(Fix: FileManager) fix #153 (thx @ViCrack)

CHANGELOG.md

@@ -6,6 +6,7 @@
 
 * 主窗口增加 CSP 策略
 * Fix self-xss in database config #151 (thx @miaochiahao)
+* Fix #153 (thx @ViCrack)
 
 ## `v(2.0.7.2)`
 

source/modules/database/php/index.js

@@ -1145,7 +1145,7 @@ class PHP {
     let tablename = Buffer.from(treeselect.split('::')[1].split(":")[2],"base64").toString();
     // const hash = (+new Date * Math.random()).toString(16).substr(2, 8);
     layer.prompt({
-      value: tablename,
+      value: antSword.noxss(tablename),
       title: `<i class="fa fa-file-code-o"></i> ${LANG['form']['edittable']['title']}`
     },(value, i, e) => {
       if(!value.match(/^[a-zA-Z0-9_]+$/)){
@@ -1185,6 +1185,7 @@ class PHP {
     const id = treeselect.split('::')[1].split(":")[0];
     let dbname = Buffer.from(treeselect.split('::')[1].split(":")[1],"base64").toString();
     let tablename = Buffer.from(treeselect.split('::')[1].split(":")[2],"base64").toString();
+    // 已在 lang 中过滤
     layer.confirm(LANG['form']['deltable']['confirm'](tablename), {
       icon: 2, shift: 6,
       title: LANG['form']['deltable']['title']
@@ -1282,7 +1283,7 @@ class PHP {
       return
     }
     layer.prompt({
-      value: columnname,
+      value: antSword.noxss(columnname),
       title: `<i class="fa fa-file-code-o"></i> ${LANG['form']['editcolumn']['title']}`
     },(value, i, e) => {
       if(!value.match(/^[a-zA-Z0-9_]+$/)){
@@ -1323,6 +1324,7 @@ class PHP {
     let dbname = Buffer.from(treeselect.split('::')[1].split(":")[1],"base64").toString();
     let tablename = Buffer.from(treeselect.split('::')[1].split(":")[2],"base64").toString();
     let columnname = Buffer.from(treeselect.split('::')[1].split(":")[3],"base64").toString();
+    // 已在 lang 中过滤
     layer.confirm(LANG['form']['delcolumn']['confirm'](columnname), {
       icon: 2, shift: 6,
       title: LANG['form']['delcolumn']['title']

source/modules/filemanager/files.js

@@ -137,7 +137,7 @@ class Files {
         case 'bookmark_add':
           // 添加书签
           layer.prompt({
-            value: self.manager.path,
+            value: antSword.noxss(self.manager.path),
             title: LANG['prompt']['add']['title']
           }, (value, i, e) => {
             bookmark[self.manager.path] = value;

source/modules/filemanager/index.js

@@ -286,7 +286,7 @@ class FileManager {
     let self = this;
 
     layer.confirm(
-      LANG['delete']['confirm'](files.length > 1 ? files.length : files[0]),
+      LANG['delete']['confirm'](files.length > 1 ? files.length : files[0]), // 已在 lang 中过滤
       {
         icon: 2,
         shift: 6,
@@ -492,7 +492,7 @@ class FileManager {
   // 设置文件和目录权限
   chmodFile(name, oldmod) {
     layer.prompt({
-      value: oldmod,
+      value: antSword.noxss(oldmod),
       title: `<i class="fa fa-users"></i> ${LANG['chmod']['title']} (${antSword.noxss(name)})`,
     }, (value, i, e) => {
       if(!value.match(/^[0-7]{4}$/)){
@@ -625,7 +625,7 @@ class FileManager {
     // 获取URL
     let _index = layer.prompt({
       title: `<i class="fa fa-cloud-download"></i> ${LANG['wget']['title']}`,
-      content: '<input type="text" style="width:300px;" class="layui-layer-input" id="url_' + hash + '" value="http://" placeholder="target url"><p/><input style="width:300px;" type="text" id="path_' + hash + '" class="layui-layer-input" value="' + self.path + '" placeholder="file name">',
+      content: '<input type="text" style="width:300px;" class="layui-layer-input" id="url_' + hash + '" value="http://" placeholder="target url"><p/><input style="width:300px;" type="text" id="path_' + hash + '" class="layui-layer-input" value="' + antSword.noxss(self.path) + '" placeholder="file name">',
       btn: ['wget'],
       yes: (i) => {