]').val()) {
107 tip.show('收件人不能为空'); 112 tip.show('收件人不能为空');
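Review bot: `security.hasDangerInput(false)` on the new line 106 inspects every `input[type!=hidden], textarea` on the page, not the fields of `$addressForm`, whereas the form's own checks a few lines below are scoped with `$(this).find(...)`; a field belonging to some other widget on the page could therefore block this submit or trigger a tip about a value the user never typed here. If the helper is extended to accept a scope, this call would become `if (security.hasDangerInput(false, $(this))) {`; otherwise a comment noting that the check is page-wide would at least make the behaviour explicit. Style nit: `){` should be `) {` to match the rest of the file. The submit handler starts before this hunk and continues after it.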
  1 +/**
  2 + * 校验input, 防止SQL注入
  3 + * @author: 赵彪<bill.zhao@yoho.cn>
  4 + * @date: 2015/11/30
  5 + */
  6 +
  7 +var $ = require('jquery'),
  8 + tip = require('./tip');
  9 +
  10 +/**
  11 + * hasStrangeInput() return true when input have danger value
  12 + *
  13 + * @param {Bool} needConvert Set if the danger input value should be converted to space
  14 + * @return {Bool} true/false If the input have danger value
  15 + */
  16 +function hasDangerInput(needConvert) {
  17 + var validationPartten = /['"<>&\|]|--/g;
  18 + var inputs = $('input[type!=hidden], textarea');
  19 + var inputsLength = inputs.length;
  20 +
  21 + // to set if the input value should be coverted, and its default value is true;
  22 + var willConvert = needConvert === undefined || typeof needConvert !== 'boolean' ? true : needConvert ;
  23 +
  24 + for (var i = 0; i < inputsLength; i++) {
  25 + var val = inputs.eq(i).val();
  26 + if (validationPartten.test(val)) {
  27 + if (willConvert) {
  28 + inputs.eq(i).val(val.replace(validationPartten, ' '));
  29 + } else{
  30 + var matchChars = val.match(validationPartten).join(' ');
  31 + tip.show('不可以输入 ' + matchChars + ' 哦!');
  32 + }
  33 + return !willConvert && true;
  34 + }
  35 + }
  36 +
  37 + return false;
  38 +}
  39 +
  40 +
  41 +exports.hasDangerInput = hasDangerInput;
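Review bot: A client-side character filter does not prevent SQL injection — any request that bypasses this script reaches the server with the raw value — so the header comment on lines 1–5 should state that this is a UX/defense-in-depth check and that the server must still use parameterized queries, e.g. `// NOTE: client-side only; the server must still parameterize all queries`. In convert mode the `return !willConvert && true;` inside the loop exits after the first offending field, so only that field is rewritten while later inputs keep their characters; moving the early return into the non-convert branch fixes that (below). Convert mode also silently replaces `'`, `"`, `&` and the others with spaces, which alters legitimate values such as names containing an apostrophe, so the behaviour should at least be called out in the JSDoc. The doc comment names `hasStrangeInput()` although the function is `hasDangerInput`, `@param {Bool}` should be `{Boolean}`, and `validationPartten` is misspelled (`validationPattern`). Reusing the `/g` regex with `.test()` is stateful and works here only because `match` and `replace` reset `lastIndex`; a non-global copy for the test would be more robust.
```javascript
    // … unchanged: validationPartten, inputs, inputsLength, willConvert setup …

    for (var i = 0; i < inputsLength; i++) {
        var val = inputs.eq(i).val();

        if (validationPartten.test(val)) {
            if (!willConvert) {
                tip.show('不可以输入 ' + val.match(validationPartten).join(' ') + ' 哦!');
                return true;
            }
            // convert mode: scrub this field and keep scanning the remaining ones
            inputs.eq(i).val(val.replace(validationPartten, ' '));
        }
    }

    return false;
```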