From e63a14d32a2fc6fa3f11efebea362d12662ddcfc Mon Sep 17 00:00:00 2001
From: Firesun <firesun.cn@gmail.com>
Date: Tue, 27 Dec 2016 21:49:19 +0800
Subject: [PATCH] =?UTF-8?q?Version=203.4.0=201.=20=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?=E4=BA=86ADMIN=5FIP=5FCHECK=5FENABLE=E4=B8=8EXFF=5FENABLE?=
 =?UTF-8?q?=E4=B8=A4=E4=B8=AA=E9=80=89=E9=A1=B9=EF=BC=8C=E5=9C=A8=E6=9C=89?=
 =?UTF-8?q?=E5=8F=8D=E4=BB=A3=E6=88=96=E8=B4=9F=E8=BD=BD=E5=9D=87=E8=A1=A1?=
 =?UTF-8?q?=E7=9A=84=E6=83=85=E5=86=B5=E4=B8=8B=E5=8F=AF=E5=BC=80=E5=90=AF?=
 =?UTF-8?q?XFF=5FENABLE=EF=BC=8C=E5=85=B3=E9=97=ADADMIN=5FIP=5FCHECK=5FENA?=
 =?UTF-8?q?BLE=202.=20=E4=BF=AE=E5=A4=8D=E4=B8=80=E7=B3=BB=E5=88=97bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 admin.php                  |   2 +-
 api.php                    |   3 +-
 auth.php                   |  14 +-
 config-sample.php          |   2 +
 dio.php                    |   1 -
 functions.php              |  21 +
 index.php                  |   5 +-
 install.php                | 787 +++++++++++++++++++------------------
 login.php                  |   3 +-
 src/css/install.css        |   2 +-
 static/css/install.min.css |   2 +-
 11 files changed, 448 insertions(+), 394 deletions(-)
diff --git a/admin.php b/admin.php
index e2c1391..38c6943 100644
--- a/admin.php
+++ b/admin.php
@@ -1,6 +1,6 @@
 <?php
 define("IN_XSS_PLATFORM", true);
-require("auth.php");
+require_once("auth.php");
 ?>
 <!DOCTYPE html>
 <html>
diff --git a/api.php b/api.php
index 864f0d8..941830a 100644
--- a/api.php
+++ b/api.php
@@ -1,8 +1,7 @@
 <?php
+error_reporting(0);
 define("IN_XSS_PLATFORM", true);
 require_once('auth.php');
-require_once("load.php");
-require_once("functions.php");
 require_once("dio.php");
 header('Content-Type: application/json');
 
diff --git a/auth.php b/auth.php
index b5e21d0..3c8439d 100644
--- a/auth.php
+++ b/auth.php
@@ -3,12 +3,24 @@ if (!defined('IN_XSS_PLATFORM')) {
     exit('Access Denied');
 }
 
+require_once("functions.php");
+
 //设置httponly
 ini_set("session.cookie_httponly", 1);
 session_start();
 
 //判断登陆情况，ip和useragent是否改变，改变则强制退出
-if (!(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != "" && $_SESSION['user_IP'] === $_SERVER['REMOTE_ADDR'] && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT'])) {
+if ( !(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT']) ) {
+    $_SESSION['isLogin']    = false;
+    $_SESSION['user_IP']    = "";
+    $_SESSION['user_agent'] = "";
+    session_unset();
+    session_destroy();
+    header("Location: login.php");
+    exit();
+}
+
+if ( ADMIN_IP_CHECK_ENABLE && !(isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != "" && $_SESSION['user_IP'] === getRealIP()) ) {
     $_SESSION['isLogin']    = false;
     $_SESSION['user_IP']    = "";
     $_SESSION['user_agent'] = "";
diff --git a/config-sample.php b/config-sample.php
index 7868bb7..333070d 100644
--- a/config-sample.php
+++ b/config-sample.php
@@ -11,6 +11,8 @@ define("ENCRYPT_ENABLE", true); //是否加密“xss记录，封禁ip列表，js
 define("ENCRYPT_PASS", "bluelotus"); //加密密码
 define("ENCRYPT_TYPE", "RC4"); //加密方法（AES或RC4）
 define("KEEP_SESSION", true); //是否启用KEEP_SESSION功能，需要外部定时访问keepsession.php
+define("ADMIN_IP_CHECK_ENABLE", true);//是否启用管理员ip认证，启用后，当xss平台发现ip变化，将会踢出管理员要求重新登录，如果发现经常异常退出控制面板，请关闭此项认证
+define("XFF_ENABLE", false);//是否使用HTTP_X_FORWARDED_FOR的地址来代替REMOTE_ADDR，当且仅当存在反代的情况下才须开启，开启须谨慎！
 define("IPDATA_PATH", "qqwry.dat"); //ip归属地数据库地址
 
