Authored by 徐炜

Merge remote-tracking branch 'origin/feature/security-fix' into feature/security-fix

@@ -7,6 +7,7 @@ @@ -7,6 +7,7 @@
7 'use strict'; 7 'use strict';
8 8
9 const model = require('../models'); 9 const model = require('../models');
  10 +const config = global.yoho.config;
10 11
11 exports.index = (req, res) => { 12 exports.index = (req, res) => {
12 const channelType = req.path.substring(1) || 'men'; 13 const channelType = req.path.substring(1) || 'men';
@@ -15,7 +16,7 @@ exports.index = (req, res) => { @@ -15,7 +16,7 @@ exports.index = (req, res) => {
15 16
16 // 设置当前频道 17 // 设置当前频道
17 res.cookie('_Channel', channelType, { 18 res.cookie('_Channel', channelType, {
18 - domain: '.yohoblk.com' 19 + domain: config.cookieDomain
19 }); 20 });
20 21
21 req.yoho.channel = channelType; 22 req.yoho.channel = channelType;
@@ -26,4 +27,4 @@ exports.index = (req, res) => { @@ -26,4 +27,4 @@ exports.index = (req, res) => {
26 dataPage: channelType 27 dataPage: channelType
27 }, result)); 28 }, result));
28 }); 29 });
29 -}; 30 +};
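Review bot: `_Channel` is the one cookie this commit touches without also adding `httpOnly: true`, unlike the `refer`, login-expire and `_STEP` cookies in the other files; if nothing client-side reads `_Channel`, `domain: config.cookieDomain, httpOnly: true` keeps the files consistent, and if something does, a comment saying so would stop the next reviewer asking the same question. The value written is `req.path.substring(1) || 'men'` straight from the request path; checking it against the known channel names before storing it in the cookie and in `req.yoho.channel` would be a cheap hardening. `exports.index` continues past this hunk.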
@@ -6,6 +6,7 @@ @@ -6,6 +6,7 @@
6 'use strict'; 6 'use strict';
7 const mcHandler = require('../models/menu-crumb-handler'); 7 const mcHandler = require('../models/menu-crumb-handler');
8 const addressModel = require('../models/address'); 8 const addressModel = require('../models/address');
  9 +const cleanHtml = require(`${global.utils}/cleanHtml`);
9 const crypto = global.yoho.crypto; 10 const crypto = global.yoho.crypto;
10 const config = global.yoho.config; 11 const config = global.yoho.config;
11 12
@@ -34,6 +35,7 @@ const index = (req, res, next) => { @@ -34,6 +35,7 @@ const index = (req, res, next) => {
34 resultData[i].default = resultData[i].is_default === 'Y'; 35 resultData[i].default = resultData[i].is_default === 'Y';
35 resultData[i].mobile = resultData[i].mobile.replace(reg, '$1****$2'); 36 resultData[i].mobile = resultData[i].mobile.replace(reg, '$1****$2');
36 resultData[i].id = crypto.encryption(config.crypto.common, resultData[i].address_id + ''); 37 resultData[i].id = crypto.encryption(config.crypto.common, resultData[i].address_id + '');
  38 + resultData[i].address = cleanHtml.htmlDecode(resultData[i].address);
37 } 39 }
38 resultData.leftLength = 7 - length; 40 resultData.leftLength = 7 - length;
39 resultData.length = length; 41 resultData.length = length;
@@ -61,6 +63,7 @@ const getAddressList = (req, res, next) => { @@ -61,6 +63,7 @@ const getAddressList = (req, res, next) => {
61 63
62 _.each(result.data, (d) => { 64 _.each(result.data, (d) => {
63 d.address_id = crypto.encryption(config.crypto.common, d.address_id + ''); 65 d.address_id = crypto.encryption(config.crypto.common, d.address_id + '');
  66 + d.address = cleanHtml.htmlDecode(d.address);
64 }); 67 });
65 68
66 defaultAd && (defaultAd.focus = true); 69 defaultAd && (defaultAd.focus = true);
@@ -74,7 +77,7 @@ const getAddressList = (req, res, next) => { @@ -74,7 +77,7 @@ const getAddressList = (req, res, next) => {
74 */ 77 */
75 const addAddressData = (req, res, next) => { 78 const addAddressData = (req, res, next) => {
76 let uid = req.user.uid; 79 let uid = req.user.uid;
77 - let address = req.body.address; 80 + let address = cleanHtml.htmlEncode(req.body.address);
78 let areaCode = req.body.area_code; 81 let areaCode = req.body.area_code;
79 let consignee = req.body.consignee; 82 let consignee = req.body.consignee;
80 let mobile = req.body.mobile; 83 let mobile = req.body.mobile;
@@ -97,7 +100,7 @@ const addAddressData = (req, res, next) => { @@ -97,7 +100,7 @@ const addAddressData = (req, res, next) => {
97 const updateAddressData = (req, res, next) => { 100 const updateAddressData = (req, res, next) => {
98 let id = crypto.decrypt(config.crypto.common, req.body.id); 101 let id = crypto.decrypt(config.crypto.common, req.body.id);
99 let uid = req.user.uid; 102 let uid = req.user.uid;
100 - let address = req.body.address; 103 + let address = cleanHtml.htmlEncode(req.body.address);
101 let areaCode = req.body.area_code; 104 let areaCode = req.body.area_code;
102 let consignee = req.body.consignee; 105 let consignee = req.body.consignee;
103 let mobile = req.body.mobile; 106 let mobile = req.body.mobile;
@@ -162,4 +165,4 @@ module.exports = { @@ -162,4 +165,4 @@ module.exports = {
162 delAddressData, 165 delAddressData,
163 setDefaultAddress, 166 setDefaultAddress,
164 getAddressData 167 getAddressData
165 -}; 168 +};
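Review bot: The new `htmlDecode` calls at new lines 38 and 66 hand the raw, user-supplied address back to `res.display` and the JSON response, so the XSS protection this commit adds rests entirely on the view escaping those values; if a template renders `address` through a raw/unescaped helper, the input-side `htmlEncode` in addAddressData and updateAddressData is undone before output. Encoding at input is also applied only to `address`: `consignee` (new lines 82 and 105) goes to the model unencoded and reaches the same views, so either it has the same exposure or the address encoding is unnecessary — a one-line comment above the encode naming the view that needs it would settle that. The order-detail controller's hunk at new lines 52–60 decodes the same way and has the same dependency on output escaping.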
@@ -8,6 +8,7 @@ @@ -8,6 +8,7 @@
8 8
9 const mcHandler = require('../models/menu-crumb-handler'); 9 const mcHandler = require('../models/menu-crumb-handler');
10 const orderModel = require('../models/order'); 10 const orderModel = require('../models/order');
  11 +const cleanHtml = require(`${global.utils}/cleanHtml`);
11 const _ = require('lodash'); 12 const _ = require('lodash');
12 const crypto = global.yoho.crypto; 13 const crypto = global.yoho.crypto;
13 const config = global.yoho.config; 14 const config = global.yoho.config;
@@ -48,6 +49,16 @@ const detail = (req, res, next) => { @@ -48,6 +49,16 @@ const detail = (req, res, next) => {
48 pageData.orderDetail.orderCodeM = crypto.encryption(config.crypto.common, pageData.orderDetail.orderCode); 49 pageData.orderDetail.orderCodeM = crypto.encryption(config.crypto.common, pageData.orderDetail.orderCode);
49 } 50 }
50 51
  52 + // 转译
  53 + if (pageData.orderDetail) {
  54 + pageData.orderDetail.address = cleanHtml.htmlDecode(pageData.orderDetail.address);
  55 + pageData.orderDetail.allAddress = cleanHtml.htmlDecode(pageData.orderDetail.allAddress);
  56 + pageData.orderDetail.remark = cleanHtml.htmlDecode(pageData.orderDetail.remark);
  57 + if (pageData.orderDetail.invoice) {
  58 + pageData.orderDetail.invoice.title = cleanHtml.htmlDecode(pageData.orderDetail.invoice.title);
  59 + }
  60 + }
  61 +
51 res.display('index', { 62 res.display('index', {
52 isMe: true, 63 isMe: true,
53 page: 'order-detail', 64 page: 'order-detail',
@@ -166,4 +177,4 @@ module.exports = { @@ -166,4 +177,4 @@ module.exports = {
166 getCancelOrderReason, 177 getCancelOrderReason,
167 reAdd, 178 reAdd,
168 confirmReceive 179 confirmReceive
169 -}; 180 +};
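Review bot: The block at new lines 52–60 decodes `address`, `allAddress`, `remark` and `invoice.title` without checking that each field exists; whether `cleanHtml.htmlDecode` tolerates `undefined` is not visible here, so an order without a `remark` would either throw or come back as a string such as `"undefined"`, and guarding per field (or making the helper return non-string input unchanged) is worth confirming. The comment `// 转译` only says "decode"; something like `// these fields are presumably stored HTML-encoded (see the address controller); decode before rendering` would tell the next reader why the decode is here and which writer it pairs with.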
@@ -8,6 +8,7 @@ @@ -8,6 +8,7 @@
8 8
9 const mcHandler = require('../models/menu-crumb-handler'); 9 const mcHandler = require('../models/menu-crumb-handler');
10 const helpers = global.yoho.helpers; 10 const helpers = global.yoho.helpers;
  11 +const config = global.yoho.config;
11 const settingModel = require('../models/setting'); 12 const settingModel = require('../models/setting');
12 const accountModel = require('../models/account'); 13 const accountModel = require('../models/account');
13 const passportHelper = require('../../passport/models/passport-helper'); 14 const passportHelper = require('../../passport/models/passport-helper');
@@ -18,13 +19,15 @@ var path = require('path'); @@ -18,13 +19,15 @@ var path = require('path');
18 const uuid = require('uuid'); 19 const uuid = require('uuid');
19 const os = require('os'); 20 const os = require('os');
20 const _ = require('lodash'); 21 const _ = require('lodash');
21 -const regMobile = /(\d{3})\d{4}(\d{4})/;// 正则匹配替换手机号码中间4位  
22 -const regEmail = /(\d{3})\d{4}/;// 正则匹配替换邮箱中间4位 22 +const regMobile = /(\d{3})\d{4}(\d{4})/; // 正则匹配替换手机号码中间4位
  23 +const regEmail = /(\d{3})\d{4}/; // 正则匹配替换邮箱中间4位
23 24
24 -const captchaUrl = helpers.urlFormat('/passport/images', {t: Date.now()}); 25 +const captchaUrl = helpers.urlFormat('/passport/images', {
  26 + t: Date.now()
  27 +});
25 28
26 // 根据type获取标题 29 // 根据type获取标题
27 -const _getTitle = (type)=> { 30 +const _getTitle = (type) => {
28 let typeName; 31 let typeName;
29 let proName; 32 let proName;
30 let isModifyMobile = false; 33 let isModifyMobile = false;
@@ -74,6 +77,18 @@ const _getTitle = (type)=> { @@ -74,6 +77,18 @@ const _getTitle = (type)=> {
74 }; 77 };
75 }; 78 };
76 79
  80 +const cookieHelper = {
  81 + setVal(res, k, v, ops) {
  82 + res.cookie(k, v, Object.assign({
  83 + domain: config.cookieDomain,
  84 + httpOnly: true
  85 + }, ops));
  86 + },
  87 + getVal(req, k) {
  88 + return req.cookies[k];
  89 + }
  90 +}
  91 +
77 /** 92 /**
78 * 个人设置页面加载 93 * 个人设置页面加载
79 */ 94 */
@@ -132,11 +147,11 @@ const index = (req, res, next) => { @@ -132,11 +147,11 @@ const index = (req, res, next) => {
132 * @param res 147 * @param res
133 * @param next 148 * @param next
134 */ 149 */
135 -const editUserInfo = (req, res, next)=> { 150 +const editUserInfo = (req, res, next) => {
136 let uid = req.user.uid; 151 let uid = req.user.uid;
137 let query = req.body; 152 let query = req.body;
138 153
139 - settingModel.editUserInfo(uid, query).then(result=> { 154 + settingModel.editUserInfo(uid, query).then(result => {
140 res.send(result); 155 res.send(result);
141 }).catch(next); 156 }).catch(next);
142 }; 157 };
@@ -149,13 +164,13 @@ const bindMobile = (req, res, next) => { @@ -149,13 +164,13 @@ const bindMobile = (req, res, next) => {
149 let uid = req.user.uid; 164 let uid = req.user.uid;
150 let type = req.params.type; 165 let type = req.params.type;
151 166
152 - settingModel.getUserInfo(uid).then(result=> { 167 + settingModel.getUserInfo(uid).then(result => {
153 if (result.info.verify_mobile !== '') { 168 if (result.info.verify_mobile !== '') {
154 mcHandler.getMeThumb().then((thumb) => { 169 mcHandler.getMeThumb().then((thumb) => {
155 let info = result.info; 170 let info = result.info;
156 171
157 info.ellipsisMobile = info.verify_mobile.replace(regMobile, '$1****$2'); 172 info.ellipsisMobile = info.verify_mobile.replace(regMobile, '$1****$2');
158 - info.checkCode = settingModel.cipheriv(info.uid + '.completeverify'); 173 + info.checkCode = req.csrfToken();
159 174
160 res.display('index', { 175 res.display('index', {
161 module: 'me', 176 module: 'me',
@@ -188,12 +203,12 @@ const bindEmail = (req, res, next) => { @@ -188,12 +203,12 @@ const bindEmail = (req, res, next) => {
188 let uid = req.user.uid; 203 let uid = req.user.uid;
189 let type = req.params.type; 204 let type = req.params.type;
190 205
191 - settingModel.getUserInfo(uid).then(result=> { 206 + settingModel.getUserInfo(uid).then(result => {
192 if (result.info.verify_email !== '') { 207 if (result.info.verify_email !== '') {
193 let info = result.info; 208 let info = result.info;
194 209
195 info.ellipsisEmail = info.verify_email.replace(regEmail, '$1****'); 210 info.ellipsisEmail = info.verify_email.replace(regEmail, '$1****');
196 - info.checkCode = settingModel.cipheriv(info.uid + '.completeverify'); 211 + info.checkCode = req.csrfToken();
197 212
198 mcHandler.getMeThumb().then((thumb) => { 213 mcHandler.getMeThumb().then((thumb) => {
199 res.display('index', { 214 res.display('index', {
@@ -221,9 +236,8 @@ const bindEmail = (req, res, next) => { @@ -221,9 +236,8 @@ const bindEmail = (req, res, next) => {
221 /** 236 /**
222 *step1 登录密码进行身份验证 237 *step1 登录密码进行身份验证
223 */ 238 */
224 -const modifyPassword = (req, res) => { 239 +const modifyType = (req, res) => {
225 let type = req.params.type; 240 let type = req.params.type;
226 - let checkCode = settingModel.cipheriv(req.user.uid + '.completeverify');  
227 241
228 mcHandler.getMeThumb().then((thumb) => { 242 mcHandler.getMeThumb().then((thumb) => {
229 res.display('index', { 243 res.display('index', {
@@ -239,7 +253,7 @@ const modifyPassword = (req, res) => { @@ -239,7 +253,7 @@ const modifyPassword = (req, res) => {
239 proTitle: _getTitle(type).proName, 253 proTitle: _getTitle(type).proName,
240 captchaUrl: captchaUrl, 254 captchaUrl: captchaUrl,
241 isShowPassword: true, 255 isShowPassword: true,
242 - checkCode: checkCode 256 + checkCode: req.csrfToken()
243 } 257 }
244 }); 258 });
245 }); 259 });
@@ -248,103 +262,107 @@ const modifyPassword = (req, res) => { @@ -248,103 +262,107 @@ const modifyPassword = (req, res) => {
248 /* 262 /*
249 * step2 操作界面-渲染页面 263 * step2 操作界面-渲染页面
250 * */ 264 * */
251 -const edit = (req, res)=> { 265 +const edit = (req, res) => {
252 let type = req.params.type; 266 let type = req.params.type;
253 - let code = settingModel.decipheriv(req.query.checkCode.split(' ').join('+'));  
254 - let codes = code.split('.');  
255 -  
256 - if (parseInt(codes[0], 10) === req.user.uid && codes[1] === 'completeverify') {  
257 - let result = {  
258 - title: _getTitle(type).typeName,  
259 - proTitle: _getTitle(type).proName,  
260 - isShowMobile: _getTitle(type).isModifyMobile || _getTitle(type).isBindMobile,  
261 - isShowEmail: _getTitle(type).isModifyEmail || _getTitle(type).isBindEmail,  
262 - isShowPassword: _getTitle(type).isShowPassword  
263 - };  
264 - let checkCode = settingModel.cipheriv(req.user.uid + '.completeoperate');  
265 -  
266 - mcHandler.getMeThumb().then((thumb) => {  
267 - res.display('index', {  
268 - module: 'me',  
269 - page: 'setting',  
270 - isMe: true,  
271 - content: Object.assign({  
272 - region: passportHelper.getCountry(),  
273 - location: '+86',  
274 - nav: mcHandler.getMeCrumb('个人设置'),  
275 - navigation: mcHandler.getSideMenu('个人设置'),  
276 - banner: thumb,  
277 - operateStep: true,  
278 - stepUrl: '/me/setting/step3/' + type,  
279 - captchaUrl: captchaUrl,  
280 - checkCode: checkCode  
281 - }, result)  
282 - });  
283 - });  
284 267
  268 + if (Number(cookieHelper.getVal(req, type + "_STEP")) !== 1) {
  269 + res.redirect(helpers.urlFormat('/me/setting/step1/' + type));
  270 + return;
285 } 271 }
  272 +
  273 + let result = {
  274 + title: _getTitle(type).typeName,
  275 + proTitle: _getTitle(type).proName,
  276 + isShowMobile: _getTitle(type).isModifyMobile || _getTitle(type).isBindMobile,
  277 + isShowEmail: _getTitle(type).isModifyEmail || _getTitle(type).isBindEmail,
  278 + isShowPassword: _getTitle(type).isShowPassword
  279 + };
  280 +
  281 + mcHandler.getMeThumb().then((thumb) => {
  282 + res.display('index', {
  283 + module: 'me',
  284 + page: 'setting',
  285 + isMe: true,
  286 + content: Object.assign({
  287 + region: passportHelper.getCountry(),
  288 + location: '+86',
  289 + nav: mcHandler.getMeCrumb('个人设置'),
  290 + navigation: mcHandler.getSideMenu('个人设置'),
  291 + banner: thumb,
  292 + operateStep: true,
  293 + stepUrl: '/me/setting/step3/' + type,
  294 + captchaUrl: captchaUrl,
  295 + checkCode: req.csrfToken()
  296 + }, result)
  297 + });
  298 + });
286 }; 299 };
287 300
288 /* 301 /*
289 * step3 操作成功-渲染界面 302 * step3 操作成功-渲染界面
290 * */ 303 * */
291 -const success = (req, res)=> { 304 +const success = (req, res) => {
292 let type = req.params.type; 305 let type = req.params.type;
293 - let code = settingModel.decipheriv(req.query.checkCode.split(' ').join('+'));  
294 - let codes = code.split('.');  
295 -  
296 - if (parseInt(codes[0], 10) === req.user.uid && codes[1] === 'completeoperate') {  
297 - let result = {  
298 - title: _getTitle(type).typeName,  
299 - proTitle: _getTitle(type).proName,  
300 - isModifyMobile: _getTitle(type).isModifyMobile,  
301 - isBindMobile: _getTitle(type).isBindMobile,  
302 - isModifyEmail: _getTitle(type).isModifyEmail,  
303 - isBindEmail: _getTitle(type).isBindEmail,  
304 - isShowPassword: _getTitle(type).isShowPassword  
305 - };  
306 -  
307 - mcHandler.getMeThumb().then((thumb) => {  
308 - res.display('index', {  
309 - module: 'me',  
310 - page: 'setting',  
311 - isMe: true,  
312 - content: Object.assign({  
313 - region: passportHelper.getCountry(),  
314 - location: '+86',  
315 - nav: mcHandler.getMeCrumb('个人设置'),  
316 - navigation: mcHandler.getSideMenu('个人设置'),  
317 - banner: thumb,  
318 - successStep: true,  
319 - captchaUrl: captchaUrl  
320 - }, result)  
321 - });  
322 - }); 306 +
  307 + let step = Number(cookieHelper.getVal(req, type + "_STEP")) || 0;
  308 + if (step !== 2) {
  309 + res.redirect(helpers.urlFormat('/me/setting/step' + (step + 1) + '/' + type));
  310 + return;
323 } 311 }
324 312
  313 + cookieHelper.setVal(res, type + "_STEP", 0, {
  314 + maxAge: -1
  315 + });
  316 +
  317 + let result = {
  318 + title: _getTitle(type).typeName,
  319 + proTitle: _getTitle(type).proName,
  320 + isModifyMobile: _getTitle(type).isModifyMobile,
  321 + isBindMobile: _getTitle(type).isBindMobile,
  322 + isModifyEmail: _getTitle(type).isModifyEmail,
  323 + isBindEmail: _getTitle(type).isBindEmail,
  324 + isShowPassword: _getTitle(type).isShowPassword
  325 + };
  326 +
  327 + mcHandler.getMeThumb().then((thumb) => {
  328 + res.display('index', {
  329 + module: 'me',
  330 + page: 'setting',
  331 + isMe: true,
  332 + content: Object.assign({
  333 + region: passportHelper.getCountry(),
  334 + location: '+86',
  335 + nav: mcHandler.getMeCrumb('个人设置'),
  336 + navigation: mcHandler.getSideMenu('个人设置'),
  337 + banner: thumb,
  338 + successStep: true,
  339 + captchaUrl: captchaUrl
  340 + }, result)
  341 + });
  342 + });
  343 +
325 }; 344 };
326 345
327 /* 346 /*
328 * post1 第一步身份验证的post请求 347 * post1 第一步身份验证的post请求
329 * */ 348 * */
330 -const validate1 = (req, res)=> {  
331 - co(function *() { 349 +const validate1 = (req, res) => {
  350 + co(function*() {
332 let type = req.params.type; 351 let type = req.params.type;
333 let uid = req.user.uid; 352 let uid = req.user.uid;
334 let body = req.body; 353 let body = req.body;
  354 + let a;
335 355
336 if (type === 'password') { 356 if (type === 'password') {
337 - let a = yield accountModel.verifyPwd(uid, body.password);  
338 -  
339 - res.send(a); 357 + a = yield accountModel.verifyPwd(uid, body.password);
340 } else if (type === 'mobile') { 358 } else if (type === 'mobile') {
341 - let a = yield accountModel.checkVerifyMsg(body.code, body.mobile, body.area);  
342 -  
343 -  
344 - res.send(a); 359 + a = yield accountModel.checkVerifyMsg(body.code, body.mobile, body.area);
345 } else if (type === 'email') { 360 } else if (type === 'email') {
346 - let a = yield accountModel.sendVerifyEmail(uid, body.email); 361 + a = yield accountModel.sendVerifyEmail(uid, body.email);
  362 + }
347 363
  364 + if (a) {
  365 + cookieHelper.setVal(res, req.body.type + "_STEP", 1);
348 res.send(a); 366 res.send(a);
349 } 367 }
350 })(); 368 })();
@@ -353,8 +371,8 @@ const validate1 = (req, res)=> { @@ -353,8 +371,8 @@ const validate1 = (req, res)=> {
353 /* 371 /*
354 * post2 第二步具体操作的post请求 372 * post2 第二步具体操作的post请求
355 * */ 373 * */
356 -const validate2 = (req, res)=> {  
357 - co(function *() { 374 +const validate2 = (req, res) => {
  375 + co(function*() {
358 let type = req.params.type; 376 let type = req.params.type;
359 let uid = req.user.uid; 377 let uid = req.user.uid;
360 let body = req.body; 378 let body = req.body;
@@ -362,18 +380,24 @@ const validate2 = (req, res)=> { @@ -362,18 +380,24 @@ const validate2 = (req, res)=> {
362 if (type === 'password') { 380 if (type === 'password') {
363 let a = yield accountModel.changePwd(uid, body.password); 381 let a = yield accountModel.changePwd(uid, body.password);
364 382
365 - res.send(a); 383 + if (a.code === 200) {
  384 + cookieHelper.setVal(res, body.type + "_STEP", 2);
  385 + res.send(a);
  386 + }
  387 +
366 } else if (type === 'mobile') { 388 } else if (type === 'mobile') {
367 let a = yield accountModel.checkVerifyMsg(body.code, body.mobile, body.area); 389 let a = yield accountModel.checkVerifyMsg(body.code, body.mobile, body.area);
368 let b = yield accountModel.modifyVerifyMobile(uid, body.area, body.mobile); 390 let b = yield accountModel.modifyVerifyMobile(uid, body.area, body.mobile);
369 - let msg = [];  
370 391
371 if (a.code === 200 && b.code === 200) { 392 if (a.code === 200 && b.code === 200) {
  393 + cookieHelper.setVal(res, body.type + "_STEP", 2);
372 res.send({ 394 res.send({
373 code: 200, 395 code: 200,
374 data: {} 396 data: {}
375 }); 397 });
376 } else { 398 } else {
  399 + let msg = [];
  400 +
377 if (a.code !== 200) { 401 if (a.code !== 200) {
378 msg.push('<p>图片验证:' + a.message + '</p>'); 402 msg.push('<p>图片验证:' + a.message + '</p>');
379 } 403 }
@@ -413,12 +437,12 @@ function getfilePath(req, res, next) { @@ -413,12 +437,12 @@ function getfilePath(req, res, next) {
413 * @param req 437 * @param req
414 * @param res 438 * @param res
415 */ 439 */
416 -const modifyHead = (req, res)=> { 440 +const modifyHead = (req, res) => {
417 let uid = req.user.uid; 441 let uid = req.user.uid;
418 let bucket = 'yhb-head'; 442 let bucket = 'yhb-head';
419 let filePath = req.filePath; 443 let filePath = req.filePath;
420 444
421 - settingModel.modifyHead(uid, bucket, filePath).then(result=> { 445 + settingModel.modifyHead(uid, bucket, filePath).then(result => {
422 res.send(result); 446 res.send(result);
423 }); 447 });
424 }; 448 };
@@ -428,11 +452,11 @@ module.exports = { @@ -428,11 +452,11 @@ module.exports = {
428 editUserInfo, 452 editUserInfo,
429 bindMobile, 453 bindMobile,
430 bindEmail, 454 bindEmail,
431 - modifyPassword, 455 + modifyType,
432 edit, 456 edit,
433 success, 457 success,
434 validate1, 458 validate1,
435 validate2, 459 validate2,
436 getfilePath, 460 getfilePath,
437 modifyHead 461 modifyHead
438 -}; 462 +};
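Review bot: validate1 marks step 1 as passed on any truthy API result: `if (a)` at new line 364 is also true for an error payload such as `{code: 400}` (validate2 checks `a.code === 200`), and the cookie key is built from `req.body.type` while `edit` and `success` look it up under `req.params.type`, so a request whose body `type` differs from the route parameter marks a different flow as verified; suggested: `if (a && a.code === 200) { cookieHelper.setVal(res, type + '_STEP', 1); }` followed by an unconditional `res.send(a);` so failures and unknown types still get a response (validate1's closing line is outside the hunk). validate2's password branch has the same missing-response path, since `res.send(a)` now runs only when `a.code === 200`, and it does not consult the step cookie before `changePwd`. More broadly, the `_STEP` gate in `edit` and `success` trusts a plain cookie read from `req.cookies` with no uid binding, unlike the `cipheriv(uid + '.completeverify')` token it replaces; if cookie-parser is configured with a secret, passing `signed: true` in `cookieHelper.setVal` and reading `req.signedCookies[k]` in `getVal` would keep the server authoritative over step state.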
@@ -33,52 +33,39 @@ const paymentTypeStr = { @@ -33,52 +33,39 @@ const paymentTypeStr = {
33 33
34 // 订单操作按钮 34 // 订单操作按钮
35 const btnMap = { 35 const btnMap = {
36 - all: [  
37 - {  
38 - isPayBtn: true,  
39 - name: '立即付款',  
40 - classStr: 'btn red pay-btn mr'  
41 - },  
42 - {  
43 - name: '取消订单',  
44 - classStr: 'btn white cancel-btn mr'  
45 - },  
46 - {  
47 - isEditBtn: true,  
48 - name: '修改订单',  
49 - classStr: 'btn white edit-btn'  
50 - }  
51 - ],  
52 - cancel: [  
53 - {  
54 - name: '取消订单',  
55 - classStr: 'btn white cancel-btn'  
56 - }  
57 - ],  
58 - edit: [  
59 - {  
60 - isEditBtn: true,  
61 - name: '修改订单',  
62 - classStr: 'btn white edit-btn'  
63 - }  
64 - ],  
65 - complete: [  
66 - {  
67 - name: '确认收货',  
68 - classStr: 'btn complete-btn'  
69 - }  
70 - ],  
71 - special: [  
72 - {  
73 - isEditBtn: true,  
74 - name: '修改订单',  
75 - classStr: 'btn white edit-btn mr'  
76 - },  
77 - {  
78 - name: '取消订单',  
79 - classStr: 'btn white cancel-btn'  
80 - }  
81 - ] 36 + all: [{
  37 + isPayBtn: true,
  38 + name: '立即付款',
  39 + classStr: 'btn red pay-btn mr'
  40 + }, {
  41 + name: '取消订单',
  42 + classStr: 'btn white cancel-btn mr'
  43 + }, {
  44 + isEditBtn: true,
  45 + name: '修改订单',
  46 + classStr: 'btn white edit-btn'
  47 + }],
  48 + cancel: [{
  49 + name: '取消订单',
  50 + classStr: 'btn white cancel-btn'
  51 + }],
  52 + edit: [{
  53 + isEditBtn: true,
  54 + name: '修改订单',
  55 + classStr: 'btn white edit-btn'
  56 + }],
  57 + complete: [{
  58 + name: '确认收货',
  59 + classStr: 'btn complete-btn'
  60 + }],
  61 + special: [{
  62 + isEditBtn: true,
  63 + name: '修改订单',
  64 + classStr: 'btn white edit-btn mr'
  65 + }, {
  66 + name: '取消订单',
  67 + classStr: 'btn white cancel-btn'
  68 + }]
82 }; 69 };
83 70
84 const invoiceText = { 71 const invoiceText = {
@@ -196,20 +183,15 @@ const _convertAddress = (addressList, createTime) => { @@ -196,20 +183,15 @@ const _convertAddress = (addressList, createTime) => {
196 * @return { [Object] } 183 * @return { [Object] }
197 */ 184 */
198 const _getStepByOrderStatus = st => { 185 const _getStepByOrderStatus = st => {
199 - let steps = [  
200 - {  
201 - stepStr: '1.提交订单'  
202 - },  
203 - {  
204 - stepStr: '2.商品出库'  
205 - },  
206 - {  
207 - stepStr: '3.等待收货'  
208 - },  
209 - {  
210 - stepStr: '4.交易完成'  
211 - }  
212 - ]; 186 + let steps = [{
  187 + stepStr: '1.提交订单'
  188 + }, {
  189 + stepStr: '2.商品出库'
  190 + }, {
  191 + stepStr: '3.等待收货'
  192 + }, {
  193 + stepStr: '4.交易完成'
  194 + }];
213 let curStep = statusMap[st].step; 195 let curStep = statusMap[st].step;
214 196
215 for (let i = 0; i < curStep; i++) { 197 for (let i = 0; i < curStep; i++) {
@@ -415,24 +397,19 @@ const getExpressInfo = (uid, code) => { @@ -415,24 +397,19 @@ const getExpressInfo = (uid, code) => {
415 */ 397 */
416 const getOrderData = (uid, type, page) => { 398 const getOrderData = (uid, type, page) => {
417 const navBar = { 399 const navBar = {
418 - tabs: [  
419 - {  
420 - text: '全部订单',  
421 - typeStr: 'all'  
422 - },  
423 - {  
424 - text: '待付款',  
425 - typeStr: 'paying'  
426 - },  
427 - {  
428 - text: '待发货',  
429 - typeStr: 'willdeliver'  
430 - },  
431 - {  
432 - text: '待收货',  
433 - typeStr: 'delivering'  
434 - }  
435 - ] 400 + tabs: [{
  401 + text: '全部订单',
  402 + typeStr: 'all'
  403 + }, {
  404 + text: '待付款',
  405 + typeStr: 'paying'
  406 + }, {
  407 + text: '待发货',
  408 + typeStr: 'willdeliver'
  409 + }, {
  410 + text: '待收货',
  411 + typeStr: 'delivering'
  412 + }]
436 }; 413 };
437 414
438 const emptyObject = { 415 const emptyObject = {
@@ -493,7 +470,9 @@ const getOrderData = (uid, type, page) => { @@ -493,7 +470,9 @@ const getOrderData = (uid, type, page) => {
493 } : false; 470 } : false;
494 471
495 return { 472 return {
496 - order: Object.assign(order, paginationOpts, {orderData: empty}) 473 + order: Object.assign(order, paginationOpts, {
  474 + orderData: empty
  475 + })
497 }; 476 };
498 }); 477 });
499 }; 478 };
@@ -538,7 +517,6 @@ const getOrderDetail = (uid, code) => { @@ -538,7 +517,6 @@ const getOrderDetail = (uid, code) => {
538 if (detail.isCancel !== 'Y') { 517 if (detail.isCancel !== 'Y') {
539 detail.steps = _getStepByOrderStatus(st); 518 detail.steps = _getStepByOrderStatus(st);
540 519
541 - console.log(st);  
542 statusMap[st].btns.forEach(function(btn) { 520 statusMap[st].btns.forEach(function(btn) {
543 btns.push(btn); 521 btns.push(btn);
544 }); 522 });
@@ -561,7 +539,7 @@ const getOrderDetail = (uid, code) => { @@ -561,7 +539,7 @@ const getOrderDetail = (uid, code) => {
561 539
562 if (parseInt(detail.paymentType, 10) === 2 && 540 if (parseInt(detail.paymentType, 10) === 2 &&
563 (statusMap[st].valueStr === '备货中' || 541 (statusMap[st].valueStr === '备货中' ||
564 - detail.statusStr === '备货中')) { 542 + detail.statusStr === '备货中')) {
565 detail.btns = btnMap.special; 543 detail.btns = btnMap.special;
566 } else { 544 } else {
567 detail.statusStr = statusMap[st].valueStr; 545 detail.statusStr = statusMap[st].valueStr;
@@ -648,4 +626,4 @@ module.exports = { @@ -648,4 +626,4 @@ module.exports = {
648 getExpressInfo, 626 getExpressInfo,
649 reAddCart, 627 reAddCart,
650 confirmReceive 628 confirmReceive
651 -}; 629 +};
@@ -62,20 +62,20 @@ router.get('/address/areas/:areaId', address.getAddressData); @@ -62,20 +62,20 @@ router.get('/address/areas/:areaId', address.getAddressData);
62 router.get('/currency', auth, currency.index); 62 router.get('/currency', auth, currency.index);
63 63
64 // 个人中心首页/个人设置 64 // 个人中心首页/个人设置
65 -router.get('/setting', csrf, auth, setting.index);// 个人首页  
66 -router.post('/setting/editUserInfo', csrf, auth, setting.editUserInfo);// 修改接口 65 +router.get('/setting', csrf, auth, setting.index); // 个人首页
  66 +router.post('/setting/editUserInfo', csrf, auth, setting.editUserInfo); // 修改接口
67 67
68 // 第一步 68 // 第一步
69 -router.get('/setting/step1/:type', auth, setting.bindMobile, setting.bindEmail, setting.modifyPassword); 69 +router.get('/setting/step1/:type', csrf, auth, setting.bindMobile, setting.bindEmail, setting.modifyType);
70 70
71 // 第一步post 71 // 第一步post
72 -router.post('/setting/step1/:type', auth, setting.validate1); 72 +router.post('/setting/step1/:type', csrf, auth, setting.validate1);
73 73
74 // 第二步 74 // 第二步
75 -router.get('/setting/step2/:type', auth, setting.edit); 75 +router.get('/setting/step2/:type', csrf, auth, setting.edit);
76 76
77 // 第二步post 77 // 第二步post
78 -router.post('/setting/step2/:type', auth, setting.validate2); 78 +router.post('/setting/step2/:type', csrf, auth, setting.validate2);
79 79
80 // 第三步 80 // 第三步
81 router.get('/setting/step3/:type', auth, setting.success); 81 router.get('/setting/step3/:type', auth, setting.success);
@@ -97,4 +97,4 @@ router.post('/collection/cancel', auth, favorite.cancel); @@ -97,4 +97,4 @@ router.post('/collection/cancel', auth, favorite.cancel);
97 router.post('/collection/cancel/multi', auth, favorite.cancelMulti); 97 router.post('/collection/cancel/multi', auth, favorite.cancelMulti);
98 router.post('/collection/editorial/cancel', auth, favorite.editorialCancel); 98 router.post('/collection/editorial/cancel', auth, favorite.editorialCancel);
99 99
100 -module.exports = router; 100 +module.exports = router;
@@ -75,7 +75,8 @@ const common = { @@ -75,7 +75,8 @@ const common = {
75 refer = req.get('Referer'); 75 refer = req.get('Referer');
76 } 76 }
77 refer && res.cookie('refer', encodeURI(refer), { 77 refer && res.cookie('refer', encodeURI(refer), {
78 - domain: config.cookieDomain 78 + domain: config.cookieDomain,
  79 + httpOnly: true
79 }); 80 });
80 next(); 81 next();
81 }, 82 },
@@ -85,7 +86,11 @@ const common = { @@ -85,7 +86,11 @@ const common = {
85 */ 86 */
86 needCaptcha: (req, res, next) => { 87 needCaptcha: (req, res, next) => {
87 let account = req.query.account; 88 let account = req.query.account;
88 - let result = {code: 400, message: '', data: ''}; 89 + let result = {
  90 + code: 400,
  91 + message: '',
  92 + data: ''
  93 + };
89 const MAX_ALLOW_ERROR_LOGIN = 3; 94 const MAX_ALLOW_ERROR_LOGIN = 3;
90 95
91 if (account) { 96 if (account) {
@@ -94,7 +99,9 @@ const common = { @@ -94,7 +99,9 @@ const common = {
94 cache.get(errorLoginKey).then(errloginTimes => { 99 cache.get(errorLoginKey).then(errloginTimes => {
95 errloginTimes = parseInt(errloginTimes, 0) || 0; 100 errloginTimes = parseInt(errloginTimes, 0) || 0;
96 if (!isNaN(errloginTimes) && errloginTimes >= MAX_ALLOW_ERROR_LOGIN) { 101 if (!isNaN(errloginTimes) && errloginTimes >= MAX_ALLOW_ERROR_LOGIN) {
97 - result.data = {needCaptcha: true}; 102 + result.data = {
  103 + needCaptcha: true
  104 + };
98 } 105 }
99 res.json(result); 106 res.json(result);
100 }).catch(next); 107 }).catch(next);
@@ -111,7 +118,8 @@ const local = { @@ -111,7 +118,8 @@ const local = {
111 loginPage: (req, res) => { 118 loginPage: (req, res) => {
112 // 设置登录有效时间30分钟, 防机器刷,cache不稳定,改为cookie 119 // 设置登录有效时间30分钟, 防机器刷,cache不稳定,改为cookie
113 res.cookie('LE' + md5('_LOGIN_EXPIRE'), (new Date()).getTime() / 1000 + 1800, { 120 res.cookie('LE' + md5('_LOGIN_EXPIRE'), (new Date()).getTime() / 1000 + 1800, {
114 - domain: config.cookieDomain 121 + domain: config.cookieDomain,
  122 + httpOnly: true
115 }); 123 });
116 124
117 let loginMobile = _.trim(req.query.bindMobile || ''); 125 let loginMobile = _.trim(req.query.bindMobile || '');
@@ -132,8 +140,12 @@ const local = { @@ -132,8 +140,12 @@ const local = {
132 defaultHeader: false, 140 defaultHeader: false,
133 passport: { 141 passport: {
134 countryCode: loginCountryCode, 142 countryCode: loginCountryCode,
135 - countryName: {text: defaultCountryName},  
136 - country: {list: countries}, 143 + countryName: {
  144 + text: defaultCountryName
  145 + },
  146 + country: {
  147 + list: countries
  148 + },
137 forgetPwd: helpers.urlFormat('/passport/back/index'), 149 forgetPwd: helpers.urlFormat('/passport/back/index'),
138 fastReg: helpers.urlFormat('/passport/reg'), 150 fastReg: helpers.urlFormat('/passport/reg'),
139 weixinLogin: helpers.urlFormat('/passport/autosign/wechat'), 151 weixinLogin: helpers.urlFormat('/passport/autosign/wechat'),
@@ -159,7 +171,7 @@ const local = { @@ -159,7 +171,7 @@ const local = {
159 }); 171 });
160 } else { 172 } else {
161 // 同步用户数据 173 // 同步用户数据
162 - co(function * () { 174 + co(function*() {
163 let isRemember = req.body.isRemember === 'true'; 175 let isRemember = req.body.isRemember === 'true';
164 let refer = req.cookies.refer; 176 let refer = req.cookies.refer;
165 177
@@ -172,6 +184,9 @@ const local = { @@ -172,6 +184,9 @@ const local = {
172 } 184 }
173 185
174 refer = !BlockRedirectFilter.test(decodeURI(refer)) ? decodeURI(refer) : config.siteUrl; 186 refer = !BlockRedirectFilter.test(decodeURI(refer)) ? decodeURI(refer) : config.siteUrl;
  187 + if (!/www\.yohoblk\.com/.test(refer)) {
  188 + refer = config.siteUrl;
  189 + }
175 190
176 yield LoginService.syncUserSession(user.uid, req, res).then(() => { 191 yield LoginService.syncUserSession(user.uid, req, res).then(() => {
177 res.json({ 192 res.json({
@@ -326,4 +341,4 @@ module.exports = { @@ -326,4 +341,4 @@ module.exports = {
326 qq, 341 qq,
327 sina, 342 sina,
328 alipay 343 alipay
329 -}; 344 +};
@@ -56,20 +56,31 @@ let index = (req, res) => { @@ -56,20 +56,31 @@ let index = (req, res) => {
56 let refer = req.query.refer; 56 let refer = req.query.refer;
57 57
58 refer && res.cookie('refer', encodeURI(refer), { 58 refer && res.cookie('refer', encodeURI(refer), {
59 - domain: config.cookieDomain 59 + domain: config.cookieDomain,
  60 + httpOnly: true
60 }); 61 });
61 62
62 res.display('reg/index', { 63 res.display('reg/index', {
63 title: '新用户注册', 64 title: '新用户注册',
64 defaultHeader: false, 65 defaultHeader: false,
65 passport: { 66 passport: {
66 - country: {list: passportHelper.getCountry()}, 67 + country: {
  68 + list: passportHelper.getCountry()
  69 + },
67 location: '+86', 70 location: '+86',
68 - countryName: {text: '中国'},  
69 - captchaUrl: helpers.urlFormat('/passport/images', {t: Date.now()}),  
70 - itemUrl: helpers.urlFormat('/help', {id: 5}), 71 + countryName: {
  72 + text: '中国'
  73 + },
  74 + captchaUrl: helpers.urlFormat('/passport/images', {
  75 + t: Date.now()
  76 + }),
  77 + itemUrl: helpers.urlFormat('/help', {
  78 + id: 5
  79 + }),
71 referUrl: refer, 80 referUrl: refer,
72 - loginUrl: helpers.urlFormat('/passport/login', {refer: refer}), 81 + loginUrl: helpers.urlFormat('/passport/login', {
  82 + refer: refer
  83 + }),
73 regBtnText: '立即注册' 84 regBtnText: '立即注册'
74 } 85 }
75 }); 86 });
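Review bot: The `refer` cookie at new lines 58–61 is still written straight from `req.query.refer`, so a user-supplied URL persists for the session and is only filtered later in the login flow; validating the host here, before `res.cookie`, would put the check at the point where the value enters. `encodeURI` leaves `/`, `?` and `#` intact, so it does not act as validation. The same value is passed to the view as `referUrl` and into the `loginUrl` query, so confirm the `reg/index` template escapes it. The enclosing `index` handler starts outside this hunk.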
@@ -292,4 +303,4 @@ module.exports = { @@ -292,4 +303,4 @@ module.exports = {
292 sendBindMsg, 303 sendBindMsg,
293 msgCaptcha, 304 msgCaptcha,
294 mobileRegister 305 mobileRegister
295 -}; 306 +};
@@ -46,18 +46,21 @@ const syncUserSession = (uid, req, res) => { @@ -46,18 +46,21 @@ const syncUserSession = (uid, req, res) => {
46 req.session._USERNAME = name; 46 req.session._USERNAME = name;
47 47
48 res.cookie('_UID', uidCookie, { 48 res.cookie('_UID', uidCookie, {
49 - domain: config.cookieDomain 49 + domain: config.cookieDomain,
  50 + httpOnly: true
50 }); 51 });
51 52
52 res.cookie('_USERNAME', name, { 53 res.cookie('_USERNAME', name, {
53 - domain: config.cookieDomain 54 + domain: config.cookieDomain,
  55 + httpOnly: true
54 }); 56 });
55 } 57 }
56 58
57 req.session._TOKEN = token; // esline-disable-line 59 req.session._TOKEN = token; // esline-disable-line
58 req.session._LOGIN_UID = uid; // esline-disable-line 60 req.session._LOGIN_UID = uid; // esline-disable-line
59 res.cookie('_TOKEN', token, { 61 res.cookie('_TOKEN', token, {
60 - domain: config.cookieDomain 62 + domain: config.cookieDomain,
  63 + httpOnly: true
61 }); // esline-disable-line 64 }); // esline-disable-line
62 65
63 }); 66 });
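Review bot: The `_UID`, `_USERNAME` and `_TOKEN` cookies at new lines 48–64 gain `httpOnly` but no `secure` or `sameSite` attribute, so they are still sent over plain HTTP and on cross-site requests; if the site is served over TLS, `secure: true` (Express `res.cookie` supports `secure` and `sameSite`) closes that gap, preferably driven by a config flag rather than a literal. The same applies to `isRemember`/`remem` in the `rememberAccountAsync` hunk below and to the `refer` cookie in the registration handler. `_USERNAME` may be read by client-side script for display — if so, `httpOnly` will break that, which is worth confirming before merge. The enclosing `syncUserSession` starts outside this hunk.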
@@ -72,11 +75,13 @@ const rememberAccountAsync = (accountInfo, req, res) => { @@ -72,11 +75,13 @@ const rememberAccountAsync = (accountInfo, req, res) => {
72 75
73 res.cookie('isRemember', true, { 76 res.cookie('isRemember', true, {
74 maxAge: aWeek, 77 maxAge: aWeek,
75 - domain: config.cookieDomain 78 + domain: config.cookieDomain,
  79 + httpOnly: true
76 }); 80 });
77 res.cookie('remem', rememKey, { 81 res.cookie('remem', rememKey, {
78 maxAge: aWeek, 82 maxAge: aWeek,
79 - domain: config.cookieDomain 83 + domain: config.cookieDomain,
  84 + httpOnly: true
80 }); 85 });
81 86
82 return cache.set(rememKey, accountInfo); 87 return cache.set(rememKey, accountInfo);
@@ -88,4 +93,4 @@ module.exports = { @@ -88,4 +93,4 @@ module.exports = {
88 signinByOpenIDAsync, 93 signinByOpenIDAsync,
89 syncUserSession, 94 syncUserSession,
90 rememberAccountAsync 95 rememberAccountAsync
91 -}; 96 +};
@@ -17,7 +17,7 @@ @@ -17,7 +17,7 @@
17 17
18 <li> 18 <li>
19 <div> 19 <div>
20 - <a class="btn btn-fixed-height" href="{{goShopping}}">开始购物</a> 20 + <a class="btn btn-fixed-height" href="{{xssURI goShopping}}">开始购物</a>
21 </div> 21 </div>
22 </li> 22 </li>
23 </ul> 23 </ul>
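Review bot: `xssURI` at new line 20 is a Handlebars helper whose definition is not part of this change, so whether it only URL-encodes `goShopping` or also restricts its scheme cannot be confirmed here; encoding alone does not make an `href` safe when the value can carry a non-http scheme, so the helper should be verified to allow only relative or `http(s)` URLs. The identical line in the following template hunk has the same dependency. A short comment at the helper's registration site stating that guarantee would help later readers.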
@@ -16,7 +16,7 @@ @@ -16,7 +16,7 @@
16 16
17 <li> 17 <li>
18 <div> 18 <div>
19 - <a class="btn btn-fixed-height" href="{{goShopping}}">开始购物</a> 19 + <a class="btn btn-fixed-height" href="{{xssURI goShopping}}">开始购物</a>
20 </div> 20 </div>
21 </li> 21 </li>
22 </ul> 22 </ul>
@@ -7,6 +7,7 @@ @@ -7,6 +7,7 @@
7 'use strict'; 7 'use strict';
8 8
9 const orderModel = require('../models/order'); 9 const orderModel = require('../models/order');
  10 +const cleanHtml = require(`${global.utils}/cleanHtml`);
10 11
11 const _ = require('lodash'); 12 const _ = require('lodash');
12 13
@@ -23,20 +24,19 @@ const index = (req, res, next) => { @@ -23,20 +24,19 @@ const index = (req, res, next) => {
23 // 设置头部路径索引focus 24 // 设置头部路径索引focus
24 data.bcNavFocus = 2; 25 data.bcNavFocus = 2;
25 26
26 - data.delivery_way = _.concat(_.find(data.delivery_way, {delivery_way_id: 1})); 27 + data.delivery_way = _.concat(_.find(data.delivery_way, {
  28 + delivery_way_id: 1
  29 + }));
27 30
28 // 发票抬头 31 // 发票抬头
29 - data.invoices.invoiceTitle = [  
30 - {  
31 - name: '个人',  
32 - value: 1,  
33 - myClass: 'personal'  
34 - },  
35 - {  
36 - name: '单位',  
37 - value: 2  
38 - }  
39 - ]; 32 + data.invoices.invoiceTitle = [{
  33 + name: '个人',
  34 + value: 1,
  35 + myClass: 'personal'
  36 + }, {
  37 + name: '单位',
  38 + value: 2
  39 + }];
40 40
41 // 返回购物车链接 41 // 返回购物车链接
42 data.goCartLink = helper.urlFormat('/shopping/cart'); 42 data.goCartLink = helper.urlFormat('/shopping/cart');
@@ -49,20 +49,20 @@ const index = (req, res, next) => { @@ -49,20 +49,20 @@ const index = (req, res, next) => {
49 }); 49 });
50 50
51 // 是否打印价格radio 51 // 是否打印价格radio
52 - data.printPriceRadio = [  
53 - {  
54 - value: '1',  
55 - name: '是'  
56 - },  
57 - {  
58 - value: '0',  
59 - name: '否',  
60 - checked: true  
61 - }  
62 - ]; 52 + data.printPriceRadio = [{
  53 + value: '1',
  54 + name: '是'
  55 + }, {
  56 + value: '0',
  57 + name: '否',
  58 + checked: true
  59 + }];
  60 +
  61 + if (data.delivery_address) {
  62 + data.delivery_address.address = cleanHtml.htmlDecode(data.delivery_address.address);
  63 + }
63 64
64 res.header('Cache-Control', 'no-store'); 65 res.header('Cache-Control', 'no-store');
65 -  
66 res.display('order', { 66 res.display('order', {
67 content: data, 67 content: data,
68 defaultHeader: false 68 defaultHeader: false
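Review bot: `cleanHtml.htmlDecode` at new lines 61–63 turns stored entities back into raw `<`, `>` and quotes before `data` reaches `res.display`, so safety now depends entirely on the `order` template escaping `content.delivery_address.address` (`{{…}}`, not `{{{…}}}`); that is worth confirming and recording with a comment such as `// stored address is entity-encoded; decode here, template must escape on output`. The same pattern appears in the `online` handler of the pay controller. Note also that `htmlDecode` maps a missing `address` to `''` via `txt || ''`, though the `if (data.delivery_address)` guard covers the common case. The enclosing `index` handler starts outside this hunk.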
@@ -96,6 +96,9 @@ const orderSub = (req, res, next) => { @@ -96,6 +96,9 @@ const orderSub = (req, res, next) => {
96 other.address_id = crypto.decrypt(config.crypto.common, other.address_id); 96 other.address_id = crypto.decrypt(config.crypto.common, other.address_id);
97 } 97 }
98 98
  99 + other.remark = cleanHtml.htmlEncode(other.remark);
  100 + other.invoices_title = cleanHtml.htmlEncode(other.invoices_title);
  101 +
99 orderModel.submit(req.user.uid, other).then(result => { 102 orderModel.submit(req.user.uid, other).then(result => {
100 103
101 // 拼接地址 104 // 拼接地址
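Review bot: The two `htmlEncode` calls at new lines 99–100 encode on input, so `remark` and `invoices_title` are persisted already HTML-escaped and every consumer that renders them must avoid escaping a second time; the `htmlDecode` calls added elsewhere in this commit suggest that is the intended convention, and a comment here saying so would help. Because `htmlEncode` starts with `str = str || ''`, an absent field is now submitted as an empty string rather than omitted; if `orderModel.submit` or the backend treats absent and empty differently, guard the calls: `if (other.remark) { other.remark = cleanHtml.htmlEncode(other.remark); }`. The enclosing `orderSub` starts outside this hunk.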
@@ -112,4 +115,4 @@ module.exports = { @@ -112,4 +115,4 @@ module.exports = {
112 index, 115 index,
113 compute, 116 compute,
114 orderSub 117 orderSub
115 -}; 118 +};
@@ -9,6 +9,7 @@ @@ -9,6 +9,7 @@
9 const PayData = require('../models/pay'); 9 const PayData = require('../models/pay');
10 const OrderData = require('../models/order'); 10 const OrderData = require('../models/order');
11 const PayHelpers = require('../helpers/payment'); 11 const PayHelpers = require('../helpers/payment');
  12 +const cleanHtml = require(`${global.utils}/cleanHtml`);
12 const camelCase = global.yoho.camelCase; 13 const camelCase = global.yoho.camelCase;
13 const helpers = global.yoho.helpers; 14 const helpers = global.yoho.helpers;
14 const _ = require('lodash'); 15 const _ = require('lodash');
@@ -36,6 +37,9 @@ const online = (req, res, next) => { @@ -36,6 +37,9 @@ const online = (req, res, next) => {
36 } 37 }
37 }); 38 });
38 39
  40 + if (order.address) {
  41 + order.address = cleanHtml.htmlDecode(order.address);
  42 + }
39 43
40 if (amount > 0) { 44 if (amount > 0) {
41 res.display('pay', Object.assign({ 45 res.display('pay', Object.assign({
@@ -52,7 +56,9 @@ const online = (req, res, next) => { @@ -52,7 +56,9 @@ const online = (req, res, next) => {
52 cost: order.paymentAmount, 56 cost: order.paymentAmount,
53 orderNum: order.orderCode, 57 orderNum: order.orderCode,
54 coin: coin, 58 coin: coin,
55 - orderHref: helpers.urlFormat('/me/order/detail', {orderCode: order.orderCode}), 59 + orderHref: helpers.urlFormat('/me/order/detail', {
  60 + orderCode: order.orderCode
  61 + }),
56 walkHref: helpers.urlFormat('/') 62 walkHref: helpers.urlFormat('/')
57 } 63 }
58 }); 64 });
@@ -121,7 +127,9 @@ const callback = (req, res) => { @@ -121,7 +127,9 @@ const callback = (req, res) => {
121 cost: order.paymentAmount, 127 cost: order.paymentAmount,
122 orderNum: order.orderCode, 128 orderNum: order.orderCode,
123 coin: coin, 129 coin: coin,
124 - orderHref: helpers.urlFormat('/me/order/detail', {orderCode: order.orderCode}), 130 + orderHref: helpers.urlFormat('/me/order/detail', {
  131 + orderCode: order.orderCode
  132 + }),
125 walkHref: helpers.urlFormat('/') 133 walkHref: helpers.urlFormat('/')
126 } 134 }
127 }); 135 });
@@ -135,4 +143,4 @@ module.exports = { @@ -135,4 +143,4 @@ module.exports = {
135 online, 143 online,
136 callback, 144 callback,
137 toPay 145 toPay
138 -}; 146 +};
@@ -40,8 +40,6 @@ exports.serverError = () => { @@ -40,8 +40,6 @@ exports.serverError = () => {
40 logger.error(`error at path: ${req.url}`); 40 logger.error(`error at path: ${req.url}`);
41 logger.error(err); 41 logger.error(err);
42 if (!res.headersSent) { 42 if (!res.headersSent) {
43 - let renderErrPage;  
44 -  
45 if (req.xhr) { 43 if (req.xhr) {
46 return res.status(500).json({ 44 return res.status(500).json({
47 code: 500, 45 code: 500,
@@ -49,7 +47,7 @@ exports.serverError = () => { @@ -49,7 +47,7 @@ exports.serverError = () => {
49 }); 47 });
50 } 48 }
51 49
52 - renderErrPage = (result) => { 50 + const renderErrPage = (result) => {
53 res.status(500).display('error/500', { 51 res.status(500).display('error/500', {
54 module: 'common', 52 module: 'common',
55 page: 'error', 53 page: 'error',
@@ -65,4 +63,4 @@ exports.serverError = () => { @@ -65,4 +63,4 @@ exports.serverError = () => {
65 } 63 }
66 next(err); 64 next(err);
67 }; 65 };
68 -}; 66 +};
@@ -15,9 +15,9 @@ var $address = $('#addressDetail'); @@ -15,9 +15,9 @@ var $address = $('#addressDetail');
15 var $mobile = $('#mobile'); 15 var $mobile = $('#mobile');
16 var $phone = $('#phone'); 16 var $phone = $('#phone');
17 var addressForm = $('.form-group-address'); 17 var addressForm = $('.form-group-address');
18 -var currentLength = $('.a-table').find('tr').length - 1;// 当前地址条数  
19 -var leftLength = 7 - currentLength;// 还剩地址条数  
20 -var reg = new RegExp(/^(0|86|17951)?(13[0-9]|15[012356789]|17[678]|18[0-9]|14[57])[0-9]{8}$/);// 手机号码校验 18 +var currentLength = $('.a-table').find('tr').length - 1; // 当前地址条数
  19 +var leftLength = 7 - currentLength; // 还剩地址条数
  20 +var reg = new RegExp(/^(0|86|17951)?(13[0-9]|15[012356789]|17[678]|18[0-9]|14[57])[0-9]{8}$/); // 手机号码校验
21 21
22 require('./me'); 22 require('./me');
23 require('../plugins/check'); 23 require('../plugins/check');
@@ -26,7 +26,9 @@ require('yoho-jquery-placeholder'); @@ -26,7 +26,9 @@ require('yoho-jquery-placeholder');
26 $('[placeholder]').placeholder(); 26 $('[placeholder]').placeholder();
27 27
28 $(function() { 28 $(function() {
29 - var address = cascadingAddress({el: '#address'}); 29 + var address = cascadingAddress({
  30 + el: '#address'
  31 + });
30 32
31 /** 33 /**
32 * 公共方法 34 * 公共方法
@@ -61,14 +63,14 @@ $(function() { @@ -61,14 +63,14 @@ $(function() {
61 63
62 info.consignee === '' ? $consignee.next().show() : $consignee.next().hide(); 64 info.consignee === '' ? $consignee.next().show() : $consignee.next().hide();
63 info.address === '' ? $address.next().show() : $address.next().hide(); 65 info.address === '' ? $address.next().show() : $address.next().hide();
64 - typeof (info.area_code) === 'undefined' ?  
65 - addressForm.css('margin-bottom', '20px').find('.error-tips').show() : 66 + typeof(info.area_code) === 'undefined' ?
  67 + addressForm.css('margin-bottom', '20px').find('.error-tips').show():
66 addressForm.css('margin-bottom', '70px').find('.error-tips').hide(); 68 addressForm.css('margin-bottom', '70px').find('.error-tips').hide();
67 if (info.id) { 69 if (info.id) {
68 info.mobile === '' ? $mobile.next().show() : $mobile.next().hide(); 70 info.mobile === '' ? $mobile.next().show() : $mobile.next().hide();
69 71
70 if (info.consignee === '' || info.address === '' || info.mobile === '' || 72 if (info.consignee === '' || info.address === '' || info.mobile === '' ||
71 - typeof (info.area_code) === 'undefined') { 73 + typeof(info.area_code) === 'undefined') {
72 flag = false; 74 flag = false;
73 } 75 }
74 return flag; 76 return flag;
@@ -77,7 +79,7 @@ $(function() { @@ -77,7 +79,7 @@ $(function() {
77 (!reg.test(info.mobile) ? $mobile.next().html('手机号码格式不对').show() : $mobile.next().hide()); 79 (!reg.test(info.mobile) ? $mobile.next().html('手机号码格式不对').show() : $mobile.next().hide());
78 80
79 if (info.consignee === '' || info.address === '' || info.mobile === '' || !reg.test(info.mobile) || 81 if (info.consignee === '' || info.address === '' || info.mobile === '' || !reg.test(info.mobile) ||
80 - typeof (info.area_code) === 'undefined') { 82 + typeof(info.area_code) === 'undefined') {
81 flag = false; 83 flag = false;
82 } 84 }
83 return flag; 85 return flag;
@@ -144,7 +146,7 @@ $(function() { @@ -144,7 +146,7 @@ $(function() {
144 146
145 if (Bll.check(info) === true) { 147 if (Bll.check(info) === true) {
146 148
147 - console.log(info.id); 149 + // console.log(info.id);
148 150
149 // 新增 151 // 新增
150 if (info.id === '') { 152 if (info.id === '') {
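Review bot: Commenting out `console.log(info.id)` at new line 149 leaves dead code in place; delete the line rather than comment it, or keep a guarded debug call if it is still useful. The same applies to the commented-out `console.log` lines in the exchange and share-base hunks further down. The enclosing click handler starts outside this hunk.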
@@ -292,8 +294,11 @@ $(function() { @@ -292,8 +294,11 @@ $(function() {
292 $(this).find('.set').css('display', 'inline-block'); 294 $(this).find('.set').css('display', 'inline-block');
293 }); 295 });
294 296
295 - $('.table-body').on('mouseout',function(){  
296 - var tmpset=$(this).find('.set');  
297 - if(tmpset.css('display')== 'inline-block')tmpset.hide(); 297 + $('.table-body').on('mouseout', function() {
  298 + var tmpset = $(this).find('.set');
  299 +
  300 + if (tmpset.css('display') === 'inline-block') {
  301 + tmpset.hide();
  302 + }
298 }); 303 });
299 -}); 304 +});
@@ -53,7 +53,7 @@ function setExchangeEepress(eid, num) { @@ -53,7 +53,7 @@ function setExchangeEepress(eid, num) {
53 number: num 53 number: num
54 }, 54 },
55 success: function(data) { 55 success: function(data) {
56 - console.log(data); 56 + // console.log(data);
57 if (data.code === 200) { 57 if (data.code === 200) {
58 location.reload(); 58 location.reload();
59 } 59 }
@@ -81,8 +81,8 @@ $showExpress.on('click', '.reset-express', function() { @@ -81,8 +81,8 @@ $showExpress.on('click', '.reset-express', function() {
81 $editExpress.removeClass('hide'); 81 $editExpress.removeClass('hide');
82 }); 82 });
83 83
84 -console.log($('.reason-info').find('span').text().length); 84 +//console.log($('.reason-info').find('span').text().length);
85 85
86 if (remark <= 5) { 86 if (remark <= 5) {
87 $('.reason-info').hide(); 87 $('.reason-info').hide();
88 -} 88 +}
@@ -7,11 +7,11 @@ var dialog = require('../../plugins/dialog'); @@ -7,11 +7,11 @@ var dialog = require('../../plugins/dialog');
7 var _alert = dialog.Alert; 7 var _alert = dialog.Alert;
8 var regValidate = require('../../passport/common/mail-phone-regx'); 8 var regValidate = require('../../passport/common/mail-phone-regx');
9 var types = location.pathname.split('/'); 9 var types = location.pathname.split('/');
10 -var type = types[types.length - 1];// 界面操作类型 10 +var type = types[types.length - 1]; // 界面操作类型
11 var $imgCaptchaInput = $('#captcha'); 11 var $imgCaptchaInput = $('#captcha');
12 var second = 60; 12 var second = 60;
13 -var $sms = $('#send-code2');// 发送短信验证码按钮  
14 -var area = $('#country-code').text().substring(1) || '86';// 地区码 13 +var $sms = $('#send-code2'); // 发送短信验证码按钮
  14 +var area = $('#country-code').text().substring(1) || '86'; // 地区码
15 // 发送短信后倒计时显示 15 // 发送短信后倒计时显示
16 var disableSMSBtn = function() { 16 var disableSMSBtn = function() {
17 second -= 1; 17 second -= 1;
@@ -126,13 +126,15 @@ $('#mobile-step2').click(function() { @@ -126,13 +126,15 @@ $('#mobile-step2').click(function() {
126 data: { 126 data: {
127 code: code, 127 code: code,
128 mobile: mobile, 128 mobile: mobile,
129 - area: area 129 + area: area,
  130 + type: type,
  131 + _csrf: $('#checkCode').val()
130 }, 132 },
131 success: function(data) { 133 success: function(data) {
132 if (data.code === 200) { 134 if (data.code === 200) {
133 self.find('.tips-success').addClass('ok').show(); 135 self.find('.tips-success').addClass('ok').show();
134 self.find('.tips-error').removeClass('notok').hide(); 136 self.find('.tips-error').removeClass('notok').hide();
135 - location.href = '/me/setting/step3/' + type + '?checkCode=' + $('#checkCode').val(); 137 + location.href = '/me/setting/step3/' + type;
136 } else { 138 } else {
137 new _alert(data.message).show(); 139 new _alert(data.message).show();
138 self.find('.tips-success').removeClass('ok').hide(); 140 self.find('.tips-success').removeClass('ok').hide();
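Review bot: Moving the token from the `?checkCode=` query string into the POST body as `_csrf` at new lines 129–131 removes it from the redirect URL, but the redirect at new line 137 now carries only `type`, so the step3 page can no longer recover the token from the query; the server must derive "step 2 was passed" from the session, and that change is not visible in this diff, so confirm the step3 route is not reachable directly. Reading `#checkCode` on every request also means the hidden field must be present in the rendered page, otherwise `_csrf` is `undefined` and the request will be rejected. The same change is made in the `#step2-pwd`, `#mobile-step1`, `#pwd-step1` and `#email-step1` hunks. The enclosing click handler starts outside this hunk.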
@@ -190,11 +192,13 @@ $('#step2-pwd').click(function() { @@ -190,11 +192,13 @@ $('#step2-pwd').click(function() {
190 type: 'POST', 192 type: 'POST',
191 url: '/me/setting/step2/password', 193 url: '/me/setting/step2/password',
192 data: { 194 data: {
193 - password: password 195 + password: password,
  196 + type: type,
  197 + _csrf: $('#checkCode').val()
194 }, 198 },
195 success: function(data) { 199 success: function(data) {
196 if (data.code === 200) { 200 if (data.code === 200) {
197 - location.href = '/me/setting/step3/' + type + '?checkCode=' + $('#checkCode').val(); 201 + location.href = '/me/setting/step3/' + type;
198 } else { 202 } else {
199 new _alert(data.message).show(); 203 new _alert(data.message).show();
200 } 204 }
@@ -202,4 +206,4 @@ $('#step2-pwd').click(function() { @@ -202,4 +206,4 @@ $('#step2-pwd').click(function() {
202 }); 206 });
203 } 207 }
204 208
205 -}); 209 +});
@@ -7,14 +7,14 @@ var $imgCaptchaInput = $('#captcha'); @@ -7,14 +7,14 @@ var $imgCaptchaInput = $('#captcha');
7 var dialog = require('../../plugins/dialog'); 7 var dialog = require('../../plugins/dialog');
8 var _alert = dialog.Alert; 8 var _alert = dialog.Alert;
9 var types = location.pathname.split('/'); 9 var types = location.pathname.split('/');
10 -var type = types[types.length - 1];// 界面操作类型 10 +var type = types[types.length - 1]; // 界面操作类型
11 var area = $('#country-code').text().substring(1) || '86'; 11 var area = $('#country-code').text().substring(1) || '86';
12 12
13 /** 13 /**
14 * 手机号码验证 14 * 手机号码验证
15 */ 15 */
16 var second = 60; 16 var second = 60;
17 -var $sms = $('#send-code');// 发送短信验证码按钮 17 +var $sms = $('#send-code'); // 发送短信验证码按钮
18 // 发送短信后倒计时显示 18 // 发送短信后倒计时显示
19 var disableSMSBtn = function() { 19 var disableSMSBtn = function() {
20 second -= 1; 20 second -= 1;
@@ -71,11 +71,13 @@ $('#mobile-step1').click(function() { @@ -71,11 +71,13 @@ $('#mobile-step1').click(function() {
71 data: { 71 data: {
72 code: code, 72 code: code,
73 mobile: mobile, 73 mobile: mobile,
74 - area: area 74 + area: area,
  75 + type: type,
  76 + _csrf: $('#checkCode').val()
75 }, 77 },
76 success: function(data) { 78 success: function(data) {
77 if (data.code === 200) { 79 if (data.code === 200) {
78 - location.href = '/me/setting/step2/' + type + '?checkCode=' + $('#checkCode').val(); 80 + location.href = '/me/setting/step2/' + type;
79 } else { 81 } else {
80 // location.href = '/me/setting/step2/' + type + "?checkCode=" + $("#checkCode").val(); 82 // location.href = '/me/setting/step2/' + type + "?checkCode=" + $("#checkCode").val();
81 new _alert('验证码不正确!').show(); 83 new _alert('验证码不正确!').show();
@@ -127,11 +129,13 @@ $('#pwd-step1').click(function() { @@ -127,11 +129,13 @@ $('#pwd-step1').click(function() {
127 type: 'POST', 129 type: 'POST',
128 url: '/me/setting/step1/password', 130 url: '/me/setting/step1/password',
129 data: { 131 data: {
130 - password: password 132 + password: password,
  133 + type: type,
  134 + _csrf: $('#checkCode').val()
131 }, 135 },
132 success: function(data) { 136 success: function(data) {
133 if (data.code === 200) { 137 if (data.code === 200) {
134 - location.href = '/me/setting/step2/' + type + '?checkCode=' + $('#checkCode').val(); 138 + location.href = '/me/setting/step2/' + type;
135 } else { 139 } else {
136 new _alert('登录密码校验错误!').show(); 140 new _alert('登录密码校验错误!').show();
137 } 141 }
@@ -151,7 +155,9 @@ $('#email-step1').click(function() { @@ -151,7 +155,9 @@ $('#email-step1').click(function() {
151 type: 'POST', 155 type: 'POST',
152 url: '/me/setting/step1/email', 156 url: '/me/setting/step1/email',
153 data: { 157 data: {
154 - email: $('#real-email').val() 158 + email: $('#real-email').val(),
  159 + type: type,
  160 + _csrf: $('#checkCode').val()
155 }, 161 },
156 success: function(data) { 162 success: function(data) {
157 // todo 发送邮件 163 // todo 发送邮件
@@ -166,4 +172,4 @@ $('#email-step1').click(function() { @@ -166,4 +172,4 @@ $('#email-step1').click(function() {
166 } 172 }
167 }); 173 });
168 } 174 }
169 -}); 175 +});
@@ -75,7 +75,7 @@ function shareBase(options) { @@ -75,7 +75,7 @@ function shareBase(options) {
75 75
76 if (sharebox.length > 0) { 76 if (sharebox.length > 0) {
77 shareCon = '<i class="top"></i><div class="con"><p class="pic"><img src="' + 77 shareCon = '<i class="top"></i><div class="con"><p class="pic"><img src="' +
78 - openUrl + '" /></p><h2>分享到微信朋友圈</h2><p class="w">打开微信使用“扫一扫“<br/>即可将网页分享到我的朋友圈。</p></div>'; 78 + openUrl + '" /></p><h2>分享到微信朋友圈</h2><p class="w">打开微信使用“扫一扫“<br/>即可将网页分享到我的朋友圈。</p></div>';
79 sharebox.find('div').length > 0 ? sharebox.show() : sharebox.html(shareCon).show(); 79 sharebox.find('div').length > 0 ? sharebox.show() : sharebox.html(shareCon).show();
80 } 80 }
81 } else { 81 } else {
@@ -123,6 +123,6 @@ $('.weixin').mouseenter(function() { @@ -123,6 +123,6 @@ $('.weixin').mouseenter(function() {
123 }); 123 });
124 124
125 $('.weixin').mouseleave(function() { 125 $('.weixin').mouseleave(function() {
126 - console.log(2); 126 + // console.log(2);
127 $('.weixin-share-box').hide(); 127 $('.weixin-share-box').hide();
128 -}); 128 +});
  1 +'use strict';
  2 +
  3 +const re = new RegExp('(\r\n)|[&"\'<>]', 'g');
  4 +const htmlEntity = {
  5 + '&amp;': '\u0026',
  6 + '&quot;': '\u0022',
  7 + '&apos;': '\u0027',
  8 + '&lt;': '\u003c',
  9 + '&gt;': '\u003e'
  10 +};
  11 +
  12 +exports.htmlDecode = function(txt) {
  13 + txt = txt || '';
  14 + return txt.replace(/((&(([a-z][a-z0-9]*)|(#[0-9]+)|(#x[0-9a-f]+));)|["'<>&])/gi, function(s) {
  15 + s = s || '';
  16 + const s1 = htmlEntity[s.toLowerCase()];
  17 +
  18 + if (s1) {
  19 + s = s1;
  20 + }
  21 +
  22 + return s;
  23 + });
  24 +};
  25 +
  26 +exports.htmlEncode = function(str) {
  27 + str = str || '';
  28 + return str.replace(re, function(s) {
  29 + switch (s) {
  30 + case '&':
  31 + return '&amp;';
  32 + case '"':
  33 + return '&quot;';
  34 + case '\'':
  35 + return '&apos;';
  36 + case '<':
  37 + return '&lt;';
  38 + case '>':
  39 + return '&gt;';
  40 + default:
  41 + return s;
  42 + }
  43 + });
  44 +};
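Review bot: `htmlDecode`'s pattern at line 14 matches numeric entities (`&#…;`, `&#x…;`) and any named entity, but `htmlEntity` holds only five names, so everything else — including `&#39;`, the apostrophe form most encoders emit — is returned verbatim; either restrict the pattern to the five entities actually handled or add numeric decoding, and document the supported set in a JSDoc on both exports. In `htmlEncode`, the `(\r\n)` alternative of `re` at line 3 is dead: the `switch` has no case for it and `default` returns the match unchanged, so `const re = /[&"'<>]/g;` expresses the same behaviour. Both functions coerce only `null`/`undefined` with `|| ''`; a non-string such as a number reaches `.replace` and throws, so `txt = String(txt || '');` is safer when the input comes from request bodies. `&apos;` is not an HTML 4 entity and some older HTML parsers do not decode it; `&#39;` is the portable choice.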