Authored by 王水玲

xss 搜索漏洞

... ... @@ -9,6 +9,7 @@
const editorialModel = require('../models/editorial');
const md5 = require('md5');
const config = global.yoho.config;
const helper = global.yoho.helpers;
/**
* 资讯首页数据
... ... @@ -83,7 +84,7 @@ const index = (req, res, next) => {
const list = (req, res, next) => {
let pageNum = req.query.page || 1;
let limit = req.query.limit || 20;
let tag = req.query.query;
let tag = helper.xssHtml(req.query.query);
let authorId = req.query.authorId;
let udid = md5(req.ip);
let channel = req.cookies._Channel || 'men';
... ... @@ -132,10 +133,10 @@ const list = (req, res, next) => {
},
{
pathTitle: '资讯',
name: req.query.query || result.authorName
name: tag || result.authorName
}
],
pathTitle: req.query.query || result.authorName,
pathTitle: tag || result.authorName,
msg: result.tabs,
paginationOpts: {
page: pageNum, // current page: //host/?page=2
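Review bot: `let tag = helper.xssHtml(req.query.query);` escapes the search term at the point it is read, and the same `tag` variable is presumably what is handed to the editorial model further down (the body of `list` continues outside the hunk), so a term containing `&`, `<` or quotes would reach the backend in HTML-escaped form and change the results. Escaping belongs at the output boundary: keep the raw value for the model and escape only what goes to the view, e.g. `let tag = req.query.query;` followed by `let safeTag = helper.xssHtml(tag);`, using `safeTag` for `name: tag || result.authorName` and `pathTitle: tag || result.authorName`. The search controller hunk (`let query = helper.xssHtml(q.query) || '';`) has the same shape. If the template engine already escapes its `{{ }}` output this yields double-encoded titles instead of a fix, so confirm which template syntax renders these fields.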
... ... @@ -21,7 +21,6 @@ const config = global.yoho.config;
const helpers = global.yoho.helpers;
const cookie = global.yoho.cookie;
const logger = global.yoho.logger;
const cache = global.yoho.cache;
let siteUrl = config.siteUrl.indexOf('//') === 0 ? 'http:' + config.siteUrl : config.siteUrl;
... ... @@ -62,53 +61,19 @@ passport.use('local', new LocalStrategy({
let shoppingKey = cookie.getShoppingKey(req);
let account = req.body.account;
let errorLoginKey = 'account_errorlogin_' + account;
let accountKey = 'account_signin_' + account;
let cacheGet = [cache.get(errorLoginKey), cache.get(accountKey)];
Promise.all(cacheGet).then(times => {
let errLoginTimes = _.parseInt(times[0]) || 0;
let accountTimes = _.parseInt(times[1]) || 0;
if (accountTimes >= 10) {
done({ message: '您的账号已被暂时锁定,请30分钟后再试' }, null);
return LoginService.signin(type, area, username, password, shoppingKey, req).then((result) => {
if (result.code && result.code === 200 && result.data.uid) {
done(null, result.data);
} else {
return LoginService.signin(type, area, username, password, shoppingKey, req).then((result) => {
if (result.code && result.code === 200 && result.data.uid) {
cache.del(errorLoginKey);
done(null, result.data);
} else {
errLoginTimes = errLoginTimes + 1;
accountTimes = accountTimes + 1;
cache.set(errorLoginKey, errLoginTimes);
cache.set(accountKey, accountTimes, 1800);
// 再次校验
if (accountTimes >= 10) {
done({message: '您的账号已被暂时锁定,请稍后再试'}, null);
} else if (errLoginTimes >= 3) {
done({
message: '请输入正确的账号或密码',
needCaptcha: true
});
} else {
done({
message: '请输入正确的账号或密码',
needCaptcha: false
});
}
}
done({
message: '请输入正确的账号或密码',
needCaptcha: true
});
}
}).catch(e => {
logger.error('call the signin service fail,', e);
done('登录失败,请稍后重试', null);
});
}));
/**
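Review bot: The new side of this hunk drops the cache-backed `errorLoginKey`/`accountKey` failure counters and the `accountTimes >= 10` lock with its 1800-second expiry, answering every failed sign-in with `needCaptcha: true`, yet the commit title only mentions the search XSS issue. If the captcha is intended to replace the lockout, confirm it is validated server-side before `LoginService.signin` is called (not visible here) and record the throttling change in the description; otherwise the counter should be kept. `let account = req.body.account;` looks unused once the cache keys are gone, so drop it if it survives on the new side. The strategy callback starts before this hunk.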
... ... @@ -11,11 +11,12 @@
const _ = require('lodash');
const Search = require('../models/search');
const DataHelper = require('../models/helpers');
const helper = global.yoho.helpers;
const Query = {
index: (req, res, next) => {
let q = req.query;
let query = q.query || '';
let query = helper.xssHtml(q.query) || '';
let channel = req.query._Channel || req.cookies._Channel || 'men';
q.page = parseInt(q.page || 1, 10);
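Review bot: `let query = helper.xssHtml(q.query) || '';` only falls back to the empty string if the helper returns a falsy value for a missing parameter; if it stringifies `undefined` the search runs on that literal text, which the old `q.query || ''` prevented. Applying the fallback before escaping avoids depending on that detail: `let query = helper.xssHtml(q.query || '');`. `q.query` itself still holds the raw value, so anything that later renders `q` directly (the `index` handler continues outside the hunk) bypasses the escaping.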