 /*邮件通知相关配置*/
diff --git a/dio.php b/dio.php
index d705e5f..f0933e8 100644
--- a/dio.php
+++ b/dio.php
@@ -2,7 +2,6 @@
 if ( !defined('IN_XSS_PLATFORM') ) {
     exit('Access Denied');
 }
-require_once("load.php");
 require_once("functions.php");
 
 //时间戳的正则表达式
diff --git a/functions.php b/functions.php
index 45647c7..4c8bc04 100644
--- a/functions.php
+++ b/functions.php
@@ -121,6 +121,27 @@ function decrypt($info) {
     return $info;
 }
 
+//获得访问者真实ip
+function getRealIP(){
+    $ip="unknown";
+    if (XFF_ENABLE) {
+        foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_VIA', 'HTTP_FROM', 'REMOTE_ADDR') as $v) {
+            if (isset($_SERVER[$v])) {
+                if (! preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $_SERVER[$v])) {
+                    continue;
+                }
+                $ip = $_SERVER[$v];
+				break;
+            }
+        }
+    }
+    else {
+        if ( isset($_SERVER['REMOTE_ADDR']) )
+            $ip = $_SERVER['REMOTE_ADDR'];
+    }
+    return $ip;
+}
+
 //基于Discuz X3.1 function_misc.php 函数已过滤，可直接输出
 function convertip($ip, $ipdatafile) {
     $ipaddr = '未知';
diff --git a/index.php b/index.php
index d27b2f7..735e3dc 100644
--- a/index.php
+++ b/index.php
@@ -3,20 +3,19 @@ define("IN_XSS_PLATFORM", true);
 ignore_user_abort(true);
 error_reporting(0);
 
-//sometimes we only need "referfer".
+//sometimes we only need "referer".
 
 /*
 if(count($_GET)==0&&count($_POST)==0&&count($_COOKIE)==0)
 exit();
 */
 header("Access-Control-Allow-Origin:*");
-require_once("load.php");
 require_once("functions.php");
 require_once("dio.php");
 
 $info = array();
 
-$user_IP        = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "unknown";
+$user_IP        = getRealIP();
 $user_port      = isset($_SERVER['REMOTE_PORT']) ? $_SERVER['REMOTE_PORT'] : "unknown";
 $protocol       = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : "unknown";
 $request_method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : "unknown";
diff --git a/install.php b/install.php
index b4532d6..39cd6af 100644
--- a/install.php
+++ b/install.php
@@ -4,186 +4,190 @@ ignore_user_abort(true);
 
 //检测是否已经安装
 if ( file_exists('config.php') ) {
-	display_header();
-	
-	@unlink($_SERVER['SCRIPT_FILENAME']);
-	@unlink('config-sample.php');
-	die( '<h1>已安装</h1><p>请勿重复安装！</p><p class="step"><a href="login.php" class="button button-large">登录</a></p></body></html>' );
+    display_header();
+    
+    @unlink($_SERVER['SCRIPT_FILENAME']);
+    @unlink('config-sample.php');
+    die( '<h1>已安装</h1><p>请勿重复安装！</p><p class="step"><a href="login.php" class="button button-large">登录</a></p></body></html>' );
 }
 
