Commit b1ed898e authored by Medicean's avatar Medicean

(Core:Security) request 全局转义

parent f28f0863
...@@ -192,7 +192,7 @@ class Request { ...@@ -192,7 +192,7 @@ class Request {
_request.send = _request.field; _request.send = _request.field;
for (var key in _postData) { for (var key in _postData) {
if (_postData.hasOwnProperty(key)) { if (_postData.hasOwnProperty(key)) {
let _tmp = encodeURIComponent(_postData[key]).replace(/asunescape\((.+?)\)/g, function ($, $1) { let _tmp = (_postData[key]).replace(/asunescape\((.+?)\)/g, function ($, $1) {
return unescape($1) return unescape($1)
}); });
_postarr[key] = _tmp; _postarr[key] = _tmp;
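Review bot: The new `(_postData[key]).replace(...)` assumes every post value is already a string; the removed `encodeURIComponent` coerced numbers and other values, so a non-string value now throws a TypeError inside the loop instead of being sent. Keep the coercion with `let _tmp = String(_postData[key]).replace(/asunescape\((.+?)\)/g, function ($, $1) {`. Dropping the URL-encoding also means values containing `&` or `=` are now sent as-is; presumably the encoding moved to the transport layer (the commit title speaks of global escaping), but that is not visible in this hunk and should be confirmed. The enclosing method starts and ends outside the hunk.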
......
...@@ -37,6 +37,24 @@ const antSword = window.antSword = { ...@@ -37,6 +37,24 @@ const antSword = window.antSword = {
} }
return _html; return _html;
}, },
/**
* unxss
* @param {String} html 转义的字符串
* @param {Boolean} wrap 是否反转义换行
* @return {String} 反转义后的字符串
*/
unxss: (html = '', wrap = true) => {
let _html = String(html)
.replace(/'/g, "'")
.replace(/>/g, ">")
.replace(/&lt;/g, "<")
.replace(/&quot;/g, '"')
.replace(/&amp;/g, "&");
if (wrap) {
_html = _html.replace(/<br\/>/g, '\n'); // 只替换 noxss 转义过的
}
return _html;
},
/** /**
* 终端日志数据 * 终端日志数据
* @type {Array} * @type {Array}
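Review bot: `unxss` decodes entities before the `wrap` branch, so an escaped literal `&lt;br/&gt;` in the input becomes `<br/>` on the preceding lines and is then turned into a newline, although the comment says only breaks inserted by `noxss` should be replaced; move the `if (wrap) { ... }` block ahead of the entity-decoding chain so that only raw `<br/>` sequences are affected — this assumes `noxss` emits its `<br/>` unescaped, which this hunk does not show. The first two `.replace` calls read as identity replacements on this rendered page (`/'/g` → `"'"`, `/>/g` → `">"`), presumably `&#39;` and `&gt;` decoded by the page renderer; worth confirming in the source that the patterns are the entity forms. The JSDoc could also state the contract, e.g. `* Inverse of noxss() only; entities other than the ones handled here are left untouched.`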
......
...@@ -303,8 +303,8 @@ class Base { ...@@ -303,8 +303,8 @@ class Base {
let text = antSword.Decodes.decode(buff, encoding); let text = antSword.Decodes.decode(buff, encoding);
return res({ return res({
'encoding': encoding || "", 'encoding': encoding || "",
'text': text, 'text': antSword.noxss(text, false),
'buff': buff 'buff': Buffer.from(antSword.noxss(buff.toString()), false)
}); });
}) })
// HTTP请求返回字节流 // HTTP请求返回字节流
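Review bot: In the `'buff'` line the `false` is passed to `Buffer.from` as its encoding argument instead of to `noxss`, so the buffer is escaped with the default `wrap` while the `'text'` line uses `wrap = false`; the parenthesis should close after `false`: `'buff': Buffer.from(antSword.noxss(buff.toString(), false))`. `buff.toString()` also decodes as UTF-8 regardless of the `encoding` used for `text`, so the escape/re-encode round trip changes the bytes of any non-UTF-8 or binary payload — the consumers of `buff` are outside this hunk, but if raw file content goes through this path the escaping should stay on `text` only. The enclosing handler starts before the hunk.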
......
...@@ -553,11 +553,11 @@ class ASP { ...@@ -553,11 +553,11 @@ class ASP {
return return
}; };
const _db = Buffer const _db = Buffer
.from(_) .from(antSword.unxss(_))
.toString('base64'); .toString('base64');
this this
.tree .tree
.insertNewItem(`conn::${id}`, `database::${id}:${_db}`, antSword.noxss(_), null, this.manager.list.imgs[1], this.manager.list.imgs[1], this.manager.list.imgs[1]); .insertNewItem(`conn::${id}`, `database::${id}:${_db}`, _, null, this.manager.list.imgs[1], this.manager.list.imgs[1], this.manager.list.imgs[1]);
}); });
this this
.manager .manager
...@@ -613,11 +613,11 @@ class ASP { ...@@ -613,11 +613,11 @@ class ASP {
return return
}; };
const _table = Buffer const _table = Buffer
.from(_) .from(antSword.unxss(_))
.toString('base64'); .toString('base64');
this this
.tree .tree
.insertNewItem(`database::${id}:${_db}`, `table::${id}:${_db}:${_table}`, antSword.noxss(_), null, this.manager.list.imgs[2], this.manager.list.imgs[2], this.manager.list.imgs[2]); .insertNewItem(`database::${id}:${_db}`, `table::${id}:${_db}:${_table}`, _, null, this.manager.list.imgs[2], this.manager.list.imgs[2], this.manager.list.imgs[2]);
}); });
this this
.manager .manager
...@@ -692,8 +692,9 @@ class ASP { ...@@ -692,8 +692,9 @@ class ASP {
if (!_) { if (!_) {
return return
}; };
_ = antSword.unxss(_);
const _column = Buffer const _column = Buffer
.from(_.substr(0, _.length - _.lastIndexOf(' '))) .from(_.substr(0, _.lastIndexOf(' ')))
.toString('base64'); .toString('base64');
this this
.tree .tree
...@@ -782,10 +783,7 @@ class ASP { ...@@ -782,10 +783,7 @@ class ASP {
return toastr.error(LANG['result']['error']['parse'], LANG_T['error']); return toastr.error(LANG['result']['error']['parse'], LANG_T['error']);
}; };
// 3.行头 // 3.行头
let header_arr = antSword let header_arr = (arr[0]).replace(/,/g, '&#44;').split('\t|\t');
.noxss(arr[0])
.replace(/,/g, '&#44;')
.split('\t|\t');
if (header_arr.length === 1) { if (header_arr.length === 1) {
return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']); return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']);
}; };
...@@ -797,9 +795,6 @@ class ASP { ...@@ -797,9 +795,6 @@ class ASP {
let data_arr = []; let data_arr = [];
arr.map((_) => { arr.map((_) => {
let _data = _.split('\t|\t'); let _data = _.split('\t|\t');
for (let i = 0; i < _data.length; i++) {
_data[i] = antSword.noxss(_data[i], false);
}
data_arr.push(_data); data_arr.push(_data);
}); });
data_arr.pop(); data_arr.pop();
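Review bot: In the columns hunk (@@ -692) `_.substr(0, _.lastIndexOf(' '))` yields an empty string when the decoded name contains no space, because `lastIndexOf` returns -1, so the tree id `column::…:` loses its column part; guard it with `const sep = _.lastIndexOf(' ');` and `const _column = Buffer.from(sep === -1 ? _ : _.substr(0, sep)).toString('base64');`. The same line appears in the CUSTOM (@@ -674) and PHP (@@ -1475) sections. Within this file the database, table and column hunks (@@ -553, @@ -613, @@ -692) call `antSword.unxss(_)` with the default `wrap = true`, whereas the PHP section uses `unxss(_, false)` for the same ids, so a name whose decoded form contains `<br/>` is base64-encoded differently by the two variants; pick one (presumably `false`, since names should not carry line breaks) and use it in all three files. Each of these `arr.map` callbacks starts and ends outside its hunk.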
......
...@@ -516,11 +516,7 @@ class CUSTOM { ...@@ -516,11 +516,7 @@ class CUSTOM {
// 获取数据库列表 // 获取数据库列表
getDatabases(id) { getDatabases(id) {
this this.manager.list.layout.progressOn();
.manager
.list
.layout
.progressOn();
// 获取配置 // 获取配置
const conf = antSword['ipcRenderer'].sendSync('shell-getDataConf', { const conf = antSword['ipcRenderer'].sendSync('shell-getDataConf', {
_id: this.manager.opt['_id'], _id: this.manager.opt['_id'],
...@@ -546,20 +542,14 @@ class CUSTOM { ...@@ -546,20 +542,14 @@ class CUSTOM {
.progressOff(); .progressOff();
}; };
// 删除子节点 // 删除子节点
this this.tree.deleteChildItems(`conn::${id}`);
.tree
.deleteChildItems(`conn::${id}`);
// 添加子节点 // 添加子节点
arr.map((_) => { arr.map((_) => {
if (!_) { if (!_) {
return return
}; };
const _db = Buffer const _db = Buffer.from(antSword.unxss(_)).toString('base64');
.from(_) this.tree.insertNewItem(`conn::${id}`, `database::${id}:${_db}`, _, null, this.manager.list.imgs[1], this.manager.list.imgs[1], this.manager.list.imgs[1]);
.toString('base64');
this
.tree
.insertNewItem(`conn::${id}`, `database::${id}:${_db}`, antSword.noxss(_), null, this.manager.list.imgs[1], this.manager.list.imgs[1], this.manager.list.imgs[1]);
}); });
this this
.manager .manager
...@@ -600,24 +590,20 @@ class CUSTOM { ...@@ -600,24 +590,20 @@ class CUSTOM {
.then((res) => { .then((res) => {
let ret = res['text']; let ret = res['text'];
const arr = ret.split('\t'); const arr = ret.split('\t');
const _db = Buffer const _db = Buffer.from(db).toString('base64');
.from(db)
.toString('base64');
// 删除子节点 // 删除子节点
this this.tree.deleteChildItems(`database::${id}:${_db}`);
.tree
.deleteChildItems(`database::${id}:${_db}`);
// 添加子节点 // 添加子节点
arr.map((_) => { arr.map((_) => {
if (!_) { if (!_) {
return return
}; };
const _table = Buffer const _table = Buffer
.from(_) .from(antSword.unxss(_))
.toString('base64'); .toString('base64');
this this
.tree .tree
.insertNewItem(`database::${id}:${_db}`, `table::${id}:${_db}:${_table}`, antSword.noxss(_), null, this.manager.list.imgs[2], this.manager.list.imgs[2], this.manager.list.imgs[2]); .insertNewItem(`database::${id}:${_db}`, `table::${id}:${_db}:${_table}`, _, null, this.manager.list.imgs[2], this.manager.list.imgs[2], this.manager.list.imgs[2]);
}); });
this this
.manager .manager
...@@ -674,8 +660,9 @@ class CUSTOM { ...@@ -674,8 +660,9 @@ class CUSTOM {
if (!_) { if (!_) {
return return
}; };
_ = antSword.unxss(_);
const _column = Buffer const _column = Buffer
.from(_.substr(0, _.length - _.lastIndexOf(' '))) .from(_.substr(0, _.lastIndexOf(' ')))
.toString('base64'); .toString('base64');
this this
.tree .tree
...@@ -751,10 +738,7 @@ class CUSTOM { ...@@ -751,10 +738,7 @@ class CUSTOM {
return toastr.error(LANG['result']['error']['parse'], LANG_T['error']); return toastr.error(LANG['result']['error']['parse'], LANG_T['error']);
}; };
// 3.行头 // 3.行头
let header_arr = antSword let header_arr = (arr[0]).replace(/,/g, '&#44;').split('\t|\t');
.noxss(arr[0])
.replace(/,/g, '&#44;')
.split('\t|\t');
if (header_arr.length === 1) { if (header_arr.length === 1) {
return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']); return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']);
}; };
......
...@@ -1271,7 +1271,7 @@ class PHP { ...@@ -1271,7 +1271,7 @@ class PHP {
let dbname = Buffer.from(treeselect.split('::')[1].split(":")[1],"base64").toString(); let dbname = Buffer.from(treeselect.split('::')[1].split(":")[1],"base64").toString();
let tablename = Buffer.from(treeselect.split('::')[1].split(":")[2],"base64").toString(); let tablename = Buffer.from(treeselect.split('::')[1].split(":")[2],"base64").toString();
let columnname = Buffer.from(treeselect.split('::')[1].split(":")[3],"base64").toString(); let columnname = Buffer.from(treeselect.split('::')[1].split(":")[3],"base64").toString();
let columntyperaw = this.tree.getSelectedItemText(); let columntyperaw = antSword.unxss(this.tree.getSelectedItemText());
let columntype = null; let columntype = null;
var ctypereg = new RegExp(columnname+'\\s\\((.+?\\))\\)'); var ctypereg = new RegExp(columnname+'\\s\\((.+?\\))\\)');
var res = columntyperaw.match(ctypereg); var res = columntyperaw.match(ctypereg);
...@@ -1383,11 +1383,11 @@ class PHP { ...@@ -1383,11 +1383,11 @@ class PHP {
// 添加子节点 // 添加子节点
arr.map((_) => { arr.map((_) => {
if (!_) { return }; if (!_) { return };
const _db = Buffer.from(_).toString('base64'); const _db = Buffer.from(antSword.unxss(_, false)).toString('base64');
this.tree.insertNewItem( this.tree.insertNewItem(
`conn::${id}`, `conn::${id}`,
`database::${id}:${_db}`, `database::${id}:${_db}`,
antSword.noxss(_), null, _, null,
this.manager.list.imgs[1], this.manager.list.imgs[1],
this.manager.list.imgs[1], this.manager.list.imgs[1],
this.manager.list.imgs[1]); this.manager.list.imgs[1]);
...@@ -1427,11 +1427,11 @@ class PHP { ...@@ -1427,11 +1427,11 @@ class PHP {
// 添加子节点 // 添加子节点
arr.map((_) => { arr.map((_) => {
if (!_) { return }; if (!_) { return };
const _table = Buffer.from(_).toString('base64'); const _table = Buffer.from(antSword.unxss(_, false)).toString('base64');
this.tree.insertNewItem( this.tree.insertNewItem(
`database::${id}:${_db}`, `database::${id}:${_db}`,
`table::${id}:${_db}:${_table}`, `table::${id}:${_db}:${_table}`,
antSword.noxss(_), _,
null, null,
this.manager.list.imgs[2], this.manager.list.imgs[2],
this.manager.list.imgs[2], this.manager.list.imgs[2],
...@@ -1475,7 +1475,9 @@ class PHP { ...@@ -1475,7 +1475,9 @@ class PHP {
// 添加子节点 // 添加子节点
arr.map((_) => { arr.map((_) => {
if (!_) { return }; if (!_) { return };
const _column = Buffer.from(_.substr(0, _.length - _.lastIndexOf(' '))).toString('base64'); _ = antSword.unxss(_, false);
const _column = Buffer.from(_.substr(0, _.lastIndexOf(' '))).toString('base64');
this.tree.insertNewItem( this.tree.insertNewItem(
`table::${id}:${_db}:${_table}`, `table::${id}:${_db}:${_table}`,
`column::${id}:${_db}:${_table}:${_column}`, `column::${id}:${_db}:${_table}:${_column}`,
...@@ -1562,7 +1564,7 @@ class PHP { ...@@ -1562,7 +1564,7 @@ class PHP {
return toastr.error(LANG['result']['error']['parse'], LANG_T['error']); return toastr.error(LANG['result']['error']['parse'], LANG_T['error']);
}; };
// 3.行头 // 3.行头
let header_arr = antSword.noxss(arr[0]).replace(/,/g, '&#44;').split('\t|\t'); let header_arr = (arr[0]).replace(/,/g, '&#44;').split('\t|\t');
if (header_arr.length === 1) { if (header_arr.length === 1) {
return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']); return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']);
}; };
...@@ -1623,7 +1625,7 @@ class PHP { ...@@ -1623,7 +1625,7 @@ class PHP {
return toastr.error(LANG['result']['error']['parse'], LANG_T['error']); return toastr.error(LANG['result']['error']['parse'], LANG_T['error']);
}; };
// 3.行头 // 3.行头
let header_arr = antSword.noxss(arr[0]).replace(/,/g, '&#44;').split('\t|\t'); let header_arr = (arr[0]).replace(/,/g, '&#44;').split('\t|\t');
if (header_arr.length === 1) { if (header_arr.length === 1) {
return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']); return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']);
}; };
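Review bot: In @@ -1271 `columntyperaw` is now decoded with `unxss`, and `columnname` on the line above comes from the same decoded names (base64 of `unxss(_, false)` in @@ -1475), yet it is interpolated unescaped into `new RegExp(columnname+'\\s\\((.+?\\))\\)')` on the next context line, so a column name containing regex metacharacters (`(`, `[`, `.`, `$`) mismatches or throws a SyntaxError. Escape it first, `const safeName = columnname.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');`, and build the RegExp from `safeName`. The `unxss` call here also uses the default `wrap`, unlike the `unxss(_, false)` used for tree ids elsewhere in this file; unless `getSelectedItemText()` can contain `<br/>` that must become newlines, pass `false` for consistency. The enclosing method continues outside the hunk.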
......
...@@ -172,7 +172,7 @@ class FileManager { ...@@ -172,7 +172,7 @@ class FileManager {
path: path path: path
}) })
).then((res) => { ).then((res) => {
let ret = res['text']; let ret = antSword.unxss(res['text']);
// 判断是否出错 // 判断是否出错
if (ret.startsWith('ERROR://')) { if (ret.startsWith('ERROR://')) {
callback([]); callback([]);
...@@ -1036,8 +1036,8 @@ class FileManager { ...@@ -1036,8 +1036,8 @@ class FileManager {
path: path path: path
}) })
).then((res) => { ).then((res) => {
let ret = res['text']; let ret = antSword.unxss(res['text'], false);
codes = res['buff']; codes = Buffer.from(antSword.unxss(res['buff'].toString(), false));
let encoding = res['encoding'] || this.opts['encode']; let encoding = res['encoding'] || this.opts['encode'];
if (encoding.toUpperCase() == "UTF-8") { if (encoding.toUpperCase() == "UTF-8") {
encoding = "UTF8"; encoding = "UTF8";
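Review bot: In @@ -1036 `codes` is rebuilt from `res['buff'].toString()` (UTF-8) after the Base layer already escaped the buffer the same way, so file content makes two UTF-8 decode/encode passes before it reaches the editor; for files in the non-UTF-8 encodings this handler supports (the `encoding` branch two lines below) bytes that are not valid UTF-8 turn into U+FFFD and the file is corrupted on save. Escaping belongs to the rendered `text`, not to the raw bytes: keep `codes = res['buff'];` here, paired with not escaping `buff` in the Base response. Note also that `unxss(..., false)` does not undo a `<br/>` inserted by `noxss` with its default `wrap`, which is what the Base hunk effectively applies to `buff`; inferred from the `unxss` doc comment, confirm against `noxss`. The handler continues outside the hunk.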
......
...@@ -311,7 +311,7 @@ class Terminal { ...@@ -311,7 +311,7 @@ class Terminal {
bin: _bin bin: _bin
})) }))
.then((ret) => { .then((ret) => {
let _ = ret['text']; let _ = antSword.unxss(ret['text'], false);
// 解析出命令执行路径 // 解析出命令执行路径
const indexS = _.lastIndexOf('[S]'); const indexS = _.lastIndexOf('[S]');
const indexE = _.lastIndexOf('[E]'); const indexE = _.lastIndexOf('[E]');
......