xss

王水玲
Commit f4baf750a1193d8de6e5e20121ee4ed8034a59d0 1 parent 40705df8
Showing 23 changed files with 60 additions and 35 deletions
apps/activity/views/action/expand-new/friend-invite.hbs
apps/activity/views/action/expand-new/reward-detail.hbs
apps/activity/views/action/grouth-new/init.hbs
apps/activity/views/action/promotion.hbs
apps/activity/views/action/share-buy/my-rebeat.hbs
apps/activity/views/partial/expand-new/reward-list.hbs
apps/cart/views/action/buynow/order-ensure.hbs
apps/cart/views/action/buynow/select-address.hbs
apps/cart/views/action/order-ensure.hbs
apps/cart/views/action/select-address.hbs
apps/guang/views/action/info/comments.hbs
apps/home/views/action/address/address-modify.hbs
apps/home/views/action/address/index.hbs
apps/home/views/action/family/index.hbs
apps/home/views/action/new-home.hbs
apps/home/views/action/new-qrcode.hbs
apps/home/views/action/personal-details.hbs
apps/home/views/partial/vip-grade/basic-info.hbs
apps/product/views/action/detail/comments.hbs
apps/product/views/partial/detail/feedback-tab.hbs
--- a/apps/activity/views/action/expand-new/friend-invite.hbs
View file @f4baf75
+++ b/apps/activity/views/action/expand-new/friend-invite.hbs
View file @f4baf75
 <div class="friend-invite-page yoho-page">
     {{# friendInviteData}}
     <div class="banner">
-         <span class="title">您的好友{{{nickname}}}<br><b>{{#if payText}}发现了好物并推荐给您{{else}}邀请您来有货玩潮流{{/if}}</b></span>
+         <span class="title">您的好友{{{htmlEncode nickname}}}<br><b>{{#if payText}}发现了好物并推荐给您{{else}}邀请您来有货玩潮流{{/if}}</b></span>
         <span class="ico-left"></span>
         <span class="ico-right"></span>
         {{#if friendsGoods}}
--- a/apps/activity/views/action/expand-new/reward-detail.hbs
View file @f4baf75
+++ b/apps/activity/views/action/expand-new/reward-detail.hbs
View file @f4baf75
@@ -22,7 +22,7 @@
     <div class="reward-related">
         <div class="releated-item">
             <span>我邀请的好友</span>
-             <span>{{{nickName}}}</span>
+             <span>{{{htmlEncode nickName}}}</span>
         </div>
         <div class="releated-item">
             <span>注册时间</span>
--- a/apps/activity/views/action/grouth-new/init.hbs
View file @f4baf75
+++ b/apps/activity/views/action/grouth-new/init.hbs
View file @f4baf75
@@ -9,7 +9,7 @@
             <div class="head-pic">
                 <img src="{{image headIco 200 200}}">
             </div>
-             <div class="nick-name">{{{nickName}}}</div>
+             <div class="nick-name">{{{htmlEncode nickName}}}</div>
         </div>
         <div class="calculate">
             <div class="calculate-item">
--- a/apps/activity/views/action/promotion.hbs
View file @f4baf75
+++ b/apps/activity/views/action/promotion.hbs
View file @f4baf75
@@ -42,7 +42,7 @@
 		{{# shareLog}}
 		<div class="student-item">
 			<div>{{createTime}}</div>
- 			<div>{{{nickName}}}</div>
+ 			<div>{{{htmlEncode nickName}}}</div>
 			<div>
 				<span>+{{reward}}</span>
 				有货币
--- a/apps/activity/views/action/share-buy/my-rebeat.hbs
View file @f4baf75
+++ b/apps/activity/views/action/share-buy/my-rebeat.hbs
View file @f4baf75
@@ -27,7 +27,7 @@
         <li>
             <p class="earnings-info">
                 <span class="num">{{#if cancel}}-{{/if}}{{#if already}}+{{/if}}{{coinNum}}</span>
-                 <span class="user">{{{nickName}}} <i {{#if cancel}}class="cancel"{{/if}}>{{statusStr}}</i></span>
+                 <span class="user">{{{htmlEncode nickName}}} <i {{#if cancel}}class="cancel"{{/if}}>{{statusStr}}</i></span>
 
