Skip to content

A
antSword
Commit b1ed898e authored by Medicean's avatar Medicean
Browse files
Options

(Core:Security) request 全局转义

parent f28f0863
Show whitespace changes
Inline Side-by-side
Showing with 53 additions and 54 deletions
modules/request.js
View file @ b1ed898e
......@@ -192,7 +192,7 @@ class Request {
_request.send = _request.field;
for (var key in _postData) {
if (_postData.hasOwnProperty(key)) {
let _tmp = encodeURIComponent(_postData[key]).replace(/asunescape\((.+?)\)/g, function ($, $1) {
let _tmp = (_postData[key]).replace(/asunescape\((.+?)\)/g, function ($, $1) {
return unescape($1)
});
_postarr[key] = _tmp;
......
source/app.entry.js
View file @ b1ed898e
......@@ -37,6 +37,24 @@ const antSword = window.antSword = {
}
return _html;
},
/**
* unxss
* @param {String} html 转义的字符串
* @param {Boolean} wrap 是否反转义换行
* @return {String} 反转义后的字符串
*/
unxss: (html = '', wrap = true) => {
let _html = String(html)
.replace(/'/g, "'")
.replace(/>/g, ">")
.replace(/&lt;/g, "<")
.replace(/&quot;/g, '"')
.replace(/&amp;/g, "&");
if (wrap) {
_html = _html.replace(/<br\/>/g, '\n'); // 只替换 noxss 转义过的
}
return _html;
},
/**
* 终端日志数据
* @type {Array}
......
source/core/base.js
View file @ b1ed898e
......@@ -303,8 +303,8 @@ class Base {
let text = antSword.Decodes.decode(buff, encoding);
return res({
'encoding': encoding || "",
'text': text,
'buff': buff
'text': antSword.noxss(text, false),
'buff': Buffer.from(antSword.noxss(buff.toString()), false)
});
})
// HTTP请求返回字节流
......
source/modules/database/asp/index.js
View file @ b1ed898e
......@@ -553,11 +553,11 @@ class ASP {
return
};
const _db = Buffer
.from(_)
.from(antSword.unxss(_))
.toString('base64');
this
.tree
.insertNewItem(`conn::${id}`, `database::${id}:${_db}`, antSword.noxss(_), null, this.manager.list.imgs[1], this.manager.list.imgs[1], this.manager.list.imgs[1]);
.insertNewItem(`conn::${id}`, `database::${id}:${_db}`, _, null, this.manager.list.imgs[1], this.manager.list.imgs[1], this.manager.list.imgs[1]);
});
this
.manager
......@@ -613,11 +613,11 @@ class ASP {
return
};
const _table = Buffer
.from(_)
.from(antSword.unxss(_))
.toString('base64');
this
.tree
.insertNewItem(`database::${id}:${_db}`, `table::${id}:${_db}:${_table}`, antSword.noxss(_), null, this.manager.list.imgs[2], this.manager.list.imgs[2], this.manager.list.imgs[2]);
.insertNewItem(`database::${id}:${_db}`, `table::${id}:${_db}:${_table}`, _, null, this.manager.list.imgs[2], this.manager.list.imgs[2], this.manager.list.imgs[2]);
});
this
.manager
......@@ -692,8 +692,9 @@ class ASP {
if (!_) {
return
};
_ = antSword.unxss(_);
const _column = Buffer
.from(_.substr(0, _.length - _.lastIndexOf(' ')))
.from(_.substr(0, _.lastIndexOf(' ')))
.toString('base64');
this
.tree
......@@ -782,10 +783,7 @@ class ASP {
return toastr.error(LANG['result']['error']['parse'], LANG_T['error']);
};
// 3.行头
let header_arr = antSword
.noxss(arr[0])
.replace(/,/g, '&#44;')
.split('\t|\t');
let header_arr = (arr[0]).replace(/,/g, '&#44;').split('\t|\t');
if (header_arr.length === 1) {
return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']);
};
......@@ -797,9 +795,6 @@ class ASP {
let data_arr = [];
arr.map((_) => {
let _data = _.split('\t|\t');
for (let i = 0; i < _data.length; i++) {
_data[i] = antSword.noxss(_data[i], false);
}
data_arr.push(_data);
});
data_arr.pop();
......
source/modules/database/custom/index.js
View file @ b1ed898e
......@@ -516,11 +516,7 @@ class CUSTOM {
// 获取数据库列表
getDatabases(id) {
this
.manager
.list
.layout
.progressOn();
this.manager.list.layout.progressOn();
// 获取配置
const conf = antSword['ipcRenderer'].sendSync('shell-getDataConf', {
_id: this.manager.opt['_id'],
......@@ -546,20 +542,14 @@ class CUSTOM {
.progressOff();
};
// 删除子节点
this
.tree
.deleteChildItems(`conn::${id}`);
this.tree.deleteChildItems(`conn::${id}`);
// 添加子节点
arr.map((_) => {
if (!_) {
return
};
const _db = Buffer
.from(_)
.toString('base64');
this
.tree
.insertNewItem(`conn::${id}`, `database::${id}:${_db}`, antSword.noxss(_), null, this.manager.list.imgs[1], this.manager.list.imgs[1], this.manager.list.imgs[1]);
const _db = Buffer.from(antSword.unxss(_)).toString('base64');
this.tree.insertNewItem(`conn::${id}`, `database::${id}:${_db}`, _, null, this.manager.list.imgs[1], this.manager.list.imgs[1], this.manager.list.imgs[1]);
});
this
.manager
......@@ -600,24 +590,20 @@ class CUSTOM {
.then((res) => {
let ret = res['text'];
const arr = ret.split('\t');
const _db = Buffer
.from(db)
.toString('base64');
const _db = Buffer.from(db).toString('base64');
// 删除子节点
this
.tree
.deleteChildItems(`database::${id}:${_db}`);