 $step = isset( $_GET['step'] ) ? (int) $_GET['step'] : 0;
 
 switch($step) {
-	case 0: // 显示说明
-		display_header();
-		
+    case 0: // 显示说明
+        display_header();
+        
 ?>
 <form id="setup" method="post" action="?step=1">
-	<h1>欢迎</h1>
-	<p>欢迎使用本平台，安装开始前，请仔细阅读以下说明</p>
-	<p>手动安装方法：将config-sample.php改名为config.php，删除install.php即可。</p>
-	<h2>警告：</h2>
-	<p><b>本工具仅允许用于学习、研究场景，严禁用于任何非法用途！</b></p>
-	<p>人在做，天在看。善恶终有报，天道好轮回。不信抬头看，苍天饶过谁。</p>
-	<p class="step"><input name="submit" type="submit" value="安装" class="button button-large"></p>
+    <h1>欢迎</h1>
+    <p>欢迎使用本平台，安装开始前，请仔细阅读以下说明</p>
+    <p>手动安装方法：将config-sample.php改名为config.php，删除install.php即可。</p>
+    <h2>警告：</h2>
+    <p><b>本工具仅允许用于学习、研究场景，严禁用于任何非法用途！</b></p>
+    <p>人在做，天在看。善恶终有报，天道好轮回。不信抬头看，苍天饶过谁。</p>
+    <p class="step"><input name="submit" type="submit" value="安装" class="button button-large"></p>
 </form>
-<?php		
-		break;
-		
-	case 1: // 配置
-		display_header();
+<?php        
+        break;
+        
+    case 1: // 配置
+        display_header();
 ?>
 
