From a7f558a593ba38cae09c38c1f9e6a8218b9c7568 Mon Sep 17 00:00:00 2001 From: Jasder <2053003901@@qq.com> Date: Thu, 17 Oct 2019 11:29:37 +0800 Subject: [PATCH] FIX xss bug --- app/views/boards/_course_show.html.erb | 2 +- app/views/boards/_sy_board_history.html.erb | 6 +++--- app/views/layouts/_contest_board_children_list.html.erb | 4 ++-- app/views/messages/_course_show.html.erb | 4 ++-- app/views/messages/_course_show_replies.html.erb | 4 ++-- app/views/users/_comment_reply_detail.html.erb | 6 +++--- app/views/users/_course_boardlist.html.erb | 6 +++--- app/views/users/_course_message.html.erb | 8 ++++---- app/views/users/_message_replies.html.erb | 4 ++-- app/views/users/_project_boardlist.html.erb | 6 +++--- 10 files changed, 25 insertions(+), 25 deletions(-) diff --git a/app/views/boards/_course_show.html.erb b/app/views/boards/_course_show.html.erb index c41a8d254..b0823c253 100644 --- a/app/views/boards/_course_show.html.erb +++ b/app/views/boards/_course_show.html.erb @@ -24,7 +24,7 @@
- <%= @board.parent_id.nil? ? "班级讨论区" : "#{@board.name}" %> + <%= @board.parent_id.nil? ? "班级讨论区" : "#{h @board.name}" %>
<% is_teacher = User.current.logged? && (User.current.admin? || User.current.allowed_to?(:as_teacher,@board.course)) %> diff --git a/app/views/boards/_sy_board_history.html.erb b/app/views/boards/_sy_board_history.html.erb index 614796e9f..48aca2947 100644 --- a/app/views/boards/_sy_board_history.html.erb +++ b/app/views/boards/_sy_board_history.html.erb @@ -18,9 +18,9 @@
<% if activity.parent_id.nil? %> - <%= link_to activity.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :target => '_blank', :class => "list-title-normal fl" %> + <%= link_to h(activity.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :target => '_blank', :class => "list-title-normal fl" %> <% else %> - <%= link_to activity.parent.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :target => '_blank', :class => "list-title-normal f1" %> + <%= link_to h(activity.parent.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :target => '_blank', :class => "list-title-normal f1" %> <% end %> <% if activity.sticky == 1 %> @@ -58,4 +58,4 @@

没有数据可以显示!

<% end %>
-
\ No newline at end of file +
diff --git a/app/views/layouts/_contest_board_children_list.html.erb b/app/views/layouts/_contest_board_children_list.html.erb index 494fbd032..e41dcd46b 100644 --- a/app/views/layouts/_contest_board_children_list.html.erb +++ b/app/views/layouts/_contest_board_children_list.html.erb @@ -5,7 +5,7 @@
  • <% count = board ? board.messages.count : 0 %> - + <%=count %> <% if User.current.logged? && is_admin %> @@ -14,4 +14,4 @@
    • <% end %> -<% end %> \ No newline at end of file +<% end %> diff --git a/app/views/messages/_course_show.html.erb b/app/views/messages/_course_show.html.erb index e283d2a55..12f9a5a15 100644 --- a/app/views/messages/_course_show.html.erb +++ b/app/views/messages/_course_show.html.erb @@ -65,7 +65,7 @@
    <%end%>
    - 主题: <%= @topic.subject%> + 主题: <%= h @topic.subject%>
    @@ -74,7 +74,7 @@
    <%= format_time( @topic.created_on)%>
    - <%= @topic.content.html_safe%> + <%= h @topic.content %>
    diff --git a/app/views/messages/_course_show_replies.html.erb b/app/views/messages/_course_show_replies.html.erb index 3ea86596f..db0a3c1df 100644 --- a/app/views/messages/_course_show_replies.html.erb +++ b/app/views/messages/_course_show_replies.html.erb @@ -13,7 +13,7 @@ <%= render :partial => 'users/message_contents', :locals => {:comment => reply, :type => 'Message', :user_activity_id => @topic.id}%>
    - <%= reply.content.html_safe%> + <%= h reply.content %>
    @@ -57,4 +57,4 @@ <%= link_to '点击展开更多回复', board_message_path(@topic.board_id, @topic, :page => @page),:remote=>true %>
    -<% end %> \ No newline at end of file +<% end %> diff --git a/app/views/users/_comment_reply_detail.html.erb b/app/views/users/_comment_reply_detail.html.erb index e7cd7e0b0..06ab5e2f3 100644 --- a/app/views/users/_comment_reply_detail.html.erb +++ b/app/views/users/_comment_reply_detail.html.erb @@ -17,9 +17,9 @@