             </p>
             <p class="order-info">
--- a/apps/activity/views/partial/expand-new/reward-list.hbs
View file @f4baf75
+++ b/apps/activity/views/partial/expand-new/reward-list.hbs
View file @f4baf75
 {{# rewardList}}
     <a href="{{detailUrl}}" class="list-item">
-         <span>{{{nickName}}}</span>
+         <span>{{{htmlEncode nickName}}}</span>
         <span>{{orderAmountDis}}</span>
         <span>{{couponName}}</span>
         <span>{{couponStatusDesc}}<i class="iconfont">&#xe614;</i></span>
--- a/apps/cart/views/action/buynow/order-ensure.hbs
View file @f4baf75
+++ b/apps/cart/views/action/buynow/order-ensure.hbs
View file @f4baf75
@@ -9,9 +9,9 @@
         {{#if addressInfo}}
         <div class="address block address-wrap {{#if @root.pageChannel.boys}} boys{{/if}}{{#if @root.pageChannel.girls}} girls{{/if}}{{#if @root.pageChannel.kids}} kids{{/if}}{{#if @root.pageChannel.lifeStyle}} life-style{{/if}}" data-id ="{{addressId}}">
             <div class="info">
-                 <span class="info-name">{{{name}}}</span>
+                 <span class="info-name">{{{htmlEncode name}}}</span>
                 <span class="info-phone">{{phoneNum}}</span>
-                 <a href="{{selectAddressUrl}}"><span class="info-address">{{{addressInfo}}}</span></a>
+                 <a href="{{selectAddressUrl}}"><span class="info-address">{{{htmlEncode addressInfo}}}</span></a>
                 <i class="iconfont">&#xe637;</i>
             </div>
             <a class="rest" href="{{selectAddressUrl}}">其他地址<span class="iconfont">&#xe614;</span></a>
@@ -177,7 +177,7 @@
         {{#if addressInfo}}
         <div class="address-bottom">
             <div class="back"></div>
-             <span>送至：{{{addressInfo}}}</span>
+             <span>送至：{{{htmlEncode addressInfo}}}</span>
         </div>
         {{/if}}
         <div class="bill">
--- a/apps/cart/views/action/buynow/select-address.hbs
View file @f4baf75
+++ b/apps/cart/views/action/buynow/select-address.hbs
View file @f4baf75
@@ -3,9 +3,9 @@
         {{# address}}
         <input type="hidden" name="_csrf" value="{{@root.csrfToken}}"/>
         <div class="address-item" data-address-id="{{address_id}}" data-is-support="{{is_support}}" data-href="{{../moreUrl}}">
-             <span class="name">{{{consignee}}}</span>
+             <span class="name">{{{htmlEncode consignee}}}</span>
             <span class="tel">{{mobile}}</span>
-             <p class="address-info" data-address="{{area}} {{address}}">{{area}} {{{address}}}</p>
+             <p class="address-info" data-address="{{area}} {{address}}">{{area}} {{{htmlEncode address}}}</p>
             <div class="action iconfont">
                 <span class="edit" data-href="/home/addressAct?id={{address_id}}&refer=buynow&product_sku={{../product_sku}}&buy_number={{../buy_number}}">&#xe61e;</span>
                 <span class="del" data-id="{{address_id}}">&#xe621;</span>
--- a/apps/cart/views/action/order-ensure.hbs
View file @f4baf75
+++ b/apps/cart/views/action/order-ensure.hbs
View file @f4baf75
@@ -9,9 +9,9 @@
         {{#if addressInfo}}
         <div class="address block address-wrap {{#if @root.pageChannel.boys}} boys{{/if}}{{#if @root.pageChannel.girls}} girls{{/if}}{{#if @root.pageChannel.kids}} kids{{/if}}{{#if @root.pageChannel.lifeStyle}} life-style{{/if}}" data-id ="{{addressId}}">
             <div class="info">
