Merge remote-tracking branch 'origin/hotfix/0905-xss' into release/0906

yyq
Commit 2f65279a58788b7829ece4b715025a713ef0dcf5 2 parents 47de66a7 bfd3afa1
Showing 10 changed files with 41 additions and 16 deletions
apps/cart/views/action/order-ensure.hbs
apps/home/views/action/home/address/address.hbs
apps/home/views/action/home/orders/order-detail.hbs
apps/shopping/views/action/pay.hbs
doraemon/views/partial/common/simple-header.hbs
public/js/cart/order/address.js
public/js/cart/order/invoice.js
public/js/header.js
public/js/simple-header.js
utils/helpers.js
--- a/apps/cart/views/action/order-ensure.hbs
View file @2f65279
+++ b/apps/cart/views/action/order-ensure.hbs
View file @2f65279
@@ -12,11 +12,11 @@
                 {{# deliveryAddress}}
                     <div class="addr-item{{#isY is_default}} addr-default{{/isY}}{{#if selected}} addr-select{{/if}}" data-id="{{id}}" data-consignee="{{consignee}}" data-mobile="{{mobile}}" data-phone="{{phone}}" data-area="{{area}}" data-code="{{area_code}}" data-address="{{address}}"{{#isY is_default}} data-default="1"{{/isY}}{{#isY is_support}} data-delivery="1"{{/isY}}{{#isY is_cash_delivery}} data-cashdelivery="1"{{/isY}}>
                         <p class="name">
-                             {{{consignee}}}
+                             {{{htmlEncode consignee}}}
                             <span class="right">{{mobile}}</span>
                         </p>
                         <p class="area">{{area}}</p>
-                         <p class="street fw300">{{{address}}}</p>
+                         <p class="street fw300">{{{htmlEncode address}}}</p>
                         <p class="option">
                             <label class="set-default">设为默认</label>
                             <label class="default-tip">默认地址</label>
--- a/apps/home/views/action/home/address/address.hbs
View file @2f65279
+++ b/apps/home/views/action/home/address/address.hbs
View file @2f65279
@@ -14,9 +14,9 @@
                         {{#each addressList}}                        
                         <li class="address-content {{#if isPreferred}}preferred{{/if}}" addressId={{id}}>
                             <div class="address-detail">
-                                 <strong>收货人：{{{addressee}}}</strong>
+                                 <strong>收货人：{{{htmlEncode addressee}}}</strong>
                                 <br>
-                                 收货地址：{{{address}}}
+                                 收货地址：{{{htmlEncode address}}}
                                 <br>
                                 联系电话：{{phone}}
                                 <br>
--- a/apps/home/views/action/home/orders/order-detail.hbs
View file @2f65279
+++ b/apps/home/views/action/home/orders/order-detail.hbs
View file @2f65279
@@ -103,14 +103,14 @@
                     </p>
                     <div class="content">
                         {{#if normal}}
-                             <p>收货人：{{{receiver}}}</p>
-                             <p>收货地址：{{{address}}}</p>
+                             <p>收货人：{{{htmlEncode receiver}}}</p>
+                             <p>收货地址：{{{htmlEncode address}}}</p>
                             <p>联系电话：{{phone}}</p>
                         {{/if}}
 
                         {{#if offlineByExpress}}
-                             <p>收货人：{{{receiver}}}</p>
-                             <p>收货地址：{{{address}}}</p>
+                             <p>收货人：{{{htmlEncode receiver}}}</p>
+                             <p>收货地址：{{{htmlEncode address}}}</p>
                             <p>联系电话：{{phone}}</p>
                             <p>下单门店：{{offlineStore}}</p>
 
@@ -135,7 +135,7 @@
                             {{#if pdfUrl}}<a class="invoice-button" href="{{pdfUrl}}">电子发票下载</a>
                             {{/if}}
                             </div>
-                         <p>发票抬头：{{title}}</p>
+                         <p>发票抬头：{{{title}}}</p>
                         {{^}}
                         <p>暂不需要发票
                         {{/if}}
--- a/apps/shopping/views/action/pay.hbs
View file @2f65279
+++ b/apps/shopping/views/action/pay.hbs
View file @2f65279
@@ -13,7 +13,7 @@
                 <h2>您的订单已成功，现在就去付款吧～</h2>
                 <h3>您的订单号：<strong class="order-num">{{order_code}}</strong> 应付金额：<strong>{{payment_amount}}</strong>元 &nbsp; &nbsp;
                     支付方式：在线支付 &nbsp; &nbsp; &nbsp; 送货时间：{{deliveryTimes}}</h3>
-                 <h4>{{{../username}}},如果2小时内您无法完成付款，系统会将您的订单取消。</h4>
+                 <h4>{{{htmlEncode ../username}}},如果2小时内您无法完成付款，系统会将您的订单取消。</h4>
             </div>
         {{/order}}
 