 <h1>配置</h1>
 <p>请按照下面提示配置xss平台，默认配置可直接下一步</p>
 
 <?php
-		display_setup_form();
-		break;
-		
-	case 2: // 写入config.php
-		display_header();		
-		
-		//输入处理：使用stripStr过滤xss，使用json_encode生成最终string
-		$encrypt_enable = isset( $_POST['encrypt_enable'] ) ? true : false;
-		$keep_session_enable = isset( $_POST['keep_session_enable'] ) ? true : false;
-		$mail_enable = isset( $_POST['mail_enable'] ) ? true : false;
-		
-		$pass = isset( $_POST['pass'] ) ? stripStr($_POST['pass']) : '';
-		$encrypt_pass = isset( $_POST['encrypt_pass'] ) ? stripStr($_POST['encrypt_pass']) : '';
-		$mail_pass = isset( $_POST['mail_pass'] ) ? stripStr($_POST['mail_pass']) : '';
-		
-		$data_path = isset($_POST['data_path']) ? stripStr(trim( $_POST['data_path'] )) : '';
-		$js_template_path = isset( $_POST['js_template_path'] ) ? stripStr(trim( $_POST['js_template_path'] )) : '';
-		$my_js_path = isset( $_POST['my_js_path'] ) ? stripStr(trim( $_POST['my_js_path'] )) : '';
-		$encrypt_type = isset( $_POST['encrypt_type'] ) ? stripStr(trim( $_POST['encrypt_type'] )) : '';		
-		$ipdata_path = isset( $_POST['ipdata_path'] ) ? stripStr(trim( $_POST['ipdata_path'] )) : '';	
-		$smtp_server = isset( $_POST['smtp_server'] ) ? stripStr(trim( $_POST['smtp_server'] )) : '';
-		$smtp_port = isset( $_POST['smtp_port'] ) ? stripStr(trim( $_POST['smtp_port'] )) : '';
-		$smtp_secure = isset( $_POST['smtp_secure'] ) ? stripStr(trim( $_POST['smtp_secure'] )) : '';
-		$mail_user = isset( $_POST['mail_user'] ) ? stripStr(trim( $_POST['mail_user'] )) : '';
-		$mail_from = isset( $_POST['mail_from'] ) ? stripStr(trim( $_POST['mail_from'] )) : '';
-		$mail_recv = isset( $_POST['mail_recv'] ) ? stripStr(trim( $_POST['mail_recv'] )) : '';
-	
-		$error = false;
-			
-		if ( $pass==='' ) {
-			display_setup_form( '登录密码不可为空' );
-			$error = true;
-		}
-		else if ( !preg_match( '/^[0-9a-zA-Z_\/\\\.]+$/' , $data_path ) ) {
-			display_setup_form( 'xss数据存储路径非法' );
-			$error = true;
-		}
-		else if ( !is_dir ( $data_path ) ) {
-			
-			display_setup_form( 'xss数据存储路径不存在' );
-			$error = true;
-		}
-		else if ( !is_writable ( $data_path ) ) {
-			display_setup_form( 'xss数据存储路径不可写' );
-			$error = true;
-		}
-		else if ( glob($js_template_path.'/*')=== glob('static/js'.'/*') ) {
-			display_setup_form( 'js模板存储路径非法' );
-			$error = true;
-		}
-		else if ( !preg_match( '/^[0-9a-zA-Z_\/\\\.]+$/' , $js_template_path ) ) {
-			display_setup_form( 'js模板存储路径非法' );
-			$error = true;
-		}
-		else if ( !is_dir ( $js_template_path ) ) {
-			display_setup_form( 'js模板存储路径不存在' );
-			$error = true;
-		}
-		else if ( !is_writable ( $js_template_path ) ) {
-			display_setup_form( 'js模板存储路径不可写' );
-			$error = true;
-		}
-		else if ( glob($my_js_path.'/*')=== glob('static/js'.'/*') ) {
-			display_setup_form( '我的js存储路径非法' );
-			$error = true;
-		}
-		else if ( !preg_match( '/^[0-9a-zA-Z_\/\\\.]+$/' , $my_js_path ) ) {
-			display_setup_form( '我的js存储路径非法' );
-			$error = true;
-		}
-		else if ( !is_dir ( $my_js_path ) ) {
-			display_setup_form( '我的js存储路径不存在' );
-			$error = true;
-		}
-		else if ( !is_writable ( $my_js_path ) ) {
-			display_setup_form( '我的js存储路径不可写' );
-			$error = true;
-		}
-		else if ( $encrypt_enable && $encrypt_pass==='' ) {
-			display_setup_form( '加密密码不可为空' );
-			$error = true;
-		}
-		else if ( $encrypt_type!=="RC4" && $encrypt_type !== "AES" ) {
-			display_setup_form( '加密方式错误' );
-			$error = true;
-		}
-		else if ( !file_exists( $ipdata_path ) ) {
-			display_setup_form( 'ip数据库不存在' );
-			$error = true;
-		}
-		else if ( !preg_match( '/^[0-9]*$/' , $smtp_port ) ) {
-			display_setup_form( 'SMTP端口不合法' );
-			$error = true;
-		}
-		else
-		{
-			//生成密码hash
-			$salt='!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl';
-			$pass=md5($salt.$pass.$salt);
-			$pass=md5($salt.$pass.$salt);
-			$pass=md5($salt.$pass.$salt);
-				
-			$config_str = <<<CONFIG
+        display_setup_form();
+        break;
+        
+    case 2: // 写入config.php
+        display_header();        
+        
+        //输入处理：使用stripStr过滤xss，使用json_encode生成最终string
+        $encrypt_enable = isset( $_POST['encrypt_enable'] ) ? true : false;
+        $keep_session_enable = isset( $_POST['keep_session_enable'] ) ? true : false;
+        $admin_ip_check_enable = isset( $_POST['admin_ip_check_enable'] ) ? true : false;
+        $xff_enable= isset( $_POST['xff_enable'] ) ? true : false;