-                 <span class="info-name">{{{name}}}</span>
+                 <span class="info-name">{{{htmlEncode name}}}</span>
                 <span class="info-phone">{{phoneNum}}</span>
-                 <a href="/cart/index/new/selectAddress"><span class="info-address">{{{addressInfo}}}</span></a>
+                 <a href="/cart/index/new/selectAddress"><span class="info-address">{{{htmlEncode addressInfo}}}</span></a>
                 <i class="iconfont">&#xe637;</i>
             </div>
             <a class="rest" href="/cart/index/new/selectAddress">其他地址<span class="iconfont">&#xe614;</span></a>
@@ -182,7 +182,7 @@
         {{#if addressInfo}}
         <div class="address-bottom">
             <div class="back"></div>
-             <span>送至：{{{addressInfo}}}</span>
+             <span>送至：{{{htmlEncode addressInfo}}}</span>
         </div>
         {{/if}}
         <div class="bill">
--- a/apps/cart/views/action/select-address.hbs
View file @f4baf75
+++ b/apps/cart/views/action/select-address.hbs
View file @f4baf75
@@ -3,9 +3,9 @@
         {{# address}}
         <input type="hidden" name="_csrf" value="{{@root.csrfToken}}"/>
         <div class="address-item" data-address-id="{{address_id}}" data-is-support="{{is_support}}" data-href="{{../moreUrl}}">
-             <span class="name">{{{consignee}}}</span>
+             <span class="name">{{{htmlEncode consignee}}}</span>
             <span class="tel">{{mobile}}</span>
-             <p class="address-info" data-address="{{area}} {{address}}">{{area}} {{{address}}}</p>
+             <p class="address-info" data-address="{{area}} {{address}}">{{area}} {{{htmlEncode address}}}</p>
             <div class="action iconfont">
                 <span class="edit" data-href="/home/addressAct?id={{address_id}}&refer=shopping">&#xe61e;</span>
                 <span class="del" data-id="{{address_id}}">&#xe621;</span>
--- a/apps/guang/views/action/info/comments.hbs
View file @f4baf75
+++ b/apps/guang/views/action/info/comments.hbs
View file @f4baf75
@@ -6,14 +6,14 @@
     <div class="info-box">
         <div class="info-top">
             <div>
-                 <span class="username">{{username}}</span>
+                 <span class="username">{{{htmlEncode username}}}</span>
                 <span class="info-right"> 
                     <span>{{praiseNum}} 个赞</span>
                 </span>
             </div>
             <div class="time"><span>{{create_time}}</span></div>
         </div>
-         <div class="info-bottom">{{#relayTo}}回复{{username}}：{{/relayTo}}{{content}}</div>
+         <div class="info-bottom">{{#relayTo}}回复{{{htmlEncode username}}}：{{/relayTo}}{{content}}</div>
     </div>
 </div>
 {{/comments}}
\ No newline at end of file
--- a/apps/home/views/action/address/address-modify.hbs
View file @f4baf75
+++ b/apps/home/views/action/address/address-modify.hbs
View file @f4baf75
@@ -2,9 +2,9 @@
     <div class="page-wrap clearfix modifyAdd" data-rel="{{relation}}" data-order-code="{{orderCode}}">
         {{# address}}
         <div class="address-item" data-address-id="{{addressId}}" >
-             <span class="name">{{{consignee}}}</span>
+             <span class="name">{{{htmlEncode consignee}}}</span>
             <span class="tel">{{mobile}}</span>
-             <p class="address-info">{{area}} {{{address}}}</p>
+             <p class="address-info">{{area}} {{{htmlEncode address}}}</p>
         </div>
         {{/ address}}
 
