Authored by 郝肖肖

'news-xss'

@@ -150,3 +150,4 @@ library @@ -150,3 +150,4 @@ library
150 ### foreman ### 150 ### foreman ###
151 Procfile 151 Procfile
152 .env 152 .env
  153 +.package-lock
@@ -14,6 +14,10 @@ exports.index = (req, res, next) => { @@ -14,6 +14,10 @@ exports.index = (req, res, next) => {
14 let channel = req.yoho.channel; 14 let channel = req.yoho.channel;
15 15
16 req.ctx(newsService).getIndexList(channel, req.query).then(result => { 16 req.ctx(newsService).getIndexList(channel, req.query).then(result => {
  17 + if (result.msgs.length <= 0) {
  18 + res.set('Cache-Control', 'no-cache');
  19 + }
  20 +
17 return res.render('news-index', Object.assign({ 21 return res.render('news-index', Object.assign({
18 title: '新闻 | ' + (res.locals.title || ''), 22 title: '新闻 | ' + (res.locals.title || ''),
19 module: 'news', 23 module: 'news',
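Review bot: `result.msgs.length <= 0` on new line 17 throws a TypeError whenever the service result has no `msgs` property at all, and inside the `.then` callback that becomes a rejected promise rather than a rendered page; guard the property first: `if (!result.msgs || result.msgs.length === 0) {`. Writing the comparison as `=== 0` also reads as the intended empty check instead of a range test on a length. The `.then` callback and whatever `.catch` follows it continue outside the hunk, so I cannot see whether such a rejection is handled.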
@@ -4,7 +4,9 @@ const _ = require('lodash'); @@ -4,7 +4,9 @@ const _ = require('lodash');
4 const helpers = global.yoho.helpers; 4 const helpers = global.yoho.helpers;
5 const headerModel = require('../../../doraemon/models/header'); 5 const headerModel = require('../../../doraemon/models/header');
6 const NewsAPi = require('./news-api'); 6 const NewsAPi = require('./news-api');
  7 +const utils = require('./utils');
7 const moment = require('moment'); 8 const moment = require('moment');
  9 +const xss = require('xss');
8 const searchHandler = require('../../product/models/search-handler'); 10 const searchHandler = require('../../product/models/search-handler');
9 11
10 console.log(global.utils); 12 console.log(global.utils);
@@ -121,6 +123,7 @@ module.exports = class extends global.yoho.BaseModel { @@ -121,6 +123,7 @@ module.exports = class extends global.yoho.BaseModel {
121 let newsAPi = new NewsAPi(this.ctx); 123 let newsAPi = new NewsAPi(this.ctx);
122 let params = { 124 let params = {
123 type: 'wechat', 125 type: 'wechat',
  126 + atype: param.atype || 'yohogroup',
124 limit: 20, 127 limit: 20,
125 page: param.page || 1 128 page: param.page || 1
126 }; 129 };
@@ -132,7 +135,7 @@ module.exports = class extends global.yoho.BaseModel { @@ -132,7 +135,7 @@ module.exports = class extends global.yoho.BaseModel {
132 content_code: ADS_CODE[channel] || ADS_CODE.boys, 135 content_code: ADS_CODE[channel] || ADS_CODE.boys,
133 isAdDegrade: _.get(this.ctx, 'req.app.locals.pc.guang.removeAd', false) 136 isAdDegrade: _.get(this.ctx, 'req.app.locals.pc.guang.removeAd', false)
134 }), 137 }),
135 - newsAPi.getPolymerizationList(params), 138 + newsAPi.getPolymerizationList(Object.assign({}, params, {id: param.atype || 'yohogroup'})),
136 ]; 139 ];
137 140
138 return Promise.all(apiMethod).then(result => { 141 return Promise.all(apiMethod).then(result => {
@@ -163,8 +166,13 @@ module.exports = class extends global.yoho.BaseModel { @@ -163,8 +166,13 @@ module.exports = class extends global.yoho.BaseModel {
163 title: contents.title, 166 title: contents.title,
164 time: contents.update_time && moment(contents.update_time * 1000).format('YYYY年MM月DD HH:mm'), 167 time: contents.update_time && moment(contents.update_time * 1000).format('YYYY年MM月DD HH:mm'),
165 }; 168 };
  169 + let content = utils.filterPhtml(contents.content, [
  170 + '阅读原文',
  171 + '点击这里',
  172 + '点这里'
  173 + ]);
166 174
167 - return {header: header, content: contents.content}; 175 + return {header: header, content: xss(utils.filterAhtml(content))};
168 } 176 }
169 177
170 detail(channel, param) { 178 detail(channel, param) {
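Review bot: On new line 175 `xss()` runs after `utils.filterAhtml()`, and as far as I recall js-xss's default `safeAttrValue` rewrites an `href` whose scheme is not http/https/mailto/tel (or a `#`/`/`-relative path) to an empty value and drops `style` from `<a>`, so the `javascript:void(0);` neutralisation and the `cursor: text` style that `filterAhtml` sets are probably undone, leaving `href=""` links that navigate to the current page — worth verifying against the `xss` version pinned in package.json. Having `filterAhtml` remove the attribute instead of assigning a `javascript:` URL would survive the sanitiser either way, and keeping `xss` as the final step on the untrusted markup is the right ordering to preserve. Separately, `id: param.atype || 'yohogroup'` on new line 138 repeats the default already computed into `params.atype` on line 126; `const atype = param.atype || 'yohogroup';` computed once keeps the two from drifting apart. The enclosing method starts outside the hunk.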
  1 +'use strict';
  2 +const _ = require('lodash');
  3 +const cheerio = require('cheerio');
  4 +
  5 +const util = {
  6 + // 过滤指定字符的p标签
  7 + filterPhtml: (html, filters) => {
  8 + if (!html) {
  9 + return html;
  10 + }
  11 +
  12 + let $ = cheerio.load(html, {decodeEntities: false});
  13 +
  14 + _.each($('p'), (item) => {
  15 + let ele = $(item);
  16 + let phtml = ele.html();
  17 +
  18 + _.each(filters, ft => {
  19 + if (phtml.indexOf(ft) >= 0) {
  20 + ele.remove();
  21 + }
  22 + });
  23 +
  24 + });
  25 +
  26 + return $.html();
  27 + },
  28 +
  29 + // 过滤 a标签连接
  30 + filterAhtml: (html) => {
  31 + if (!html) {
  32 + return html;
  33 + }
  34 +
  35 + let $ = cheerio.load(html, {decodeEntities: false});
  36 +
  37 + $('a').attr('href', 'javascript:void(0);').css({cursor: 'text'});
  38 +
  39 + return $.html();
  40 + }
  41 +};
  42 +
  43 +module.exports = util;
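Review bot: `filterAhtml` (new line 37) neutralises links by writing `href="javascript:void(0);"`, which is itself a `javascript:` URL — a Content-Security-Policy without `'unsafe-inline'` blocks it and any sanitiser applied afterwards is entitled to strip it; removing the attribute is simpler and survives sanitisation: `$('a').removeAttr('href').css({cursor: 'text'});`. In `filterPhtml` the inner `_.each` calls `ele.remove()` once per matching filter after the first match; `if (_.some(filters, ft => phtml.includes(ft))) { ele.remove(); }` states the intent directly and does the removal once. Both functions return `$.html()` of a document produced by `cheerio.load`, which depending on the cheerio version may wrap the fragment in `<html><head></head><body>`, so it is worth confirming the serialized output is the bare fragment the template expects. A one-line JSDoc on each function describing that `filters` is an array of substrings and that `html` is returned unchanged when falsy would help the caller in the model.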
@@ -54,6 +54,7 @@ @@ -54,6 +54,7 @@
54 "sitemap": "^1.12.1", 54 "sitemap": "^1.12.1",
55 "urlencode": "^1.1.0", 55 "urlencode": "^1.1.0",
56 "uuid": "^2.0.2", 56 "uuid": "^2.0.2",
  57 + "xss": "^0.3.4",
57 "yoho-express-session": "^2.0.0", 58 "yoho-express-session": "^2.0.0",
58 "yoho-node-lib": "=0.5.4", 59 "yoho-node-lib": "=0.5.4",
59 "yoho-zookeeper": "^1.0.8" 60 "yoho-zookeeper": "^1.0.8"
@@ -53,7 +53,7 @@ @@ -53,7 +53,7 @@
53 53
54 .detail-title { 54 .detail-title {
55 font-size: 28px; 55 font-size: 28px;
56 - line-height: 45px; 56 + line-height: 50px;
57 border-bottom: 1px dotted #c1c1c1; 57 border-bottom: 1px dotted #c1c1c1;
58 word-wrap: break-word; 58 word-wrap: break-word;
59 } 59 }