+        $mail_enable = isset( $_POST['mail_enable'] ) ? true : false;
+        
+        $pass = isset( $_POST['pass'] ) ? stripStr($_POST['pass']) : '';
+        $encrypt_pass = isset( $_POST['encrypt_pass'] ) ? stripStr($_POST['encrypt_pass']) : '';
+        $mail_pass = isset( $_POST['mail_pass'] ) ? stripStr($_POST['mail_pass']) : '';
+        
+        $data_path = isset($_POST['data_path']) ? stripStr(trim( $_POST['data_path'] )) : '';
+        $js_template_path = isset( $_POST['js_template_path'] ) ? stripStr(trim( $_POST['js_template_path'] )) : '';
+        $my_js_path = isset( $_POST['my_js_path'] ) ? stripStr(trim( $_POST['my_js_path'] )) : '';
+        $encrypt_type = isset( $_POST['encrypt_type'] ) ? stripStr(trim( $_POST['encrypt_type'] )) : '';        
+        $ipdata_path = isset( $_POST['ipdata_path'] ) ? stripStr(trim( $_POST['ipdata_path'] )) : '';    
+        $smtp_server = isset( $_POST['smtp_server'] ) ? stripStr(trim( $_POST['smtp_server'] )) : '';
+        $smtp_port = isset( $_POST['smtp_port'] ) ? stripStr(trim( $_POST['smtp_port'] )) : '';
+        $smtp_secure = isset( $_POST['smtp_secure'] ) ? stripStr(trim( $_POST['smtp_secure'] )) : '';
+        $mail_user = isset( $_POST['mail_user'] ) ? stripStr(trim( $_POST['mail_user'] )) : '';
+        $mail_from = isset( $_POST['mail_from'] ) ? stripStr(trim( $_POST['mail_from'] )) : '';
+        $mail_recv = isset( $_POST['mail_recv'] ) ? stripStr(trim( $_POST['mail_recv'] )) : '';
+    
+        $error = false;
+            
+        if ( $pass==='' ) {
+            display_setup_form( '登录密码不可为空' );
+            $error = true;
+        }
+        else if ( !preg_match( '/^[0-9a-zA-Z_\/\\\.]+$/' , $data_path ) ) {
+            display_setup_form( 'xss数据存储路径非法' );
+            $error = true;
+        }
+        else if ( !is_dir ( $data_path ) ) {
+            
+            display_setup_form( 'xss数据存储路径不存在' );
+            $error = true;
+        }
+        else if ( !is_writable ( $data_path ) ) {
+            display_setup_form( 'xss数据存储路径不可写' );
+            $error = true;
+        }
+        else if ( glob($js_template_path.'/*')=== glob('static/js'.'/*') ) {
+            display_setup_form( 'js模板存储路径非法' );
+            $error = true;
+        }
+        else if ( !preg_match( '/^[0-9a-zA-Z_\/\\\.]+$/' , $js_template_path ) ) {
+            display_setup_form( 'js模板存储路径非法' );
+            $error = true;
+        }
+        else if ( !is_dir ( $js_template_path ) ) {
+            display_setup_form( 'js模板存储路径不存在' );
+            $error = true;
+        }
+        else if ( !is_writable ( $js_template_path ) ) {
+            display_setup_form( 'js模板存储路径不可写' );
+            $error = true;
+        }
+        else if ( glob($my_js_path.'/*')=== glob('static/js'.'/*') ) {
+            display_setup_form( '我的js存储路径非法' );
+            $error = true;
+        }
+        else if ( !preg_match( '/^[0-9a-zA-Z_\/\\\.]+$/' , $my_js_path ) ) {
+            display_setup_form( '我的js存储路径非法' );
+            $error = true;
+        }
+        else if ( !is_dir ( $my_js_path ) ) {
+            display_setup_form( '我的js存储路径不存在' );
+            $error = true;
+        }
+        else if ( !is_writable ( $my_js_path ) ) {
+            display_setup_form( '我的js存储路径不可写' );
+            $error = true;
+        }
+        else if ( $encrypt_enable && $encrypt_pass==='' ) {
+            display_setup_form( '加密密码不可为空' );
+            $error = true;
+        }
+        else if ( $encrypt_type!=="RC4" && $encrypt_type !== "AES" ) {
+            display_setup_form( '加密方式错误' );
+            $error = true;
+        }
+        else if ( !file_exists( $ipdata_path ) ) {
+            display_setup_form( 'ip数据库不存在' );
+            $error = true;
+        }
+        else if ( !preg_match( '/^[0-9]*$/' , $smtp_port ) ) {
+            display_setup_form( 'SMTP端口不合法' );
+            $error = true;
+        }
+        else
+        {
+            //生成密码hash
+            $salt='!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl';
+            $pass=md5($salt.$pass.$salt);
+            $pass=md5($salt.$pass.$salt);
+            $pass=md5($salt.$pass.$salt);
+                
+            $config_str = <<<CONFIG
 <?php
 if(!defined('IN_XSS_PLATFORM')) {
-	exit('Access Denied');
+    exit('Access Denied');
 }
 
