Merge remote-tracking branch 'origin/hotfix/0905-xss' into release/0906
Showing
10 changed files
with
41 additions
and
16 deletions
| @@ -12,11 +12,11 @@ | @@ -12,11 +12,11 @@ | ||
| 12 | {{# deliveryAddress}} | 12 | {{# deliveryAddress}} |
| 13 | <div class="addr-item{{#isY is_default}} addr-default{{/isY}}{{#if selected}} addr-select{{/if}}" data-id="{{id}}" data-consignee="{{consignee}}" data-mobile="{{mobile}}" data-phone="{{phone}}" data-area="{{area}}" data-code="{{area_code}}" data-address="{{address}}"{{#isY is_default}} data-default="1"{{/isY}}{{#isY is_support}} data-delivery="1"{{/isY}}{{#isY is_cash_delivery}} data-cashdelivery="1"{{/isY}}> | 13 | <div class="addr-item{{#isY is_default}} addr-default{{/isY}}{{#if selected}} addr-select{{/if}}" data-id="{{id}}" data-consignee="{{consignee}}" data-mobile="{{mobile}}" data-phone="{{phone}}" data-area="{{area}}" data-code="{{area_code}}" data-address="{{address}}"{{#isY is_default}} data-default="1"{{/isY}}{{#isY is_support}} data-delivery="1"{{/isY}}{{#isY is_cash_delivery}} data-cashdelivery="1"{{/isY}}> |
| 14 | <p class="name"> | 14 | <p class="name"> |
| 15 | - {{{consignee}}} | 15 | + {{{htmlEncode consignee}}} |
| 16 | <span class="right">{{mobile}}</span> | 16 | <span class="right">{{mobile}}</span> |
| 17 | </p> | 17 | </p> |
| 18 | <p class="area">{{area}}</p> | 18 | <p class="area">{{area}}</p> |
| 19 | - <p class="street fw300">{{{address}}}</p> | 19 | + <p class="street fw300">{{{htmlEncode address}}}</p> |
| 20 | <p class="option"> | 20 | <p class="option"> |
| 21 | <label class="set-default">设为默认</label> | 21 | <label class="set-default">设为默认</label> |
| 22 | <label class="default-tip">默认地址</label> | 22 | <label class="default-tip">默认地址</label> |
| @@ -14,9 +14,9 @@ | @@ -14,9 +14,9 @@ | ||
| 14 | {{#each addressList}} | 14 | {{#each addressList}} |
| 15 | <li class="address-content {{#if isPreferred}}preferred{{/if}}" addressId={{id}}> | 15 | <li class="address-content {{#if isPreferred}}preferred{{/if}}" addressId={{id}}> |
| 16 | <div class="address-detail"> | 16 | <div class="address-detail"> |
| 17 | - <strong>收货人:{{{addressee}}}</strong> | 17 | + <strong>收货人:{{{htmlEncode addressee}}}</strong> |
| 18 | <br> | 18 | <br> |
| 19 | - 收货地址:{{{address}}} | 19 | + 收货地址:{{{htmlEncode address}}} |
| 20 | <br> | 20 | <br> |
| 21 | 联系电话:{{phone}} | 21 | 联系电话:{{phone}} |
| 22 | <br> | 22 | <br> |
| @@ -103,14 +103,14 @@ | @@ -103,14 +103,14 @@ | ||
| 103 | </p> | 103 | </p> |
| 104 | <div class="content"> | 104 | <div class="content"> |
| 105 | {{#if normal}} | 105 | {{#if normal}} |
| 106 | - <p>收货人:{{{receiver}}}</p> | ||
| 107 | - <p>收货地址:{{{address}}}</p> | 106 | + <p>收货人:{{{htmlEncode receiver}}}</p> |
| 107 | + <p>收货地址:{{{htmlEncode address}}}</p> | ||
| 108 | <p>联系电话:{{phone}}</p> | 108 | <p>联系电话:{{phone}}</p> |
| 109 | {{/if}} | 109 | {{/if}} |
| 110 | 110 | ||
| 111 | {{#if offlineByExpress}} | 111 | {{#if offlineByExpress}} |
| 112 | - <p>收货人:{{{receiver}}}</p> | ||
| 113 | - <p>收货地址:{{{address}}}</p> | 112 | + <p>收货人:{{{htmlEncode receiver}}}</p> |
| 113 | + <p>收货地址:{{{htmlEncode address}}}</p> | ||
| 114 | <p>联系电话:{{phone}}</p> | 114 | <p>联系电话:{{phone}}</p> |
| 115 | <p>下单门店:{{offlineStore}}</p> | 115 | <p>下单门店:{{offlineStore}}</p> |
