修改BUG：全站增加对脚本代码防护 closed #ITJ53

#Issue https://gitee.com/LongbowEnterprise/dashboard/issues?id=ITJ53
2019-03-14 16:26:19 +08:00 · 2019-03-14 16:26:19 +08:00 · a40cc02289
parent a8e0f10446
commit a40cc02289
2 changed files with 12 additions and 2 deletions
--- a/Bootstrap.Admin/wwwroot/js/common-scripts.js
+++ b/Bootstrap.Admin/wwwroot/js/common-scripts.js
@ -82,7 +82,7 @@
                    $('#msgHeaderUser').text(result.NewUsersCount);
                    htmlUserTemplate = '<a class="dropdown-item" href="{4}"><span class="label label-success"><i class="fa fa-plus"></i></span><div title="{2}" class="content">{1}({0})</div><span class="small italic">{3}</span></a>';
                    html = result.Users.map(function (u) {
-                        return $.format(htmlUserTemplate, u.UserName, u.DisplayName, u.Description, u.Period, $.formatUrl('Admin/Notifications'));
+                        return $.format(htmlUserTemplate, $.safeHtml(u.UserName), $.safeHtml(u.DisplayName), $.safeHtml(u.Description), u.Period, $.formatUrl('Admin/Notifications'));
                    }).join('');
                    $(html).insertAfter($('#msgHeaderUserContent'));

@ -106,7 +106,7 @@
                    $('#msgHeaderMsg').text(result.MessagesCount);
                    htmlUserTemplate = '<a class="dropdown-item" href="{6}?id={0}"><span class="photo"><img alt="avatar" src="{1}"></span><span class="subject"><span class="from">{2}</span><span class="time">{4}</span></span><span class="message" title="{5}">{3}</span></a>';
                    html = result.Messages.map(function (u) {
-                        return $.format(htmlUserTemplate, u.Id, u.FromIcon, u.FromDisplayName, u.Title, u.Period, u.Content, $.formatUrl('Admin/Messages'));
+                        return $.format(htmlUserTemplate, u.Id, u.FromIcon, $.safeHtml(u.FromDisplayName), $.safeHtml(u.Title), u.Period, $.safeHtml(u.Content), $.formatUrl('Admin/Messages'));
                    }).join('');
                    $(html).insertAfter($('#msgHeaderMsgContent'));
                }
--- a/Bootstrap.Admin/wwwroot/lib/longbow/longbow.common.js
+++ b/Bootstrap.Admin/wwwroot/lib/longbow/longbow.common.js
@ -233,6 +233,9 @@
            var base = $('#pathBase').attr('href');
            return base + url;
        },
+        safeHtml: function(text) {
+            return $('<div>').text(text).html();
+        },
        syntaxHighlight: function (json) {
            if (typeof (json) === 'string') {
                json = JSON.parse(json);
@ -326,6 +329,13 @@
                }
            }, options);
            settings.url = $.formatUrl(settings.url);
+            $.each(settings.columns, function (index, value) {
+                if (!$.isFunction(value.formatter)) {
+                    value.formatter = function (value, row, index, field) {
+                        return $.safeHtml(value);
+                    }
+                }
+            });
            this.bootstrapTable(settings);
            $('.bootstrap-table .fixed-table-toolbar .columns .export .dropdown-menu').addClass("dropdown-menu-right");
            $(settings.toolbar).removeClass('d-none').find('.toolbar').on('click', 'a', function (e) {