 CONFIG;
-			$config_str .= 'define("PASS", '.json_encode($pass).');//后台登录密码：默认密码bluelotus' . PHP_EOL;
-			//正则判断过，不做json_encode处理
-			$config_str .= 'define("DATA_PATH", "'.$data_path.'");//xss记录、封禁ip列表存放目录' . PHP_EOL;
-			$config_str .= 'define("JS_TEMPLATE_PATH", "'.$js_template_path.'");//js模板存放目录' . PHP_EOL;
-			$config_str .= 'define("MY_JS_PATH", "'.$my_js_path.'");//我的js存放目录' . PHP_EOL;
-			$config_str .= 'define("ENCRYPT_ENABLE", '.($encrypt_enable?"true":"false").');//是否加密“xss记录，封禁ip列表，js描述”' . PHP_EOL;
-			$config_str .= 'define("ENCRYPT_PASS", '.json_encode( $encrypt_pass).');//加密密码' . PHP_EOL;
-			$config_str .= 'define("ENCRYPT_TYPE", '.json_encode( $encrypt_type).');//加密方法（AES或RC4）' . PHP_EOL;
-			$config_str .= 'define("KEEP_SESSION", '.($keep_session_enable?"true":"false").');//是否启用KEEP_SESSION功能，需要外部定时访问keepsession.php' . PHP_EOL;
-			$config_str .= 'define("IPDATA_PATH", '.json_encode( $ipdata_path).');//ip归属地数据库地址' . PHP_EOL;
-			$config_str .= 'define("MAIL_ENABLE", '.($mail_enable?"true":"false").');//开启邮件通知' . PHP_EOL;
-			$config_str .= 'define("SMTP_SERVER", '.json_encode( $smtp_server).');//smtp服务器' . PHP_EOL;
-			//正则判断过，不做json_encode处理
-			$config_str .= 'define("SMTP_PORT", '.$smtp_port.');//端口' . PHP_EOL;
-			$config_str .= 'define("SMTP_SECURE", '.json_encode( $smtp_secure).');' . PHP_EOL;
-			$config_str .= 'define("MAIL_USER", '.json_encode( $mail_user).');//发件人用户名' . PHP_EOL;
-			$config_str .= 'define("MAIL_PASS", '.json_encode( $mail_pass).');//发件人密码' . PHP_EOL;
-			$config_str .= 'define("MAIL_FROM", '.json_encode( $mail_from).');//发件人地址（需真实，不可伪造）' . PHP_EOL;
-			$config_str .= 'define("MAIL_RECV", '.json_encode( $mail_recv).');//接收通知的邮件地址' . PHP_EOL;
-			
-			if (file_put_contents("config.php", $config_str)===false)
-			{
-				display_setup_form( '无法写入配置文件，请确保根目录有写权限' );
-				$error = true;
-			}
-		}
+            $config_str .= 'define("PASS", '.json_encode($pass).');//后台登录密码：默认密码bluelotus' . PHP_EOL;
+            //正则判断过，不做json_encode处理
+            $config_str .= 'define("DATA_PATH", "'.$data_path.'");//xss记录、封禁ip列表存放目录' . PHP_EOL;
+            $config_str .= 'define("JS_TEMPLATE_PATH", "'.$js_template_path.'");//js模板存放目录' . PHP_EOL;
+            $config_str .= 'define("MY_JS_PATH", "'.$my_js_path.'");//我的js存放目录' . PHP_EOL;
+            $config_str .= 'define("ENCRYPT_ENABLE", '.($encrypt_enable?"true":"false").');//是否加密“xss记录，封禁ip列表，js描述”' . PHP_EOL;
+            $config_str .= 'define("ENCRYPT_PASS", '.json_encode( $encrypt_pass).');//加密密码' . PHP_EOL;
+            $config_str .= 'define("ENCRYPT_TYPE", '.json_encode( $encrypt_type).');//加密方法（AES或RC4）' . PHP_EOL;
+            $config_str .= 'define("KEEP_SESSION", '.($keep_session_enable?"true":"false").');//是否启用KEEP_SESSION功能，需要外部定时访问keepsession.php' . PHP_EOL;    
+            $config_str .= 'define("ADMIN_IP_CHECK_ENABLE", '.($admin_ip_check_enable?"true":"false").');//是否启用管理员ip认证，启用后，当xss平台发现ip变化，将会踢出管理员要求重新登录，如果发现经常异常退出控制面板，请关闭此项认证' . PHP_EOL;
+            $config_str .= 'define("XFF_ENABLE", '.($xff_enable?"true":"false").');//是否使用HTTP_X_FORWARDED_FOR的地址来代替REMOTE_ADDR，当且仅当存在反代的情况下才须开启，开启须谨慎！' . PHP_EOL;
+            $config_str .= 'define("IPDATA_PATH", '.json_encode( $ipdata_path).');//ip归属地数据库地址' . PHP_EOL;
+            $config_str .= 'define("MAIL_ENABLE", '.($mail_enable?"true":"false").');//开启邮件通知' . PHP_EOL;
+            $config_str .= 'define("SMTP_SERVER", '.json_encode( $smtp_server).');//smtp服务器' . PHP_EOL;
+            //正则判断过，不做json_encode处理
+            $config_str .= 'define("SMTP_PORT", '.$smtp_port.');//端口' . PHP_EOL;
+            $config_str .= 'define("SMTP_SECURE", '.json_encode( $smtp_secure).');' . PHP_EOL;
+            $config_str .= 'define("MAIL_USER", '.json_encode( $mail_user).');//发件人用户名' . PHP_EOL;
+            $config_str .= 'define("MAIL_PASS", '.json_encode( $mail_pass).');//发件人密码' . PHP_EOL;
+            $config_str .= 'define("MAIL_FROM", '.json_encode( $mail_from).');//发件人地址（需真实，不可伪造）' . PHP_EOL;
+            $config_str .= 'define("MAIL_RECV", '.json_encode( $mail_recv).');//接收通知的邮件地址' . PHP_EOL;
+            
+            if (file_put_contents("config.php", $config_str)===false)
+            {
+                display_setup_form( '无法写入配置文件，请确保根目录有写权限' );
+                $error = true;
+            }
+        }
 