| 116 | 116 | ||
| @@ -135,7 +135,7 @@ | @@ -135,7 +135,7 @@ | ||
| 135 | {{#if pdfUrl}}<a class="invoice-button" href="{{pdfUrl}}">电子发票下载</a> | 135 | {{#if pdfUrl}}<a class="invoice-button" href="{{pdfUrl}}">电子发票下载</a> |
| 136 | {{/if}} | 136 | {{/if}} |
| 137 | </div> | 137 | </div> |
| 138 | - <p>发票抬头:{{title}}</p> | 138 | + <p>发票抬头:{{{title}}}</p> |
| 139 | {{^}} | 139 | {{^}} |
| 140 | <p>暂不需要发票 | 140 | <p>暂不需要发票 |
| 141 | {{/if}} | 141 | {{/if}} |
| @@ -13,7 +13,7 @@ | @@ -13,7 +13,7 @@ | ||
| 13 | <h2>您的订单已成功,现在就去付款吧~</h2> | 13 | <h2>您的订单已成功,现在就去付款吧~</h2> |
| 14 | <h3>您的订单号:<strong class="order-num">{{order_code}}</strong> 应付金额:<strong>{{payment_amount}}</strong>元 | 14 | <h3>您的订单号:<strong class="order-num">{{order_code}}</strong> 应付金额:<strong>{{payment_amount}}</strong>元 |
| 15 | 支付方式:在线支付 送货时间:{{deliveryTimes}}</h3> | 15 | 支付方式:在线支付 送货时间:{{deliveryTimes}}</h3> |
| 16 | - <h4>{{{../username}}},如果2小时内您无法完成付款,系统会将您的订单取消。</h4> | 16 | + <h4>{{{htmlEncode ../username}}},如果2小时内您无法完成付款,系统会将您的订单取消。</h4> |
| 17 | </div> | 17 | </div> |
| 18 | {{/order}} | 18 | {{/order}} |
| 19 | 19 |
| @@ -10,6 +10,7 @@ var $ = require('yoho-jquery'), | @@ -10,6 +10,7 @@ var $ = require('yoho-jquery'), | ||
| 10 | dialog = require('../../common/dialog'); | 10 | dialog = require('../../common/dialog'); |
| 11 | 11 | ||
| 12 | var stringHandle = require('../../common/stringHandle'); | 12 | var stringHandle = require('../../common/stringHandle'); |
| 13 | +var cleanHtml = require('../../../../utils/cleanHtml'); | ||
| 13 | 14 | ||
| 14 | var Dialog = dialog.Dialog, | 15 | var Dialog = dialog.Dialog, |
| 15 | Confirm = dialog.Confirm, | 16 | Confirm = dialog.Confirm, |
| @@ -234,8 +235,8 @@ function setShowDeliveryAddr(data) { | @@ -234,8 +235,8 @@ function setShowDeliveryAddr(data) { | ||
| 234 | $supportWay2.val(data.delivery ? 1 : 0).change(); | 235 | $supportWay2.val(data.delivery ? 1 : 0).change(); |
| 235 | }, 0); | 236 | }, 0); |
| 236 | 237 | ||
| 237 | - _h = '寄送至:' + data.area + ' ' + data.address + | ||
| 238 | - '<br>收货人:' + data.consignee + ' ' + data.mobile; | 238 | + _h = '寄送至:' + data.area + ' ' + cleanHtml.htmlEncode(data.address) + |
| 239 | + '<br>收货人:' + cleanHtml.htmlEncode(data.consignee) + ' ' + data.mobile; | ||
| 239 | } | 240 | } |
| 240 | $deliveryAddr.html(_h); | 241 | $deliveryAddr.html(_h); |
| 241 | } | 242 | } |
| @@ -8,6 +8,7 @@ var $ = require('yoho-jquery'); | @@ -8,6 +8,7 @@ var $ = require('yoho-jquery'); | ||
| 8 | 8 | ||
| 9 | var yas = require('../../common/data-yas'); | 9 | var yas = require('../../common/data-yas'); |
| 10 | var Dialog = require('../../common/dialog').Dialog; | 10 | var Dialog = require('../../common/dialog').Dialog; |
| 11 | +var cleanHtml = require('../../../../utils/cleanHtml'); | ||
| 11 | 12 | ||
| 12 | var $invoiceRadio = $('#invoice-radio'); | 13 | var $invoiceRadio = $('#invoice-radio'); |
| 13 | 14 | ||
| @@ -143,7 +144,7 @@ function setShowInvoiceInfo() { | @@ -143,7 +144,7 @@ function setShowInvoiceInfo() { | ||
| 143 | _h += '电子发票'; | 144 | _h += '电子发票'; |
| 144 | } | 145 | } |
| 145 | 146 | ||
| 146 | - _h += ' ' + invoiceInfo.titleName; | 147 | + _h += ' ' + cleanHtml.htmlEncode(invoiceInfo.titleName); |
| 147 | 148 | ||