--- a/doraemon/views/partial/common/simple-header.hbs
View file @2f65279
+++ b/doraemon/views/partial/common/simple-header.hbs
View file @2f65279
@@ -13,7 +13,7 @@
             <li>
                 <span>Hi~</span>
                 {{# user}}
-                 <a href="{{userCenter}}">{{.}}</a>
+                 <a href="{{userCenter}}">{{htmlEncode .}}</a>
                 {{/ user}}
 
                 {{# loginHref}}
--- a/public/js/cart/order/address.js
View file @2f65279
+++ b/public/js/cart/order/address.js
View file @2f65279
@@ -10,6 +10,7 @@ var $ = require('yoho-jquery'),
     dialog = require('../../common/dialog');
 
 var stringHandle = require('../../common/stringHandle');
+ var cleanHtml = require('../../../../utils/cleanHtml');
 
 var Dialog = dialog.Dialog,
     Confirm = dialog.Confirm,
@@ -234,8 +235,8 @@ function setShowDeliveryAddr(data) {
             $supportWay2.val(data.delivery ? 1 : 0).change();
         }, 0);
 
-         _h = '寄送至：' + data.area + '&nbsp;&nbsp;&nbsp;&nbsp;' + data.address +
-             '<br>收货人：' + data.consignee + '&nbsp;&nbsp;&nbsp;&nbsp;' + data.mobile;
+         _h = '寄送至：' + data.area + '&nbsp;&nbsp;&nbsp;&nbsp;' + cleanHtml.htmlEncode(data.address) +
+             '<br>收货人：' + cleanHtml.htmlEncode(data.consignee) + '&nbsp;&nbsp;&nbsp;&nbsp;' + data.mobile;
     }
     $deliveryAddr.html(_h);
 }
--- a/public/js/cart/order/invoice.js
View file @2f65279
+++ b/public/js/cart/order/invoice.js
View file @2f65279
@@ -8,6 +8,7 @@ var $ = require('yoho-jquery');
 
 var yas = require('../../common/data-yas');
 var Dialog = require('../../common/dialog').Dialog;
+ var cleanHtml = require('../../../../utils/cleanHtml');
 
 var $invoiceRadio = $('#invoice-radio');
 
@@ -143,7 +144,7 @@ function setShowInvoiceInfo() {
         _h += '电子发票';
     }
 
-     _h += '&nbsp;&nbsp;&nbsp;&nbsp;' + invoiceInfo.titleName;
+     _h += '&nbsp;&nbsp;&nbsp;&nbsp;' + cleanHtml.htmlEncode(invoiceInfo.titleName);
 
     $dom.removeClass('hide').find('span').html(_h);
 }
--- a/public/js/header.js
View file @2f65279
+++ b/public/js/header.js
View file @2f65279
@@ -10,6 +10,8 @@ var $tool = $('.tool-wrapper'),
     $yohoGroup = $tool.find('.yoho-group'),
     $loginBox = $('#loginBox');
 
+ var cleanHtml = require('../../utils/cleanHtml');
+ 
 var $head = $('.head-wrapper'),
     $searchForm = $('#search-form'),
     $searchKey = $searchForm.find('.search-key'),
@@ -283,6 +285,7 @@ function updateLoginInfo(data) {
         data.vip3 = true;
     }
 
+     data.profileName = cleanHtml.htmlEncode(data.profileName);
     $tool.find('.simple-user-center').html(centerFn(data));
 }
 
@@ -608,7 +611,7 @@ cartTimer = setInterval(syncCratInfo, 2000); // 定时同步购物车数量
 
     var info = {
         usercenter: '//www.yohobuy.com/home?t=' + new Date().getTime(),
-         nickname: profileName,
+         nickname: cleanHtml.htmlEncode(profileName),
         signout: '//www.yohobuy.com/logout.html'
     };
 
--- a/public/js/simple-header.js
View file @2f65279
+++ b/public/js/simple-header.js
View file @2f65279
 var $ = require('yoho-jquery');
 
 var $apiDom = $('#api-domain');
+ var cleanHtml = require('../../utils/cleanHtml');
 
 require('./common');
 
@@ -57,7 +58,7 @@ function formatUsernName(userName) {
             name += '...';
         }
     }
-     return name;
+     return cleanHtml.htmlEncode(name);
 }
 
 /**
--- a/utils/helpers.js
View file @2f65279
+++ b/utils/helpers.js
View file @2f65279
@@ -83,5 +83,24 @@ module.exports = {
         } else {
             return opt.inverse(this);
         }
+     },
+     htmlEncode: function(str) {
+         const re = /(\r\n)|["\'<>]/g;
+ 
+         str = str || '';
+         return str.replace(re, function(s) {
+             switch (s) {
+                 case '"':
+                     return '&quot;';
+                 case '\'':
+                     return '&apos;';
+                 case '<':
+                     return '&lt;';
+                 case '>':
+                     return '&gt;';
+                 default:
+                     return s;
+             }
+         });
     }
 };