    <%= string %>

    <% end %> <% end %> -

    <%= comment.content_detail.html_safe %>

    +

    <%= h comment.content_detail.html_safe %>

    <% else %> - <%= comment.content_detail.html_safe %> + <%= h comment.content_detail.html_safe %> <% end %>
    @@ -66,4 +66,4 @@

    -
    \ No newline at end of file +
    diff --git a/app/views/users/_course_boardlist.html.erb b/app/views/users/_course_boardlist.html.erb index 12230f7e0..3d4807a60 100644 --- a/app/views/users/_course_boardlist.html.erb +++ b/app/views/users/_course_boardlist.html.erb @@ -24,9 +24,9 @@
    <% if activity.parent_id.nil? %> - <%= link_to activity.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class => "list-title-normal fl" %> + <%= link_to h(activity.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class => "list-title-normal fl" %> <% else %> - <%= link_to activity.parent.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class => "list-title-normal f1" %> + <%= link_to h(activity.parent.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class => "list-title-normal f1" %> <% end %> <% if activity.sticky == 1 %> @@ -81,4 +81,4 @@ $(".listbox").css("height",tmpHeight); } }); - \ No newline at end of file + diff --git a/app/views/users/_course_message.html.erb b/app/views/users/_course_message.html.erb index f8e6931cd..f9ab0274f 100644 --- a/app/views/users/_course_message.html.erb +++ b/app/views/users/_course_message.html.erb @@ -13,9 +13,9 @@
    <% if activity.sticky == 1 %> @@ -33,9 +33,9 @@
    <% if activity.parent_id.nil? %> - <% content = activity.content %> + <% content = h activity.content %> <% else %> - <% content = activity.parent.content %> + <% content = h activity.parent.content %> <% end %> <%=render :partial =>"users/intro_content", :locals=>{:user_activity_id =>user_activity_id, :content=>content} %>
    diff --git a/app/views/users/_message_replies.html.erb b/app/views/users/_message_replies.html.erb index 9f810a052..d0ab30bc9 100644 --- a/app/views/users/_message_replies.html.erb +++ b/app/views/users/_message_replies.html.erb @@ -15,7 +15,7 @@ <% if !comment.content_detail.blank? %>
    - <%= comment.content_detail.html_safe %> + <%= h comment.content_detail %>
    @@ -115,4 +115,4 @@
    <% end %> - \ No newline at end of file + diff --git a/app/views/users/_project_boardlist.html.erb b/app/views/users/_project_boardlist.html.erb index ab8ebd8d8..d6dea3ee1 100644 --- a/app/views/users/_project_boardlist.html.erb +++ b/app/views/users/_project_boardlist.html.erb @@ -20,9 +20,9 @@
    <% if activity.parent_id.nil? %> - <%= link_to activity.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class=> "list-title-normal fl", :style => "max-width:950px;" %> + <%= link_to h(activity.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class=> "list-title-normal fl", :style => "max-width:950px;" %> <% else %> - <%= link_to activity.parent.subject.to_s.html_safe, User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class=> "list-title-normal f1", :style => "max-width:950px;" %> + <%= link_to h(activity.parent.subject), User.current.logged? ? board_message_path(activity.board_id, activity) : signin_url_without_domain, :class=> "list-title-normal f1", :style => "max-width:950px;" %> <% end %> <% if activity.sticky == 1 %> @@ -76,4 +76,4 @@ $(".listbox").css("height", tmpHeight); } }); - \ No newline at end of file +