this.tree.deleteChildItems(`database::${id}:${_db}`);
// 添加子节点
arr.map((_) => {
if (!_) {
return
};
const _table = Buffer
.from(_)
.from(antSword.unxss(_))
.toString('base64');
this
.tree
.insertNewItem(`database::${id}:${_db}`, `table::${id}:${_db}:${_table}`, antSword.noxss(_), null, this.manager.list.imgs[2], this.manager.list.imgs[2], this.manager.list.imgs[2]);
.insertNewItem(`database::${id}:${_db}`, `table::${id}:${_db}:${_table}`, _, null, this.manager.list.imgs[2], this.manager.list.imgs[2], this.manager.list.imgs[2]);
});
this
.manager
......@@ -674,8 +660,9 @@ class CUSTOM {
if (!_) {
return
};
_ = antSword.unxss(_);
const _column = Buffer
.from(_.substr(0, _.length - _.lastIndexOf(' ')))
.from(_.substr(0, _.lastIndexOf(' ')))
.toString('base64');
this
.tree
......@@ -751,10 +738,7 @@ class CUSTOM {
return toastr.error(LANG['result']['error']['parse'], LANG_T['error']);
};
// 3.行头
let header_arr = antSword
.noxss(arr[0])
.replace(/,/g, '&#44;')
.split('\t|\t');
let header_arr = (arr[0]).replace(/,/g, '&#44;').split('\t|\t');
if (header_arr.length === 1) {
return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']);
};
......
source/modules/database/php/index.js
View file @ b1ed898e
......@@ -1271,7 +1271,7 @@ class PHP {
let dbname = Buffer.from(treeselect.split('::')[1].split(":")[1],"base64").toString();
let tablename = Buffer.from(treeselect.split('::')[1].split(":")[2],"base64").toString();
let columnname = Buffer.from(treeselect.split('::')[1].split(":")[3],"base64").toString();
let columntyperaw = this.tree.getSelectedItemText();
let columntyperaw = antSword.unxss(this.tree.getSelectedItemText());
let columntype = null;
var ctypereg = new RegExp(columnname+'\\s\\((.+?\\))\\)');
var res = columntyperaw.match(ctypereg);
......@@ -1383,11 +1383,11 @@ class PHP {
// 添加子节点
arr.map((_) => {
if (!_) { return };
const _db = Buffer.from(_).toString('base64');
const _db = Buffer.from(antSword.unxss(_, false)).toString('base64');
this.tree.insertNewItem(
`conn::${id}`,
`database::${id}:${_db}`,
antSword.noxss(_), null,
_, null,
this.manager.list.imgs[1],
this.manager.list.imgs[1],
this.manager.list.imgs[1]);
......@@ -1427,11 +1427,11 @@ class PHP {
// 添加子节点
arr.map((_) => {
if (!_) { return };
const _table = Buffer.from(_).toString('base64');
const _table = Buffer.from(antSword.unxss(_, false)).toString('base64');
this.tree.insertNewItem(
`database::${id}:${_db}`,
`table::${id}:${_db}:${_table}`,
antSword.noxss(_),
_,
null,
this.manager.list.imgs[2],
this.manager.list.imgs[2],
......@@ -1475,7 +1475,9 @@ class PHP {
// 添加子节点
arr.map((_) => {
if (!_) { return };
const _column = Buffer.from(_.substr(0, _.length - _.lastIndexOf(' '))).toString('base64');
_ = antSword.unxss(_, false);
const _column = Buffer.from(_.substr(0, _.lastIndexOf(' '))).toString('base64');
this.tree.insertNewItem(
`table::${id}:${_db}:${_table}`,
`column::${id}:${_db}:${_table}:${_column}`,
......@@ -1562,7 +1564,7 @@ class PHP {
return toastr.error(LANG['result']['error']['parse'], LANG_T['error']);
};
// 3.行头
let header_arr = antSword.noxss(arr[0]).replace(/,/g, '&#44;').split('\t|\t');
let header_arr = (arr[0]).replace(/,/g, '&#44;').split('\t|\t');
if (header_arr.length === 1) {
return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']);
};
......@@ -1623,7 +1625,7 @@ class PHP {
return toastr.error(LANG['result']['error']['parse'], LANG_T['error']);
};
// 3.行头
let header_arr = antSword.noxss(arr[0]).replace(/,/g, '&#44;').split('\t|\t');
let header_arr = (arr[0]).replace(/,/g, '&#44;').split('\t|\t');
if (header_arr.length === 1) {
return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']);
};
......
source/modules/filemanager/index.js
View file @ b1ed898e
......@@ -172,7 +172,7 @@ class FileManager {
path: path
})
).then((res) => {
let ret = res['text'];
let ret = antSword.unxss(res['text']);
// 判断是否出错
if (ret.startsWith('ERROR://')) {
callback([]);
......@@ -1036,8 +1036,8 @@ class FileManager {
path: path
})
).then((res) => {
let ret = res['text'];
codes = res['buff'];
let ret = antSword.unxss(res['text'], false);
codes = Buffer.from(antSword.unxss(res['buff'].toString(), false));
let encoding = res['encoding'] || this.opts['encode'];
if (encoding.toUpperCase() == "UTF-8") {
encoding = "UTF8";
......
source/modules/terminal/index.js
View file @ b1ed898e
......@@ -311,7 +311,7 @@ class Terminal {
bin: _bin
}))
.then((ret) => {
let _ = ret['text'];
let _ = antSword.unxss(ret['text'], false);
// 解析出命令执行路径
const indexS = _.lastIndexOf('[S]');
const indexE = _.lastIndexOf('[E]');
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment