(Fix: FileManager) fix #153 (thx @ViCrack)

6597b1f0 · Medicean · 4b932e81 · 6597b1f0 · 6597b1f0 · 6597b1f0
Commit 6597b1f0 authored Apr 19, 2019 by Medicean
Showing with 10 additions and 6 deletions

CHANGELOG.md CHANGELOG.md +1 -0

index.js source/modules/database/php/index.js +5 -2

files.js source/modules/filemanager/files.js +1 -1

index.js source/modules/filemanager/index.js +3 -3

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 * 主窗口增加 CSP 策略
 * Fix self-xss in database config #151 (thx @miaochiahao)
+* Fix #153 (thx @ViCrack)
 ## `v(2.0.7.2)`

--- a/source/modules/database/php/index.js
+++ b/source/modules/database/php/index.js
@@ -921,6 +921,7 @@ class PHP {
    // 获取配置
    const id = this.tree.getSelected().split('::')[1].split(":")[0];
    let dbname = new Buffer(this.tree.getSelected().split('::')[1].split(":")[1],"base64").toString();
+    // 已在 lang 中过滤
    layer.confirm(LANG['form']['deldb']['confirm'](dbname), {
      icon: 2, shift: 6,
      title: LANG['form']['deldb']['title']
@@ -1146,7 +1147,7 @@ class PHP {
    let tablename = new Buffer(treeselect.split('::')[1].split(":")[2],"base64").toString();
    // const hash = (+new Date * Math.random()).toString(16).substr(2, 8);
    layer.prompt({
-      value: tablename,
+      value: antSword.noxss(tablename),
      title: `<i class="fa fa-file-code-o"></i> ${LANG['form']['edittable']['title']}`
    },(value, i, e) => {
      if(!value.match(/^[a-zA-Z0-9_]+$/)){
@@ -1186,6 +1187,7 @@ class PHP {
    const id = treeselect.split('::')[1].split(":")[0];
    let dbname = new Buffer(treeselect.split('::')[1].split(":")[1],"base64").toString();
    let tablename = new Buffer(treeselect.split('::')[1].split(":")[2],"base64").toString();
+    // 已在 lang 中过滤
    layer.confirm(LANG['form']['deltable']['confirm'](tablename), {
      icon: 2, shift: 6,
      title: LANG['form']['deltable']['title']
@@ -1283,7 +1285,7 @@ class PHP {
      return
    }
    layer.prompt({
-      value: columnname,
+      value: antSword.noxss(columnname),
      title: `<i class="fa fa-file-code-o"></i> ${LANG['form']['editcolumn']['title']}`
    },(value, i, e) => {
      if(!value.match(/^[a-zA-Z0-9_]+$/)){
@@ -1324,6 +1326,7 @@ class PHP {
    let dbname = new Buffer(treeselect.split('::')[1].split(":")[1],"base64").toString();
    let tablename = new Buffer(treeselect.split('::')[1].split(":")[2],"base64").toString();
    let columnname = new Buffer(treeselect.split('::')[1].split(":")[3],"base64").toString();
+    // 已在LANG中过滤
    layer.confirm(LANG['form']['delcolumn']['confirm'](columnname), {
      icon: 2, shift: 6,
      title: LANG['form']['delcolumn']['title']

--- a/source/modules/filemanager/files.js
+++ b/source/modules/filemanager/files.js
@@ -137,7 +137,7 @@ class Files {
        case 'bookmark_add':
          // 添加书签
          layer.prompt({
-            value: self.manager.path,
+            value: antSword.noxss(self.manager.path),
            title: LANG['prompt']['add']['title']
          }, (value, i, e) => {
            bookmark[self.manager.path] = value;

--- a/source/modules/filemanager/index.js
+++ b/source/modules/filemanager/index.js
@@ -286,7 +286,7 @@ class FileManager {
    let self = this;
    layer.confirm(
-      LANG['delete']['confirm'](files.length > 1 ? files.length : files[0]),
+      LANG['delete']['confirm'](files.length > 1 ? files.length : files[0]), // 已在 lang 中过滤
      {
        icon: 2,
        shift: 6,
@@ -492,7 +492,7 @@ class FileManager {
  // 设置文件和目录权限
  chmodFile(name, oldmod) {
    layer.prompt({
-      value: oldmod,
+      value: antSword.noxss(oldmod),
      title: `<i class="fa fa-users"></i> ${LANG['chmod']['title']} (${antSword.noxss(name)})`,
    }, (value, i, e) => {
      if(!value.match(/^[0-7]{4}$/)){
@@ -625,7 +625,7 @@ class FileManager {
    // 获取URL
    let _index = layer.prompt({
      title: `<i class="fa fa-cloud-download"></i> ${LANG['wget']['title']}`,
-      content: '<input type="text" style="width:300px;" class="layui-layer-input" id="url_' + hash + '" value="http://" placeholder="target url"><p/><input style="width:300px;" type="text" id="path_' + hash + '" class="layui-layer-input" value="' + self.path + '" placeholder="file name">',
+      content: '<input type="text" style="width:300px;" class="layui-layer-input" id="url_' + hash + '" value="http://" placeholder="target url"><p/><input style="width:300px;" type="text" id="path_' + hash + '" class="layui-layer-input" value="' + antSword.noxss(self.path) + '" placeholder="file name">',
      btn: ['wget'],
      yes: (i) => {