| 148 | $dom.removeClass('hide').find('span').html(_h); | 149 | $dom.removeClass('hide').find('span').html(_h); |
| 149 | } | 150 | } |
| @@ -10,6 +10,8 @@ var $tool = $('.tool-wrapper'), | @@ -10,6 +10,8 @@ var $tool = $('.tool-wrapper'), | ||
| 10 | $yohoGroup = $tool.find('.yoho-group'), | 10 | $yohoGroup = $tool.find('.yoho-group'), |
| 11 | $loginBox = $('#loginBox'); | 11 | $loginBox = $('#loginBox'); |
| 12 | 12 | ||
| 13 | +var cleanHtml = require('../../utils/cleanHtml'); | ||
| 14 | + | ||
| 13 | var $head = $('.head-wrapper'), | 15 | var $head = $('.head-wrapper'), |
| 14 | $searchForm = $('#search-form'), | 16 | $searchForm = $('#search-form'), |
| 15 | $searchKey = $searchForm.find('.search-key'), | 17 | $searchKey = $searchForm.find('.search-key'), |
| @@ -283,6 +285,7 @@ function updateLoginInfo(data) { | @@ -283,6 +285,7 @@ function updateLoginInfo(data) { | ||
| 283 | data.vip3 = true; | 285 | data.vip3 = true; |
| 284 | } | 286 | } |
| 285 | 287 | ||
| 288 | + data.profileName = cleanHtml.htmlEncode(data.profileName); | ||
| 286 | $tool.find('.simple-user-center').html(centerFn(data)); | 289 | $tool.find('.simple-user-center').html(centerFn(data)); |
| 287 | } | 290 | } |
| 288 | 291 | ||
| @@ -608,7 +611,7 @@ cartTimer = setInterval(syncCratInfo, 2000); // 定时同步购物车数量 | @@ -608,7 +611,7 @@ cartTimer = setInterval(syncCratInfo, 2000); // 定时同步购物车数量 | ||
| 608 | 611 | ||
| 609 | var info = { | 612 | var info = { |
| 610 | usercenter: '//www.yohobuy.com/home?t=' + new Date().getTime(), | 613 | usercenter: '//www.yohobuy.com/home?t=' + new Date().getTime(), |
| 611 | - nickname: profileName, | 614 | + nickname: cleanHtml.htmlEncode(profileName), |
| 612 | signout: '//www.yohobuy.com/logout.html' | 615 | signout: '//www.yohobuy.com/logout.html' |
| 613 | }; | 616 | }; |
| 614 | 617 |
| 1 | var $ = require('yoho-jquery'); | 1 | var $ = require('yoho-jquery'); |
| 2 | 2 | ||
| 3 | var $apiDom = $('#api-domain'); | 3 | var $apiDom = $('#api-domain'); |
| 4 | +var cleanHtml = require('../../utils/cleanHtml'); | ||
| 4 | 5 | ||
| 5 | require('./common'); | 6 | require('./common'); |
| 6 | 7 | ||
| @@ -57,7 +58,7 @@ function formatUsernName(userName) { | @@ -57,7 +58,7 @@ function formatUsernName(userName) { | ||
| 57 | name += '...'; | 58 | name += '...'; |
| 58 | } | 59 | } |
| 59 | } | 60 | } |
| 60 | - return name; | 61 | + return cleanHtml.htmlEncode(name); |
| 61 | } | 62 | } |
| 62 | 63 | ||
| 63 | /** | 64 | /** |
| @@ -83,5 +83,24 @@ module.exports = { | @@ -83,5 +83,24 @@ module.exports = { | ||
| 83 | } else { | 83 | } else { |
| 84 | return opt.inverse(this); | 84 | return opt.inverse(this); |
| 85 | } | 85 | } |
| 86 | + }, | ||
| 87 | + htmlEncode: function(str) { | ||
| 88 | + const re = /(\r\n)|["\'<>]/g; | ||
| 89 | + | ||
| 90 | + str = str || ''; | ||
| 91 | + return str.replace(re, function(s) { | ||
| 92 | + switch (s) { | ||
| 93 | + case '"': | ||
| 94 | + return '"'; | ||
| 95 | + case '\'': | ||
| 96 | + return '''; | ||
| 97 | + case '<': | ||
| 98 | + return '<'; | ||
| 99 | + case '>': | ||
| 100 | + return '>'; | ||
| 101 | + default: | ||
| 102 | + return s; | ||
| 103 | + } | ||
| 104 | + }); | ||
| 86 | } | 105 | } |
| 87 | }; | 106 | }; |
-
Please register or login to post a comment