--- a/apps/home/views/action/address/index.hbs
View file @f4baf75
+++ b/apps/home/views/action/address/index.hbs
View file @f4baf75
@@ -3,9 +3,9 @@
         {{# address}}
             <input type="hidden" name="_csrf" value="{{@root.csrfToken}}"/>
             <div class="address-item">
-                 <span class="name">{{{consignee}}}</span>
+                 <span class="name">{{{htmlEncode consignee}}}</span>
                 <span class="tel">{{mobile}}</span>
-                 <p class="address-info">{{area}} {{{address}}}</p>
+                 <p class="address-info">{{area}} {{{htmlEncode address}}}</p>
                 <div class="action iconfont">
                     <a class="edit" href="/home/addressAct?id={{addressId}}">&#xe61e;</a>
                     <span class="del" data-id="{{addressId}}">&#xe621;</span>
--- a/apps/home/views/action/family/index.hbs
View file @f4baf75
+++ b/apps/home/views/action/family/index.hbs
View file @f4baf75
@@ -8,7 +8,7 @@
         <div class="person-detail">
             <a href='{{userInfoLink}}' class="user-avatar" data-avatar="{{image head_ico 80 80}}"></a>
             <div class="basic-info">
-                 <span class="user-name">{{{nickname}}}</span>
+                 <span class="user-name">{{{htmlEncode nickname}}}</span>
                 <span class="gender {{#isEqualOr gender 1}}boy{{/isEqualOr}}{{#isEqualOr gender 2}}girl{{/isEqualOr}}"></span>
             </div>
             <div class="info">
--- a/apps/home/views/action/new-home.hbs
View file @f4baf75
+++ b/apps/home/views/action/new-home.hbs
View file @f4baf75
@@ -8,7 +8,7 @@
                     <div class="level level-{{vip_info/cur_level}}"></div>
                 </div>
                 <div class="right">
-                     <div class="name eps">{{{nickname}}}</div>
+                     <div class="name eps">{{{htmlEncode nickname}}}</div>
                     <div class="trend-code-c">
                         <div class="dot">#&nbsp;</div>
                         <div class="scroll-c go-scroll">
--- a/apps/home/views/action/new-qrcode.hbs
View file @f4baf75
+++ b/apps/home/views/action/new-qrcode.hbs
View file @f4baf75
@@ -6,7 +6,7 @@
                 <div class="level level-{{vip_info/cur_level}}"></div>
             </div>
             <div class="user-info">
-                 <div class="name eps">{{{nickname}}}</div>
+                 <div class="name eps">{{{htmlEncode nickname}}}</div>
                 <div class="passcode">
                     {{#if trendWord}}
                     <div class="dot">#&nbsp;</div>
--- a/apps/home/views/action/personal-details.hbs
View file @f4baf75
+++ b/apps/home/views/action/personal-details.hbs
View file @f4baf75
 <div class="personal-details yoho-page">
     <ul>
         <li><span>头像</span><span><i class="head-portrait user-avatar" data-avatar="{{image head_ico 128 128}}"></i></span></li>
-         <li><span>昵称</span><span>{{{ nickname }}}</span></li>
+         <li><span>昵称</span><span>{{{htmlEncode nickname }}}</span></li>
         <li><span>性别</span><span>{{ gender }}</span></li>
         <li><span>生日</span><span>{{ birthday }}</span></li>
     </ul>
--- a/apps/home/views/partial/vip-grade/basic-info.hbs
View file @f4baf75
+++ b/apps/home/views/partial/vip-grade/basic-info.hbs
View file @f4baf75
 {{#if vip3}}
     <p>
-         <span class="user-name">{{{name}}}</span>
+         <span class="user-name">{{{htmlEncode name}}}</span>
         <span class="vip-icon vip-3"></span>
     </p>
     <p class="grade-desc">
@@ -20,7 +20,7 @@
 
