Merge branch 'xss-bug' into 'develop'

修复讨论区xss漏洞的bug

讨论区页面存在的xss漏洞修补

See merge request !189

app/views/boards/_course_show.html.erb

@@ -24,7 +24,7 @@
 <div class="homepageRight mt0 ml10">
   <div class="homepageRightBanner">
     <div class="NewsBannerName break_word" style="width: 600px;">
-      <%= @board.parent_id.nil? ? "班级讨论区" : "#{@board.name}" %>
+      <%= @board.parent_id.nil? ? "班级讨论区" : "#{h @board.name}" %>
     </div>
 
     <% is_teacher = User.current.logged? && (User.current.admin? || User.current.allowed_to?(:as_teacher,@board.course)) %>

app/views/boards/_sy_board_history.html.erb

@@ -18,9 +18,9 @@
             <div class="list-file">
               <div><span class="item_list fl"></span>
                 <% if activity.parent_id.nil? %> <!--+"(帖子标题)"-->
-                    <%= link_to activity.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :target => '_blank', :class => "list-title-normal fl" %>
+                    <%= link_to h(activity.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :target => '_blank', :class => "list-title-normal fl" %>
                 <% else %>
-                    <%= link_to activity.parent.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :target => '_blank', :class => "list-title-normal f1" %>
+                    <%= link_to h(activity.parent.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :target => '_blank', :class => "list-title-normal f1" %>
                 <% end %>
                 <% if activity.sticky == 1 %>
                     <span class="fl ml10 red-cir-btn">顶</span>
@@ -58,4 +58,4 @@
         <p class="sy_tab_con_p">没有数据可以显示！</p>
     <% end %>
   </div>
-</div>
+</div>

app/views/layouts/_contest_board_children_list.html.erb

@@ -5,7 +5,7 @@
           <li id="board_children_<%=board.id %>">
             <% count = board ? board.messages.count : 0 %>
             <a href="<%=contest_boards_path(@contest, :board_id =>board.id) %>">
-              <font class="hidden dis" style="max-width: 120px;"><%=board.name %></font>
+              <font class="hidden dis" style="max-width: 120px;"><%= h board.name %></font>
               <span style="vertical-align: top;"><%=count %></span>
             </a>
             <% if User.current.logged? && is_admin %>
@@ -14,4 +14,4 @@
           </li>
       <% end %>
     </ul>
-<% end %>
+<% end %>

app/views/messages/_course_show.html.erb

@@ -65,7 +65,7 @@
       </div>
       <%end%>
       <div class="postDetailTitle fl break_full_word">
-        <a href="javascript:void(0);" class="f14 linkGrey4 fb" style="overflow:hidden;">主题: <%= @topic.subject%></a>
+        <a href="javascript:void(0);" class="f14 linkGrey4 fb" style="overflow:hidden;">主题: <%= h @topic.subject%></a>
       </div>
       <div class="cl"></div>
       <div class="postDetailCreater">
@@ -74,7 +74,7 @@
       <div class="postDetailDate mb5"><%= format_time( @topic.created_on)%></div>
       <div class="cl"></div>
       <div class="homepagePostIntro memo-content upload_img break_full_word ke-block" id="message_description_<%= @topic.id %>" >
-        <%= @topic.content.html_safe%>
+        <%= h @topic.content %>
       </div>
       <div class="cl"></div>
       <div class="mt10" style="font-weight:normal;">

app/views/messages/_course_show_replies.html.erb

@@ -13,7 +13,7 @@
         <%= render :partial => 'users/message_contents', :locals => {:comment => reply, :type => 'Message', :user_activity_id => @topic.id}%>
 
         <div class="homepagePostReplyContent upload_img break_word table_maxWidth" id="reply_message_description_<%= reply.id %>">
-          <%= reply.content.html_safe%>
+          <%= h reply.content %>
         </div>
         <div class="orig_reply mb10 mt-10">
           <div class="reply">
@@ -57,4 +57,4 @@
           <%= link_to '点击展开更多回复', board_message_path(@topic.board_id, @topic, :page => @page),:remote=>true %>
         </div>
     </div>
-<% end %>
+<% end %>

