Authored by 王水玲

xss

1 <div class="friend-invite-page yoho-page"> 1 <div class="friend-invite-page yoho-page">
2 {{# friendInviteData}} 2 {{# friendInviteData}}
3 <div class="banner"> 3 <div class="banner">
4 - <span class="title">您的好友{{{nickname}}}<br><b>{{#if payText}}发现了好物并推荐给您{{else}}邀请您来有货玩潮流{{/if}}</b></span> 4 + <span class="title">您的好友{{{htmlEncode nickname}}}<br><b>{{#if payText}}发现了好物并推荐给您{{else}}邀请您来有货玩潮流{{/if}}</b></span>
5 <span class="ico-left"></span> 5 <span class="ico-left"></span>
6 <span class="ico-right"></span> 6 <span class="ico-right"></span>
7 {{#if friendsGoods}} 7 {{#if friendsGoods}}
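Review bot: The triple-stash plus helper form `{{{htmlEncode nickname}}}` on line 4 of this section re-implements what Handlebars' default double-stash `{{nickname}}` already does, and as the helper is written later in this commit it encodes fewer characters (no `&`, no backtick or `=`) than the built-in escaper. Unless upstream values are known to already contain HTML entities that must survive, `{{nickname}}` is the simpler and stronger choice; the same applies to every other template hunk in this commit that switches to `{{{htmlEncode …}}}`. If pre-encoded input is the reason for the helper, a comment on the helper saying so (`// input may already hold entities; & is left as-is on purpose`) would make that design choice visible to the next reviewer.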
@@ -22,7 +22,7 @@ @@ -22,7 +22,7 @@
22 <div class="reward-related"> 22 <div class="reward-related">
23 <div class="releated-item"> 23 <div class="releated-item">
24 <span>我邀请的好友</span> 24 <span>我邀请的好友</span>
25 - <span>{{{nickName}}}</span> 25 + <span>{{{htmlEncode nickName}}}</span>
26 </div> 26 </div>
27 <div class="releated-item"> 27 <div class="releated-item">
28 <span>注册时间</span> 28 <span>注册时间</span>
@@ -9,7 +9,7 @@ @@ -9,7 +9,7 @@
9 <div class="head-pic"> 9 <div class="head-pic">
10 <img src="{{image headIco 200 200}}"> 10 <img src="{{image headIco 200 200}}">
11 </div> 11 </div>
12 - <div class="nick-name">{{{nickName}}}</div> 12 + <div class="nick-name">{{{htmlEncode nickName}}}</div>
13 </div> 13 </div>
14 <div class="calculate"> 14 <div class="calculate">
15 <div class="calculate-item"> 15 <div class="calculate-item">
@@ -42,7 +42,7 @@ @@ -42,7 +42,7 @@
42 {{# shareLog}} 42 {{# shareLog}}
43 <div class="student-item"> 43 <div class="student-item">
44 <div>{{createTime}}</div> 44 <div>{{createTime}}</div>
45 - <div>{{{nickName}}}</div> 45 + <div>{{{htmlEncode nickName}}}</div>
46 <div> 46 <div>
47 <span>+{{reward}}</span> 47 <span>+{{reward}}</span>
48 有货币 48 有货币
@@ -27,7 +27,7 @@ @@ -27,7 +27,7 @@
27 <li> 27 <li>
28 <p class="earnings-info"> 28 <p class="earnings-info">
29 <span class="num">{{#if cancel}}-{{/if}}{{#if already}}+{{/if}}{{coinNum}}</span> 29 <span class="num">{{#if cancel}}-{{/if}}{{#if already}}+{{/if}}{{coinNum}}</span>
30 - <span class="user">{{{nickName}}} <i {{#if cancel}}class="cancel"{{/if}}>{{statusStr}}</i></span> 30 + <span class="user">{{{htmlEncode nickName}}} <i {{#if cancel}}class="cancel"{{/if}}>{{statusStr}}</i></span>
31 31
32 </p> 32 </p>
33 <p class="order-info"> 33 <p class="order-info">
1 {{# rewardList}} 1 {{# rewardList}}
2 <a href="{{detailUrl}}" class="list-item"> 2 <a href="{{detailUrl}}" class="list-item">
3 - <span>{{{nickName}}}</span> 3 + <span>{{{htmlEncode nickName}}}</span>
4 <span>{{orderAmountDis}}</span> 4 <span>{{orderAmountDis}}</span>
5 <span>{{couponName}}</span> 5 <span>{{couponName}}</span>
6 <span>{{couponStatusDesc}}<i class="iconfont">&#xe614;</i></span> 6 <span>{{couponStatusDesc}}<i class="iconfont">&#xe614;</i></span>
@@ -9,9 +9,9 @@ @@ -9,9 +9,9 @@
9 {{#if addressInfo}} 9 {{#if addressInfo}}
10 <div class="address block address-wrap {{#if @root.pageChannel.boys}} boys{{/if}}{{#if @root.pageChannel.girls}} girls{{/if}}{{#if @root.pageChannel.kids}} kids{{/if}}{{#if @root.pageChannel.lifeStyle}} life-style{{/if}}" data-id ="{{addressId}}"> 10 <div class="address block address-wrap {{#if @root.pageChannel.boys}} boys{{/if}}{{#if @root.pageChannel.girls}} girls{{/if}}{{#if @root.pageChannel.kids}} kids{{/if}}{{#if @root.pageChannel.lifeStyle}} life-style{{/if}}" data-id ="{{addressId}}">
11 <div class="info"> 11 <div class="info">
12 - <span class="info-name">{{{name}}}</span> 12 + <span class="info-name">{{{htmlEncode name}}}</span>
13 <span class="info-phone">{{phoneNum}}</span> 13 <span class="info-phone">{{phoneNum}}</span>
14 - <a href="{{selectAddressUrl}}"><span class="info-address">{{{addressInfo}}}</span></a> 14 + <a href="{{selectAddressUrl}}"><span class="info-address">{{{htmlEncode addressInfo}}}</span></a>
15 <i class="iconfont">&#xe637;</i> 15 <i class="iconfont">&#xe637;</i>
16 </div> 16 </div>
17 <a class="rest" href="{{selectAddressUrl}}">其他地址<span class="iconfont">&#xe614;</span></a> 17 <a class="rest" href="{{selectAddressUrl}}">其他地址<span class="iconfont">&#xe614;</span></a>
@@ -177,7 +177,7 @@ @@ -177,7 +177,7 @@
177 {{#if addressInfo}} 177 {{#if addressInfo}}
178 <div class="address-bottom"> 178 <div class="address-bottom">
179 <div class="back"></div> 179 <div class="back"></div>
180 - <span>送至:{{{addressInfo}}}</span> 180 + <span>送至:{{{htmlEncode addressInfo}}}</span>
181 </div> 181 </div>
182 {{/if}} 182 {{/if}}
183 <div class="bill"> 183 <div class="bill">
@@ -3,9 +3,9 @@ @@ -3,9 +3,9 @@
3 {{# address}} 3 {{# address}}
4 <input type="hidden" name="_csrf" value="{{@root.csrfToken}}"/> 4 <input type="hidden" name="_csrf" value="{{@root.csrfToken}}"/>
5 <div class="address-item" data-address-id="{{address_id}}" data-is-support="{{is_support}}" data-href="{{../moreUrl}}"> 5 <div class="address-item" data-address-id="{{address_id}}" data-is-support="{{is_support}}" data-href="{{../moreUrl}}">
6 - <span class="name">{{{consignee}}}</span> 6 + <span class="name">{{{htmlEncode consignee}}}</span>
7 <span class="tel">{{mobile}}</span> 7 <span class="tel">{{mobile}}</span>
8 - <p class="address-info" data-address="{{area}} {{address}}">{{area}} {{{address}}}</p> 8 + <p class="address-info" data-address="{{area}} {{address}}">{{area}} {{{htmlEncode address}}}</p>
9 <div class="action iconfont"> 9 <div class="action iconfont">
10 <span class="edit" data-href="/home/addressAct?id={{address_id}}&refer=buynow&product_sku={{../product_sku}}&buy_number={{../buy_number}}">&#xe61e;</span> 10 <span class="edit" data-href="/home/addressAct?id={{address_id}}&refer=buynow&product_sku={{../product_sku}}&buy_number={{../buy_number}}">&#xe61e;</span>
11 <span class="del" data-id="{{address_id}}">&#xe621;</span> 11 <span class="del" data-id="{{address_id}}">&#xe621;</span>
@@ -9,9 +9,9 @@ @@ -9,9 +9,9 @@
9 {{#if addressInfo}} 9 {{#if addressInfo}}
10 <div class="address block address-wrap {{#if @root.pageChannel.boys}} boys{{/if}}{{#if @root.pageChannel.girls}} girls{{/if}}{{#if @root.pageChannel.kids}} kids{{/if}}{{#if @root.pageChannel.lifeStyle}} life-style{{/if}}" data-id ="{{addressId}}"> 10 <div class="address block address-wrap {{#if @root.pageChannel.boys}} boys{{/if}}{{#if @root.pageChannel.girls}} girls{{/if}}{{#if @root.pageChannel.kids}} kids{{/if}}{{#if @root.pageChannel.lifeStyle}} life-style{{/if}}" data-id ="{{addressId}}">
11 <div class="info"> 11 <div class="info">
12 - <span class="info-name">{{{name}}}</span> 12 + <span class="info-name">{{{htmlEncode name}}}</span>
13 <span class="info-phone">{{phoneNum}}</span> 13 <span class="info-phone">{{phoneNum}}</span>
14 - <a href="/cart/index/new/selectAddress"><span class="info-address">{{{addressInfo}}}</span></a> 14 + <a href="/cart/index/new/selectAddress"><span class="info-address">{{{htmlEncode addressInfo}}}</span></a>
15 <i class="iconfont">&#xe637;</i> 15 <i class="iconfont">&#xe637;</i>
16 </div> 16 </div>
17 <a class="rest" href="/cart/index/new/selectAddress">其他地址<span class="iconfont">&#xe614;</span></a> 17 <a class="rest" href="/cart/index/new/selectAddress">其他地址<span class="iconfont">&#xe614;</span></a>
@@ -182,7 +182,7 @@ @@ -182,7 +182,7 @@
182 {{#if addressInfo}} 182 {{#if addressInfo}}
183 <div class="address-bottom"> 183 <div class="address-bottom">
184 <div class="back"></div> 184 <div class="back"></div>
185 - <span>送至:{{{addressInfo}}}</span> 185 + <span>送至:{{{htmlEncode addressInfo}}}</span>
186 </div> 186 </div>
187 {{/if}} 187 {{/if}}
188 <div class="bill"> 188 <div class="bill">
@@ -3,9 +3,9 @@ @@ -3,9 +3,9 @@
3 {{# address}} 3 {{# address}}
4 <input type="hidden" name="_csrf" value="{{@root.csrfToken}}"/> 4 <input type="hidden" name="_csrf" value="{{@root.csrfToken}}"/>
5 <div class="address-item" data-address-id="{{address_id}}" data-is-support="{{is_support}}" data-href="{{../moreUrl}}"> 5 <div class="address-item" data-address-id="{{address_id}}" data-is-support="{{is_support}}" data-href="{{../moreUrl}}">
6 - <span class="name">{{{consignee}}}</span> 6 + <span class="name">{{{htmlEncode consignee}}}</span>
7 <span class="tel">{{mobile}}</span> 7 <span class="tel">{{mobile}}</span>
8 - <p class="address-info" data-address="{{area}} {{address}}">{{area}} {{{address}}}</p> 8 + <p class="address-info" data-address="{{area}} {{address}}">{{area}} {{{htmlEncode address}}}</p>
9 <div class="action iconfont"> 9 <div class="action iconfont">
10 <span class="edit" data-href="/home/addressAct?id={{address_id}}&refer=shopping">&#xe61e;</span> 10 <span class="edit" data-href="/home/addressAct?id={{address_id}}&refer=shopping">&#xe61e;</span>
11 <span class="del" data-id="{{address_id}}">&#xe621;</span> 11 <span class="del" data-id="{{address_id}}">&#xe621;</span>
@@ -6,14 +6,14 @@ @@ -6,14 +6,14 @@
6 <div class="info-box"> 6 <div class="info-box">
7 <div class="info-top"> 7 <div class="info-top">
8 <div> 8 <div>
9 - <span class="username">{{username}}</span> 9 + <span class="username">{{{htmlEncode username}}}</span>
10 <span class="info-right"> 10 <span class="info-right">
11 <span>{{praiseNum}} 个赞</span> 11 <span>{{praiseNum}} 个赞</span>
12 </span> 12 </span>
13 </div> 13 </div>
14 <div class="time"><span>{{create_time}}</span></div> 14 <div class="time"><span>{{create_time}}</span></div>
15 </div> 15 </div>
16 - <div class="info-bottom">{{#relayTo}}回复{{username}}{{/relayTo}}{{content}}</div> 16 + <div class="info-bottom">{{#relayTo}}回复{{{htmlEncode username}}}{{/relayTo}}{{content}}</div>
17 </div> 17 </div>
18 </div> 18 </div>
19 {{/comments}} 19 {{/comments}}
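Review bot: Lines 9 and 16 of this hunk replace `{{username}}`, which Handlebars already HTML-escapes, with `{{{htmlEncode username}}}`; since the `htmlEncode` added in this commit does not touch `&`, that is a narrower escape than the one being removed, not a wider one. `{{content}}` on line 16 is left double-stash, so the same element now mixes two escaping paths for adjacent user-controlled values. I would keep `{{username}}` on both lines, or at least document in the template why the helper is preferred here.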
@@ -2,9 +2,9 @@ @@ -2,9 +2,9 @@
2 <div class="page-wrap clearfix modifyAdd" data-rel="{{relation}}" data-order-code="{{orderCode}}"> 2 <div class="page-wrap clearfix modifyAdd" data-rel="{{relation}}" data-order-code="{{orderCode}}">
3 {{# address}} 3 {{# address}}
4 <div class="address-item" data-address-id="{{addressId}}" > 4 <div class="address-item" data-address-id="{{addressId}}" >
5 - <span class="name">{{{consignee}}}</span> 5 + <span class="name">{{{htmlEncode consignee}}}</span>
6 <span class="tel">{{mobile}}</span> 6 <span class="tel">{{mobile}}</span>
7 - <p class="address-info">{{area}} {{{address}}}</p> 7 + <p class="address-info">{{area}} {{{htmlEncode address}}}</p>
8 </div> 8 </div>
9 {{/ address}} 9 {{/ address}}
10 10
@@ -3,9 +3,9 @@ @@ -3,9 +3,9 @@
3 {{# address}} 3 {{# address}}
4 <input type="hidden" name="_csrf" value="{{@root.csrfToken}}"/> 4 <input type="hidden" name="_csrf" value="{{@root.csrfToken}}"/>
5 <div class="address-item"> 5 <div class="address-item">
6 - <span class="name">{{{consignee}}}</span> 6 + <span class="name">{{{htmlEncode consignee}}}</span>
7 <span class="tel">{{mobile}}</span> 7 <span class="tel">{{mobile}}</span>
8 - <p class="address-info">{{area}} {{{address}}}</p> 8 + <p class="address-info">{{area}} {{{htmlEncode address}}}</p>
9 <div class="action iconfont"> 9 <div class="action iconfont">
10 <a class="edit" href="/home/addressAct?id={{addressId}}">&#xe61e;</a> 10 <a class="edit" href="/home/addressAct?id={{addressId}}">&#xe61e;</a>
11 <span class="del" data-id="{{addressId}}">&#xe621;</span> 11 <span class="del" data-id="{{addressId}}">&#xe621;</span>
@@ -8,7 +8,7 @@ @@ -8,7 +8,7 @@
8 <div class="person-detail"> 8 <div class="person-detail">
9 <a href='{{userInfoLink}}' class="user-avatar" data-avatar="{{image head_ico 80 80}}"></a> 9 <a href='{{userInfoLink}}' class="user-avatar" data-avatar="{{image head_ico 80 80}}"></a>
10 <div class="basic-info"> 10 <div class="basic-info">
11 - <span class="user-name">{{{nickname}}}</span> 11 + <span class="user-name">{{{htmlEncode nickname}}}</span>
12 <span class="gender {{#isEqualOr gender 1}}boy{{/isEqualOr}}{{#isEqualOr gender 2}}girl{{/isEqualOr}}"></span> 12 <span class="gender {{#isEqualOr gender 1}}boy{{/isEqualOr}}{{#isEqualOr gender 2}}girl{{/isEqualOr}}"></span>
13 </div> 13 </div>
14 <div class="info"> 14 <div class="info">
@@ -8,7 +8,7 @@ @@ -8,7 +8,7 @@
8 <div class="level level-{{vip_info/cur_level}}"></div> 8 <div class="level level-{{vip_info/cur_level}}"></div>
9 </div> 9 </div>
10 <div class="right"> 10 <div class="right">
11 - <div class="name eps">{{{nickname}}}</div> 11 + <div class="name eps">{{{htmlEncode nickname}}}</div>
12 <div class="trend-code-c"> 12 <div class="trend-code-c">
13 <div class="dot">#&nbsp;</div> 13 <div class="dot">#&nbsp;</div>
14 <div class="scroll-c go-scroll"> 14 <div class="scroll-c go-scroll">
@@ -6,7 +6,7 @@ @@ -6,7 +6,7 @@
6 <div class="level level-{{vip_info/cur_level}}"></div> 6 <div class="level level-{{vip_info/cur_level}}"></div>
7 </div> 7 </div>
8 <div class="user-info"> 8 <div class="user-info">
9 - <div class="name eps">{{{nickname}}}</div> 9 + <div class="name eps">{{{htmlEncode nickname}}}</div>
10 <div class="passcode"> 10 <div class="passcode">
11 {{#if trendWord}} 11 {{#if trendWord}}
12 <div class="dot">#&nbsp;</div> 12 <div class="dot">#&nbsp;</div>
1 <div class="personal-details yoho-page"> 1 <div class="personal-details yoho-page">
2 <ul> 2 <ul>
3 <li><span>头像</span><span><i class="head-portrait user-avatar" data-avatar="{{image head_ico 128 128}}"></i></span></li> 3 <li><span>头像</span><span><i class="head-portrait user-avatar" data-avatar="{{image head_ico 128 128}}"></i></span></li>
4 - <li><span>昵称</span><span>{{{ nickname }}}</span></li> 4 + <li><span>昵称</span><span>{{{htmlEncode nickname }}}</span></li>
5 <li><span>性别</span><span>{{ gender }}</span></li> 5 <li><span>性别</span><span>{{ gender }}</span></li>
6 <li><span>生日</span><span>{{ birthday }}</span></li> 6 <li><span>生日</span><span>{{ birthday }}</span></li>
7 </ul> 7 </ul>
1 {{#if vip3}} 1 {{#if vip3}}
2 <p> 2 <p>
3 - <span class="user-name">{{{name}}}</span> 3 + <span class="user-name">{{{htmlEncode name}}}</span>
4 <span class="vip-icon vip-3"></span> 4 <span class="vip-icon vip-3"></span>
5 </p> 5 </p>
6 <p class="grade-desc"> 6 <p class="grade-desc">
@@ -20,7 +20,7 @@ @@ -20,7 +20,7 @@
20 20
21 {{#if vip2}} 21 {{#if vip2}}
22 <p> 22 <p>
23 - <span class="user-name">{{{name}}}</span> 23 + <span class="user-name">{{{htmlEncode name}}}</span>
24 <span class="vip-icon vip-2"></span> 24 <span class="vip-icon vip-2"></span>
25 </p> 25 </p>
26 <p class="grade-desc"> 26 <p class="grade-desc">
@@ -43,7 +43,7 @@ @@ -43,7 +43,7 @@
43 43
44 {{#if vip1}} 44 {{#if vip1}}
45 <p> 45 <p>
46 - <span class="user-name">{{{name}}}</span> 46 + <span class="user-name">{{{htmlEncode name}}}</span>
47 <span class="vip-icon vip-1"></span> 47 <span class="vip-icon vip-1"></span>
48 </p> 48 </p>
49 <p class="grade-desc"> 49 <p class="grade-desc">
@@ -66,7 +66,7 @@ @@ -66,7 +66,7 @@
66 66
67 {{#if vip0}} 67 {{#if vip0}}
68 <p> 68 <p>
69 - <span class="user-name">{{{name}}}</span> 69 + <span class="user-name">{{{htmlEncode name}}}</span>
70 <span>普通会员</span> 70 <span>普通会员</span>
71 </p> 71 </p>
72 <p class="grade-desc"> 72 <p class="grade-desc">
@@ -3,7 +3,7 @@ @@ -3,7 +3,7 @@
3 {{# comments}} 3 {{# comments}}
4 <div class="comment-item clearfix"> 4 <div class="comment-item clearfix">
5 <div class="user-info clearfix"> 5 <div class="user-info clearfix">
6 - <span class="user-name">{{{userName}}}</span> 6 + <span class="user-name">{{{htmlEncode userName}}}</span>
7 <span class="goods-spec"> 7 <span class="goods-spec">
8 购买了<b>{{color}}</b> 8 购买了<b>{{color}}</b>
9 </span> 9 </span>
@@ -12,7 +12,7 @@ @@ -12,7 +12,7 @@
12 <div class="comment-content-main content-main clearfix"> 12 <div class="comment-content-main content-main clearfix">
13 {{# comments}} 13 {{# comments}}
14 <span class="user-name"> 14 <span class="user-name">
15 - {{{userName}}} 15 + {{{htmlEncode userName}}}
16 </span> 16 </span>
17 <p class="goods-spec"> 17 <p class="goods-spec">
18 购买了{{desc}} 18 购买了{{desc}}
@@ -10,6 +10,8 @@ let $footer = $('#yoho-footer'), @@ -10,6 +10,8 @@ let $footer = $('#yoho-footer'),
10 $yohoPage = $('.yoho-page'), 10 $yohoPage = $('.yoho-page'),
11 $header = $('.yoho-header'); 11 $header = $('.yoho-header');
12 12
  13 +let cleanHtml = require('../../utils/cleanHtml');
  14 +
13 // 为您优选-40位随机数指纹请求id 15 // 为您优选-40位随机数指纹请求id
14 let RECID = (new Date().getTime() + '_H5_YOHOBUY_' + Math.floor(Math.random() * 1000000 + 1000000) + 16 let RECID = (new Date().getTime() + '_H5_YOHOBUY_' + Math.floor(Math.random() * 1000000 + 1000000) +
15 '_' + Math.floor(Math.random() * 1000000 + 1000000)); 17 '_' + Math.floor(Math.random() * 1000000 + 1000000));
@@ -216,7 +218,7 @@ $.extend({ @@ -216,7 +218,7 @@ $.extend({
216 // 已登录 218 // 已登录
217 $op.prepend( 219 $op.prepend(
218 '<span>Hi,</span>' + 220 '<span>Hi,</span>' +
219 - '<a class="user-name" href="/home?tmp=' + Math.random() + '">' + user[0] + '</a>' + 221 + '<a class="user-name" href="/home?tmp=' + Math.random() + '">' + cleanHtml.htmlEncode(user[0]) + '</a>' +
220 '<span class="sep-line">|</span>' + 222 '<span class="sep-line">|</span>' +
221 '<a href="/passport/signout/index">退出</a>' 223 '<a href="/passport/signout/index">退出</a>'
222 ); 224 );
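Review bot: Encoding `user[0]` before concatenating it into an HTML string on line 221 is only as good as `cleanHtml.htmlEncode`'s character set, and the `re` it relies on is outside this hunk, so completeness cannot be confirmed from here. Building the anchor through the DOM API removes the dependency on the encoder for this text node entirely, e.g. `$('<a>', { class: 'user-name', href: '/home?tmp=' + Math.random(), text: user[0] })`. The enclosing function starts and ends outside the hunk.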
@@ -10,7 +10,7 @@ const htmlEntity = { @@ -10,7 +10,7 @@ const htmlEntity = {
10 }; 10 };
11 11
12 exports.htmlDecode = function(txt) { 12 exports.htmlDecode = function(txt) {
13 - txt = txt || ''; 13 + txt = txt + '' || '';
14 return txt.replace(/((&(([a-z][a-z0-9]*)|(#[0-9]+)|(#x[0-9a-f]+));)|["'<>&])/gi, function(s) { 14 return txt.replace(/((&(([a-z][a-z0-9]*)|(#[0-9]+)|(#x[0-9a-f]+));)|["'<>&])/gi, function(s) {
15 s = s || ''; 15 s = s || '';
16 const s1 = htmlEntity[s.toLowerCase()]; 16 const s1 = htmlEntity[s.toLowerCase()];
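Review bot: `txt = txt + '' || ''` on line 13 does not preserve the old handling of missing values: `+` binds tighter than `||`, so `undefined + ''` is the string `"undefined"` and `null + ''` is `"null"`, both truthy, and those literal words now reach the page; the `|| ''` branch only fires for an empty string, which is already `''`. `txt = txt === undefined || txt === null ? '' : String(txt);` keeps the non-string coercion the change is after without that side effect. The same pattern appears in the `htmlEncode` hunk below (line 27) and in the new helper at line 299.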
@@ -24,7 +24,7 @@ exports.htmlDecode = function(txt) { @@ -24,7 +24,7 @@ exports.htmlDecode = function(txt) {
24 }; 24 };
25 25
26 exports.htmlEncode = function(str) { 26 exports.htmlEncode = function(str) {
27 - str = str || ''; 27 + str = str + '' || '';
28 return str.replace(re, function(s) { 28 return str.replace(re, function(s) {
29 switch (s) { 29 switch (s) {
30 case '"': 30 case '"':
@@ -288,5 +288,28 @@ module.exports = { @@ -288,5 +288,28 @@ module.exports = {
288 }); 288 });
289 } 289 }
290 return contentData; 290 return contentData;
  291 + },
  292 +
  293 + /**
  294 + * 特殊符号转译
  295 + */
  296 + htmlEncode: function(str) {
  297 + const re = /(\r\n)|["\'<>]/g;
  298 +
  299 + str = str + '' || '';
  300 + return str.replace(re, function(s) {
  301 + switch (s) {
  302 + case '"':
  303 + return '&quot;';
  304 + case '\'':
  305 + return '&apos;';
  306 + case '<':
  307 + return '&lt;';
  308 + case '>':
  309 + return '&gt;';
  310 + default:
  311 + return s;
  312 + }
  313 + });
291 } 314 }
292 }; 315 };
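Review bot: The new `htmlEncode` helper at line 296 never encodes `&`, so a value such as `&lt;b&gt;` passes through unchanged and the browser renders it as `<b>` text, and the output is not safely reversible with `htmlDecode`. The `(\r\n)` alternative in the regex on line 297 only ever reaches the `default` branch and is returned unchanged, so it is dead. If the intent is to escape raw user text, include `&` in the character class and drop the dead alternative; if values may already contain entities, that assumption belongs in the doc comment on line 293. The `module.exports` object this method is added to starts outside the hunk.
```javascript
    htmlEncode: function(str) {
        const re = /[&"'<>]/g;

        str = str === undefined || str === null ? '' : String(str);
        return str.replace(re, function(s) {
            switch (s) {
                case '&':
                    return '&amp;';
                // … unchanged: '"', '\'', '<', '>' cases and default …
            }
        });
    }
```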