Version 3.3.7
去除addslashes转义(无sql),确保UI显示的是非转义的结果
42
api.php
42
api.php
@@ -55,6 +55,11 @@ else if ( isset( $_GET['js_template_cmd'] ) ) {
|
||||
//添加js模板
|
||||
case 'add':
|
||||
if ( isset( $_POST['name'] ) && isset( $_POST['desc'] ) && isset( $_POST['content'] ) ) {
|
||||
if (get_magic_quotes_gpc()) {
|
||||
$_POST['name'] = stripslashes($_POST['name']);
|
||||
$_POST['desc'] = stripslashes($_POST['desc']);
|
||||
$_POST['content'] = stripslashes($_POST['content']);
|
||||
}
|
||||
$result = save_js_desc( JS_TEMPLATE_PATH, $_POST['desc'], $_POST['name'] )
|
||||
&& save_js_content( JS_TEMPLATE_PATH, $_POST['content'], $_POST['name'] );
|
||||
echo json_encode( $result );
|
||||
@@ -67,6 +72,12 @@ else if ( isset( $_GET['js_template_cmd'] ) ) {
|
||||
//修改js模板
|
||||
case 'modify':
|
||||
if ( isset( $_POST['old_name'] ) && isset( $_POST['name'] ) && isset( $_POST['desc'] ) && isset( $_POST['content'] ) ) {
|
||||
if (get_magic_quotes_gpc()) {
|
||||
$_POST['old_name'] = stripslashes($_POST['old_name']);
|
||||
$_POST['name'] = stripslashes($_POST['name']);
|
||||
$_POST['desc'] = stripslashes($_POST['desc']);
|
||||
$_POST['content'] = stripslashes($_POST['content']);
|
||||
}
|
||||
$result = true;
|
||||
if ( $_POST['old_name'] != $_POST['name'] )
|
||||
$result = delete_js( JS_TEMPLATE_PATH, $_POST['old_name'] );
|
||||
@@ -85,16 +96,22 @@ else if ( isset( $_GET['js_template_cmd'] ) ) {
|
||||
|
||||
//获取某一js模板的内容
|
||||
case 'get':
|
||||
if ( isset( $_GET['name'] ) )
|
||||
if ( isset( $_GET['name'] ) ) {
|
||||
if (get_magic_quotes_gpc())
|
||||
$_POST['name'] = stripslashes($_POST['name']);
|
||||
echo json_encode( load_js_content( JS_TEMPLATE_PATH, $_GET['name'] ) );
|
||||
}
|
||||
else
|
||||
echo json_encode( false );
|
||||
break;
|
||||
|
||||
//删除js模板
|
||||
case 'del':
|
||||
if ( isset( $_GET['name'] ) )
|
||||
if ( isset( $_GET['name'] ) ) {
|
||||
if (get_magic_quotes_gpc())
|
||||
$_POST['name'] = stripslashes($_POST['name']);
|
||||
echo json_encode( delete_js( JS_TEMPLATE_PATH, $_GET['name'] ) );
|
||||
}
|
||||
else
|
||||
echo json_encode( false );
|
||||
break;
|
||||
@@ -119,6 +136,11 @@ else if ( isset( $_GET['my_js_cmd'] ) ) {
|
||||
//添加js模板
|
||||
case 'add':
|
||||
if ( isset( $_POST['name'] ) && isset( $_POST['desc'] ) && isset( $_POST['content'] ) ) {
|
||||
if (get_magic_quotes_gpc()) {
|
||||
$_POST['name'] = stripslashes($_POST['name']);
|
||||
$_POST['desc'] = stripslashes($_POST['desc']);
|
||||
$_POST['content'] = stripslashes($_POST['content']);
|
||||
}
|
||||
$result = save_js_desc( MY_JS_PATH, $_POST['desc'], $_POST['name'] )
|
||||
&& save_js_content( MY_JS_PATH, $_POST['content'], $_POST['name'] );
|
||||
echo json_encode( $result );
|
||||
@@ -131,6 +153,12 @@ else if ( isset( $_GET['my_js_cmd'] ) ) {
|
||||
//修改js模板
|
||||
case 'modify':
|
||||
if ( isset( $_POST['old_name'] ) && isset( $_POST['name'] ) && isset( $_POST['desc'] ) && isset( $_POST['content'] ) ) {
|
||||
if (get_magic_quotes_gpc()) {
|
||||
$_POST['old_name'] = stripslashes($_POST['old_name']);
|
||||
$_POST['name'] = stripslashes($_POST['name']);
|
||||
$_POST['desc'] = stripslashes($_POST['desc']);
|
||||
$_POST['content'] = stripslashes($_POST['content']);
|
||||
}
|
||||
$result = true;
|
||||
if ( $_POST['old_name'] != $_POST['name'] )
|
||||
$result = delete_js( MY_JS_PATH, $_POST['old_name'] );
|
||||
@@ -147,16 +175,22 @@ else if ( isset( $_GET['my_js_cmd'] ) ) {
|
||||
|
||||
//获取某一js模板的内容
|
||||
case 'get':
|
||||
if ( isset( $_GET['name'] ) )
|
||||
if ( isset( $_GET['name'] ) ) {
|
||||
if (get_magic_quotes_gpc())
|
||||
$_POST['name'] = stripslashes($_POST['name']);
|
||||
echo json_encode( load_js_content( MY_JS_PATH, $_GET['name'] ) );
|
||||
}
|
||||
else
|
||||
echo json_encode( false );
|
||||
break;
|
||||
|
||||
//删除js模板
|
||||
case 'del':
|
||||
if ( isset( $_GET['name'] ) )
|
||||
if ( isset( $_GET['name'] ) ) {
|
||||
if (get_magic_quotes_gpc())
|
||||
$_POST['name'] = stripslashes($_POST['name']);
|
||||
echo json_encode( delete_js( MY_JS_PATH, $_GET['name'] ) );
|
||||
}
|
||||
else
|
||||
echo json_encode( false );
|
||||
break;
|
||||
|
||||
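Review bot: In the new `get` and `del` cases (in both the `js_template_cmd` and the `my_js_cmd` branches) the magic-quotes guard strips `$_POST['name']`, while the key that is checked and then handed to `load_js_content`/`delete_js` is `$_GET['name']`, so the slashes are never removed from the value actually used and `$_POST['name']` is read without an isset check. The line should read `$_GET['name'] = stripslashes($_GET['name']);` in all four places. `get_magic_quotes_gpc()` was removed in PHP 8.0, so these guards fatal there; if that runtime is a target, drop them or wrap them in `function_exists()`. Since `name` appears to end up as a filesystem path segment (see the `.desc` file naming in dio.php), restricting it to a safe character set before it reaches `save_js_*`/`delete_js` is worth a check as well, though those helpers are not in this diff. The enclosing switch starts and ends outside these hunks.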
10
dio.php
10
dio.php
@@ -50,7 +50,7 @@ function load_xss_record( $id ) {
|
||||
|
||||
$isChange = false;
|
||||
if ( !isset( $info['location'] ) ) {
|
||||
$info['location'] = stripStr( convertip( $info['user_IP'], IPDATA_PATH ) );
|
||||
$info['location'] = convertip( $info['user_IP'], IPDATA_PATH );
|
||||
$isChange = true;
|
||||
}
|
||||
|
||||
@@ -116,7 +116,7 @@ function list_xss_record_detail() {
|
||||
$isChange = false;
|
||||
//如果没有设置location,就查询qqwry.dat判断location
|
||||
if ( !isset( $info['location'] ) ) {
|
||||
$info['location'] = stripStr( convertip( $info['user_IP'], IPDATA_PATH ) );
|
||||
$info['location'] = convertip( $info['user_IP'], IPDATA_PATH );
|
||||
$isChange = true;
|
||||
}
|
||||
|
||||
@@ -216,7 +216,7 @@ function list_js_name_and_desc( $path ) {
|
||||
$filename = preg_replace( '/^.+[\\\\\\/]/', '', $file );
|
||||
$filename = substr( $filename, 0, strlen( $filename ) - 3 );
|
||||
$item['js_name'] = $filename;
|
||||
$item['js_name_abbr'] = stripStr( $filename );
|
||||
$item['js_name_abbr'] = htmlspecialchars($filename, ENT_QUOTES, 'UTF-8');
|
||||
|
||||
$result = @file_get_contents( dirname(__FILE__) . '/' . $path . '/' . $filename . '.desc' );
|
||||
$result = $result ? $result : "";
|
||||
@@ -228,9 +228,9 @@ function list_js_name_and_desc( $path ) {
|
||||
$result = "加密密码不符,无法获得描述";
|
||||
|
||||
$item['js_description'] = $result;
|
||||
$item['js_description_abbr'] = stripStr( $result );
|
||||
$item['js_description_abbr'] = htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
|
||||
|
||||
//特别注意:只有js_name_abbr,js_description_abbr经过stripStr处理
|
||||
//特别注意:只有js_name_abbr,js_description_abbr经过htmlspecialchars处理
|
||||
$list[] = $item;
|
||||
|
||||
}
|
||||
|
||||
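Review bot: Dropping `stripStr()` around `convertip()` in `load_xss_record` and `list_xss_record_detail` moves the escaping responsibility onto `convertip()` itself, but nothing in this diff shows that function escaping its output — the only basis is the rewritten header comment in the functions file ("已过滤,可直接输出") — and `$info['location']` is then stored (`$isChange = true`) and presumably rendered later. If the location text comes only from the IP database rather than request data this is likely fine, but the assumption should be recorded where the value is written: `// location is stored unescaped; convertip() is documented as returning display-safe text — re-check if that function changes`. The inlined `htmlspecialchars($filename, ENT_QUOTES, 'UTF-8')` on the `js_name_abbr`/`js_description_abbr` lines is the right call, because `stripStr()`'s stripslashes branch keys on the ini flag rather than on the data source and would mangle filesystem-derived strings. All three functions continue outside their hunks.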
@@ -48,7 +48,7 @@ function isKeepSession($info) {
|
||||
function stripStr($str) {
|
||||
if (get_magic_quotes_gpc())
|
||||
$str = stripslashes($str);
|
||||
return addslashes(htmlspecialchars($str, ENT_QUOTES, 'UTF-8'));
|
||||
return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
|
||||
}
|
||||
|
||||
function stripArr($arr) {
|
||||
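Review bot: After this change `stripStr()` is an HTML escaper — it no longer adds slashes — yet its name and the unconditional `get_magic_quotes_gpc()` branch still read like a GPC sanitiser, and that branch strips backslashes from any string passed in whenever the ini flag is on, whether or not the value came from a request. A short docblock would prevent misuse: `/** HTML-escape $str (ENT_QUOTES, UTF-8). Pass GPC input only: the stripslashes branch assumes magic_quotes_gpc already added slashes to $str. */`. `get_magic_quotes_gpc()` is removed in PHP 8.0, so the helper fatals there; a `function_exists()` guard or dropping the branch keeps it portable. `stripArr()` begins on the hunk's last line and is not visible here.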
@@ -121,7 +121,7 @@ function decrypt($info) {
|
||||
return $info;
|
||||
}
|
||||
|
||||
//基于Discuz X3.1 function_misc.php
|
||||
//基于Discuz X3.1 function_misc.php 函数已过滤,可直接输出
|
||||
function convertip($ip, $ipdatafile) {
|
||||
$ipaddr = '未知';
|
||||
if (preg_match("/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/", $ip)) {
|
||||
|
||||
@@ -49,7 +49,7 @@ if (KEEP_SESSION) {
|
||||
|
||||
}
|
||||
|
||||
//可加上sleep来防止keepsession被ddos
|
||||
//可加上sleep来防止keepsession被ddos
|
||||
//sleep(10);
|
||||
flock($pid, LOCK_UN);
|
||||
}
|
||||
@@ -75,7 +75,7 @@ function getCookie($info)
|
||||
else if (isset($info['cookie_data']['cookie']) && $info['cookie_data']['cookie'] != "")
|
||||
$cookie = $info['cookie_data']['cookie'];
|
||||
|
||||
return htmlspecialchars_decode(stripslashes($cookie), ENT_QUOTES);
|
||||
return htmlspecialchars_decode($cookie, ENT_QUOTES);
|
||||
|
||||
}
|
||||
|
||||
@@ -98,5 +98,5 @@ function getLocation($info)
|
||||
else if (isset($info['headers_data']['Referer']) && $info['headers_data']['Referer'] != "")
|
||||
$location = $info['headers_data']['Referer'];
|
||||
|
||||
return htmlspecialchars_decode(stripslashes($location), ENT_QUOTES);
|
||||
return htmlspecialchars_decode($location, ENT_QUOTES);
|
||||
}
|
||||
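Review bot: `getCookie()` and `getLocation()` now return the captured cookie and referer after `htmlspecialchars_decode` only, so callers receive raw attacker-controlled header data; the removed `stripslashes` was undoing the `addslashes` that the old `stripStr()` applied when the record was stored. If records written by earlier versions persist, they still carry that extra escaping layer and will now display with literal backslashes unless stored data is migrated or the strip is keyed on the record's version. The return contract should be stated at both definitions: `// returns the decoded, UNESCAPED value — escape at the HTML/JS sink`. This applies to both the getCookie and getLocation hunks; both function bodies start outside their hunks.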