app/views/users/_comment_reply_detail.html.erb

@@ -17,9 +17,9 @@
                 <p><%= string %></p>
             <% end %>
         <% end %>
-        <P><%= comment.content_detail.html_safe %></P>
+        <P><%= h comment.content_detail.html_safe %></P>
     <% else %>
-        <%= comment.content_detail.html_safe %>
+        <%= h comment.content_detail.html_safe %>
     <% end %>
   </div>
   <div class="orig_reply mt-10 pr" style="height: 18px;">
@@ -66,4 +66,4 @@
   </div>
   <p id="reply_message_<%= comment.id%>"></p>
 </div>
-<div class="cl"></div>
+<div class="cl"></div>

app/views/users/_course_boardlist.html.erb

@@ -24,9 +24,9 @@
               <div class="list-file">
                 <div><span class="item_list fl"></span>
                    <% if activity.parent_id.nil? %> <!--+"(帖子标题)"-->
-                       <%= link_to activity.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class => "list-title-normal fl" %>
+                       <%= link_to h(activity.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class => "list-title-normal fl" %>
                    <% else %>
-                       <%= link_to activity.parent.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class => "list-title-normal f1" %>
+                       <%= link_to h(activity.parent.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class => "list-title-normal f1" %>
                    <% end %>
                    <% if activity.sticky == 1 %>
                        <span class="fl ml10 red-cir-btn">顶</span>
@@ -81,4 +81,4 @@
             $(".listbox").css("height",tmpHeight);
         }
     });
-</script>
+</script>

app/views/users/_course_message.html.erb

@@ -13,9 +13,9 @@
       </div>
       <div class="homepagePostTitle hidden m_w530 fl">
         <% if activity.parent_id.nil? %> <!--+"(帖子标题)"-->
-            <%= link_to activity.subject.to_s.html_safe, board_message_path(activity.board_id, activity), :class=> "postGrey" %>
+            <%= link_to h(activity.subject.to_s), board_message_path(activity.board_id, activity), :class=> "postGrey" %>
         <% else %>
-            <%= link_to activity.parent.subject.to_s.html_safe, board_message_path(activity.board_id, activity), :class=> "postGrey" %>
+            <%= link_to h(activity.parent.subject.to_s), board_message_path(activity.board_id, activity), :class=> "postGrey" %>
         <% end %>
       </div>
       <% if activity.sticky == 1 %>
@@ -33,9 +33,9 @@
       </div>
       <div class="cl"></div>
       <% if activity.parent_id.nil? %>
-          <% content = activity.content %>
+          <% content = h activity.content %>
       <% else %>
-          <% content = activity.parent.content %>
+          <% content = h activity.parent.content %>
       <% end %>
       <%=render :partial =>"users/intro_content", :locals=>{:user_activity_id =>user_activity_id, :content=>content} %>
       <div class="cl"></div>

app/views/users/_message_replies.html.erb

@@ -15,7 +15,7 @@
 
           <% if !comment.content_detail.blank? %>
               <div class="homepagePostReplyContent break_word list_style upload_img table_maxWidth" id="reply_content_<%= comment.id %>">
-                <%= comment.content_detail.html_safe %>
+                <%= h comment.content_detail %>
               </div>
               <div class="orig_reply mb10 mt-10">
                 <div class="reply">
@@ -115,4 +115,4 @@
         <div class="cl"></div>
       </li>
   <% end %>
-</ul>
+</ul>

app/views/users/_project_boardlist.html.erb

@@ -20,9 +20,9 @@
               <div class="list-file">
                 <div><span class="item_list fl"></span>
                   <% if activity.parent_id.nil? %> <!--+"(帖子标题)"-->
-                      <%= link_to activity.subject.to_s.html_safe,  User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class=> "list-title-normal fl", :style => "max-width:950px;" %>
+                      <%= link_to h(activity.subject),  User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class=> "list-title-normal fl", :style => "max-width:950px;" %>
                   <% else %>
-                      <%= link_to activity.parent.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class=> "list-title-normal f1", :style => "max-width:950px;" %>
+                      <%= link_to h(activity.parent.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class=> "list-title-normal f1", :style => "max-width:950px;" %>
                   <% end %>
                   <% if activity.sticky == 1 %>
                       <span class="fl ml10 red-cir-btn">顶</span>
@@ -76,4 +76,4 @@
             $(".listbox").css("height", tmpHeight);
         }
     });
-</script>
+</script>