Version 3.3.7
去除addslashes转义(无sql),确保UI显示的是非转义的结果
42
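--- a/api.php
+++ b/api.php
@@ -55,6 +55,11 @@ else if ( isset( $_GET['js_template_cmd'] ) ) {
 //添加js模板
 case 'add':
 if ( isset( $_POST['name'] ) && isset( $_POST['desc'] ) && isset( $_POST['content'] ) ) {
+if (get_magic_quotes_gpc()) {
+$_POST['name'] = stripslashes($_POST['name']);
+$_POST['desc'] = stripslashes($_POST['desc']);
+$_POST['content'] = stripslashes($_POST['content']);
+}
 $result = save_js_desc( JS_TEMPLATE_PATH, $_POST['desc'], $_POST['name'] )
 && save_js_content( JS_TEMPLATE_PATH, $_POST['content'], $_POST['name'] );
 echo json_encode( $result );
@@ -67,6 +72,12 @@ else if ( isset( $_GET['js_template_cmd'] ) ) {
 //修改js模板
 case 'modify':
 if ( isset( $_POST['old_name'] ) && isset( $_POST['name'] ) && isset( $_POST['desc'] ) && isset( $_POST['content'] ) ) {
+if (get_magic_quotes_gpc()) {
+$_POST['old_name'] = stripslashes($_POST['old_name']);
+$_POST['name'] = stripslashes($_POST['name']);
+$_POST['desc'] = stripslashes($_POST['desc']);
+$_POST['content'] = stripslashes($_POST['content']);
+}
 $result = true;
 if ( $_POST['old_name'] != $_POST['name'] )
 $result = delete_js( JS_TEMPLATE_PATH, $_POST['old_name'] );
@@ -85,16 +96,22 @@ else if ( isset( $_GET['js_template_cmd'] ) ) {
 
 //获取某一js模板的内容
 case 'get':
-if ( isset( $_GET['name'] ) )
+if ( isset( $_GET['name'] ) ) {
+if (get_magic_quotes_gpc())
+$_POST['name'] = stripslashes($_POST['name']);
 echo json_encode( load_js_content( JS_TEMPLATE_PATH, $_GET['name'] ) );
+}
 else
 echo json_encode( false );
 break;
 
 //删除js模板
 case 'del':
-if ( isset( $_GET['name'] ) )
+if ( isset( $_GET['name'] ) ) {
+if (get_magic_quotes_gpc())
+$_POST['name'] = stripslashes($_POST['name']);
 echo json_encode( delete_js( JS_TEMPLATE_PATH, $_GET['name'] ) );
+}
 else
 echo json_encode( false );
 break;
@@ -119,6 +136,11 @@ else if ( isset( $_GET['my_js_cmd'] ) ) {
 //添加js模板
 case 'add':
 if ( isset( $_POST['name'] ) && isset( $_POST['desc'] ) && isset( $_POST['content'] ) ) {
+if (get_magic_quotes_gpc()) {
+$_POST['name'] = stripslashes($_POST['name']);
+$_POST['desc'] = stripslashes($_POST['desc']);
+$_POST['content'] = stripslashes($_POST['content']);
+}
 $result = save_js_desc( MY_JS_PATH, $_POST['desc'], $_POST['name'] )
 && save_js_content( MY_JS_PATH, $_POST['content'], $_POST['name'] );
 echo json_encode( $result );
@@ -131,6 +153,12 @@ else if ( isset( $_GET['my_js_cmd'] ) ) {
 //修改js模板
 case 'modify':
 if ( isset( $_POST['old_name'] ) && isset( $_POST['name'] ) && isset( $_POST['desc'] ) && isset( $_POST['content'] ) ) {
+if (get_magic_quotes_gpc()) {
+$_POST['old_name'] = stripslashes($_POST['old_name']);
+$_POST['name'] = stripslashes($_POST['name']);
+$_POST['desc'] = stripslashes($_POST['desc']);
+$_POST['content'] = stripslashes($_POST['content']);
+}
 $result = true;
 if ( $_POST['old_name'] != $_POST['name'] )
 $result = delete_js( MY_JS_PATH, $_POST['old_name'] );
@@ -147,16 +175,22 @@ else if ( isset( $_GET['my_js_cmd'] ) ) {
 
 //获取某一js模板的内容
 case 'get':
-if ( isset( $_GET['name'] ) )
+if ( isset( $_GET['name'] ) ) {
+if (get_magic_quotes_gpc())
+$_POST['name'] = stripslashes($_POST['name']);
 echo json_encode( load_js_content( MY_JS_PATH, $_GET['name'] ) );
+}
 else
 echo json_encode( false );
 break;
 
 //删除js模板
 case 'del':
-if ( isset( $_GET['name'] ) )
+if ( isset( $_GET['name'] ) ) {
+if (get_magic_quotes_gpc())
+$_POST['name'] = stripslashes($_POST['name']);
 echo json_encode( delete_js( MY_JS_PATH, $_GET['name'] ) );
+}
 else
 echo json_encode( false );
 break;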
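Review bot: In the `get` and `del` cases of hunk `@@ -85,16 +96,22 @@` (and identically in `@@ -147,16 +175,22 @@` for my_js_cmd), the new magic-quotes branch unslashes `$_POST['name']` while the value passed to load_js_content/delete_js on the next line is `$_GET['name']`, so under magic_quotes the GET value keeps its backslashes and the `$_POST['name']` read raises an undefined-index notice because nothing in that branch sets it; the line should be `$_GET['name'] = stripslashes($_GET['name']);`. Separately, `get_magic_quotes_gpc()` is deprecated since PHP 7.4 and removed in 8.0, so every added block in this file is a fatal call on a current runtime; wrapping it as `if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())` keeps api.php loadable. Since `name` is presumably used to build a template path inside those helpers (the dio.php hunk in this commit shows such path construction, but the helper bodies are not here), it should also be checked to be a bare file name before use. The enclosing `switch` starts and ends outside these hunks.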
10
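--- a/dio.php
+++ b/dio.php
@@ -50,7 +50,7 @@ function load_xss_record( $id ) {
 
 $isChange = false;
 if ( !isset( $info['location'] ) ) {
-$info['location'] = stripStr( convertip( $info['user_IP'], IPDATA_PATH ) );
+$info['location'] = convertip( $info['user_IP'], IPDATA_PATH );
 $isChange = true;
 }
 
@@ -116,7 +116,7 @@ function list_xss_record_detail() {
 $isChange = false;
 //如果没有设置location,就查询qqwry.dat判断location
 if ( !isset( $info['location'] ) ) {
-$info['location'] = stripStr( convertip( $info['user_IP'], IPDATA_PATH ) );
+$info['location'] = convertip( $info['user_IP'], IPDATA_PATH );
 $isChange = true;
 }
 
@@ -216,7 +216,7 @@ function list_js_name_and_desc( $path ) {
 $filename = preg_replace( '/^.+[\\\\\\/]/', '', $file );
 $filename = substr( $filename, 0, strlen( $filename ) - 3 );
 $item['js_name'] = $filename;
-$item['js_name_abbr'] = stripStr( $filename );
+$item['js_name_abbr'] = htmlspecialchars($filename, ENT_QUOTES, 'UTF-8');
 
 $result = @file_get_contents( dirname(__FILE__) . '/' . $path . '/' . $filename . '.desc' );
 $result = $result ? $result : "";
@@ -228,9 +228,9 @@ function list_js_name_and_desc( $path ) {
 $result = "加密密码不符,无法获得描述";
 
 $item['js_description'] = $result;
-$item['js_description_abbr'] = stripStr( $result );
+$item['js_description_abbr'] = htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
 
-//特别注意:只有js_name_abbr,js_description_abbr经过stripStr处理
+//特别注意:只有js_name_abbr,js_description_abbr经过htmlspecialchars处理
 $list[] = $item;
 
 }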
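Review bot: With stripStr dropped from the two `$info['location'] = convertip( $info['user_IP'], IPDATA_PATH );` lines, the location is now stored unescaped, and the `$isChange = true` that follows suggests it is written back to the record; records created before this commit would then hold an HTML-escaped location while new ones hold the raw one, so whichever view prints `location` has to escape at output time or the two formats render differently. The assumption that convertip's output is display-safe should be stated where the value is consumed, not only in the comment this commit adds to convertip. The two new `htmlspecialchars($..., ENT_QUOTES, 'UTF-8')` calls in list_js_name_and_desc differ from the post-commit stripStr only by its magic-quotes step; if that is deliberate, a one-line comment such as `// file names and .desc contents are not GPC input, so no stripslashes step` would keep a later reader from folding them back into stripStr. All four enclosing functions start and end outside their hunks.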
|
|||||||
@@ -48,7 +48,7 @@ function isKeepSession($info) {
|
|||||||
function stripStr($str) {
|
function stripStr($str) {
|
||||||
if (get_magic_quotes_gpc())
|
if (get_magic_quotes_gpc())
|
||||||
$str = stripslashes($str);
|
$str = stripslashes($str);
|
||||||
return addslashes(htmlspecialchars($str, ENT_QUOTES, 'UTF-8'));
|
return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
|
||||||
}
|
}
|
||||||
|
|
||||||
function stripArr($arr) {
|
function stripArr($arr) {
|
||||||
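Review bot: After the change to `return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');`, stripStr only HTML-escapes, yet its name still reads as a slash-stripping helper and nothing documents the new contract; the unchanged `get_magic_quotes_gpc()` guard above it is deprecated in PHP 7.4 and removed in 8.0, so on a current runtime the function fails before this commit's change matters. A docblock would pin the contract: `/** HTML-escape $str for output (ENT_QUOTES, UTF-8); under magic_quotes the GPC backslashes are removed first. Not a SQL or path sanitiser. */`. Because the old version also applied addslashes, anything that persisted stripStr's output before this commit presumably still carries the extra backslashes; the message notes there is no SQL involved, so this is a display-consistency issue to check rather than an injection one.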
@@ -121,7 +121,7 @@ function decrypt($info) {
|
|||||||
return $info;
|
return $info;
|
||||||
}
|
}
|
||||||
|
|
||||||
//基于Discuz X3.1 function_misc.php
|
//基于Discuz X3.1 function_misc.php 函数已过滤,可直接输出
|
||||||
function convertip($ip, $ipdatafile) {
|
function convertip($ip, $ipdatafile) {
|
||||||
$ipaddr = '未知';
|
$ipaddr = '未知';
|
||||||
if (preg_match("/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/", $ip)) {
|
if (preg_match("/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/", $ip)) {
|
||||||
|
|||||||
@@ -49,7 +49,7 @@ if (KEEP_SESSION) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
//可加上sleep来防止keepsession被ddos
|
//可加上sleep来防止keepsession被ddos
|
||||||
//sleep(10);
|
//sleep(10);
|
||||||
flock($pid, LOCK_UN);
|
flock($pid, LOCK_UN);
|
||||||
}
|
}
|
||||||
@@ -75,7 +75,7 @@ function getCookie($info)
|
|||||||
else if (isset($info['cookie_data']['cookie']) && $info['cookie_data']['cookie'] != "")
|
else if (isset($info['cookie_data']['cookie']) && $info['cookie_data']['cookie'] != "")
|
||||||
$cookie = $info['cookie_data']['cookie'];
|
$cookie = $info['cookie_data']['cookie'];
|
||||||
|
|
||||||
return htmlspecialchars_decode(stripslashes($cookie), ENT_QUOTES);
|
return htmlspecialchars_decode($cookie, ENT_QUOTES);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -98,5 +98,5 @@ function getLocation($info)
|
|||||||
else if (isset($info['headers_data']['Referer']) && $info['headers_data']['Referer'] != "")
|
else if (isset($info['headers_data']['Referer']) && $info['headers_data']['Referer'] != "")
|
||||||
$location = $info['headers_data']['Referer'];
|
$location = $info['headers_data']['Referer'];
|
||||||
|
|
||||||
return htmlspecialchars_decode(stripslashes($location), ENT_QUOTES);
|
return htmlspecialchars_decode($location, ENT_QUOTES);
|
||||||
}
|
}
|
||||||
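Review bot: getCookie and getLocation now return `htmlspecialchars_decode($cookie, ENT_QUOTES)` and `htmlspecialchars_decode($location, ENT_QUOTES)`, i.e. the captured cookie and Referer as the reporting browser sent them; in an XSS record these strings are by nature influenced by an outside party, so the decode is only safe if every caller re-escapes for its own output context (HTML body, attribute, JS), and that expectation is written nowhere in either hunk. A short docblock on both functions would make it explicit: `/** Returns the raw (decoded, unescaped) value; callers must escape it for their output context. */`. Removing stripslashes also changes how records stored by earlier versions display if they were saved with the slashes in place — presumably they will now show literal backslashes until migrated. Both function bodies start outside their hunks.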