 {{#if vip2}}
     <p>
-         <span class="user-name">{{{name}}}</span>
+         <span class="user-name">{{{htmlEncode name}}}</span>
         <span class="vip-icon vip-2"></span>
     </p>
     <p class="grade-desc">
@@ -43,7 +43,7 @@
 
 {{#if vip1}}
     <p>
-         <span class="user-name">{{{name}}}</span>
+         <span class="user-name">{{{htmlEncode name}}}</span>
         <span class="vip-icon vip-1"></span>
     </p>
     <p class="grade-desc">
@@ -66,7 +66,7 @@
 
 {{#if vip0}}
     <p>
-         <span class="user-name">{{{name}}}</span>
+         <span class="user-name">{{{htmlEncode name}}}</span>
         <span>普通会员</span>
     </p>
     <p class="grade-desc">
--- a/apps/product/views/action/detail/comments.hbs
View file @f4baf75
+++ b/apps/product/views/action/detail/comments.hbs
View file @f4baf75
@@ -3,7 +3,7 @@
         {{# comments}}
             <div class="comment-item clearfix">
                 <div class="user-info clearfix">
-                     <span class="user-name">{{{userName}}}</span>
+                     <span class="user-name">{{{htmlEncode userName}}}</span>
                     <span class="goods-spec">
                     购买了<b>{{color}}</b>
                     </span>
--- a/apps/product/views/partial/detail/feedback-tab.hbs
View file @f4baf75
+++ b/apps/product/views/partial/detail/feedback-tab.hbs
View file @f4baf75
@@ -12,7 +12,7 @@
             <div class="comment-content-main content-main clearfix">
                 {{# comments}}
                     <span class="user-name">
-                         {{{userName}}}
+                         {{{htmlEncode userName}}}
                     </span>
                     <p class="goods-spec">
                         购买了{{desc}}
--- a/public/js/common.js
View file @f4baf75
+++ b/public/js/common.js
View file @f4baf75
@@ -10,6 +10,8 @@ let $footer = $('#yoho-footer'),
     $yohoPage = $('.yoho-page'),
     $header = $('.yoho-header');
 
+ let cleanHtml = require('../../utils/cleanHtml');
+ 
 // 为您优选-40位随机数指纹请求id
 let RECID = (new Date().getTime() + '_H5_YOHOBUY_' + Math.floor(Math.random() * 1000000 + 1000000) +
     '_' + Math.floor(Math.random() * 1000000 + 1000000));
@@ -216,7 +218,7 @@ $.extend({
         // 已登录
         $op.prepend(
             '<span>Hi,</span>' +
-             '<a class="user-name" href="/home?tmp=' + Math.random() + '">' + user[0] + '</a>' +
+             '<a class="user-name" href="/home?tmp=' + Math.random() + '">' + cleanHtml.htmlEncode(user[0]) + '</a>' +
             '<span class="sep-line">|</span>' +
             '<a href="/passport/signout/index">退出</a>'
         );
--- a/utils/cleanHtml.js
View file @f4baf75
+++ b/utils/cleanHtml.js
View file @f4baf75
@@ -10,7 +10,7 @@ const htmlEntity = {
 };
 
 exports.htmlDecode = function(txt) {
-     txt = txt || '';
+     txt = txt + '' || '';
     return txt.replace(/((&(([a-z][a-z0-9]*)|(#[0-9]+)|(#x[0-9a-f]+));)|["'<>&])/gi, function(s) {
         s = s || '';
         const s1 = htmlEntity[s.toLowerCase()];
@@ -24,7 +24,7 @@ exports.htmlDecode = function(txt) {
 };
 
 exports.htmlEncode = function(str) {
-     str = str || '';
+     str = str + '' || '';
     return str.replace(re, function(s) {
         switch (s) {
             case '"':
--- a/utils/helpers.js
View file @f4baf75
+++ b/utils/helpers.js
View file @f4baf75
@@ -288,5 +288,28 @@ module.exports = {
             });
         }
         return contentData;
+     },
+ 
+     /**
+      * 特殊符号转译
+      */
+     htmlEncode: function(str) {
+         const re = /(\r\n)|["\'<>]/g;
+ 
+         str = str + '' || '';
+         return str.replace(re, function(s) {
+             switch (s) {
+                 case '"':
+                     return '&quot;';
+                 case '\'':
+                     return '&apos;';
+                 case '<':
+                     return '&lt;';
+                 case '>':
+                     return '&gt;';
+                 default:
+                     return s;
+             }
+         });
     }
 };