-		if ( $error === false ) {
-			
-			//重加密记录
-			modify_js_desc($my_js_path,true,'bluelotus','RC4',$encrypt_enable,$encrypt_pass, $encrypt_type);
-			modify_js_desc($js_template_path,true,'bluelotus','RC4',$encrypt_enable,$encrypt_pass, $encrypt_type);
-			
-			//安装完成，自杀
-			@unlink($_SERVER['SCRIPT_FILENAME']);
-			@unlink('config-sample.php');
-			
+        if ( $error === false ) {
+            
+            //重加密记录
+            modify_js_desc($my_js_path,true,'bluelotus','RC4',$encrypt_enable,$encrypt_pass, $encrypt_type);
+            modify_js_desc($js_template_path,true,'bluelotus','RC4',$encrypt_enable,$encrypt_pass, $encrypt_type);
+            
+            //安装完成，自杀
+            @unlink($_SERVER['SCRIPT_FILENAME']);
+            @unlink('config-sample.php');
+            
 ?>
 
 <h1>安装成功</h1>
@@ -191,8 +195,8 @@ CONFIG;
 
 <p class="step"><a href="login.php" class="button button-large">登录</a></p>
 <?php
-		}
-		break;
+        }
+        break;
 }
 
 
@@ -202,262 +206,281 @@ function display_header() {
 <!DOCTYPE html>
 <html>
 <head>
-	<meta name="viewport" content="width=device-width" />
-	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-	<meta name="robots" content="noindex,nofollow" />
-	<title>安装</title>
-	<link rel="stylesheet" href="static/css/install.min.css" type="text/css" />
+    <meta name="viewport" content="width=device-width" />
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta name="robots" content="noindex,nofollow" />
+    <title>安装</title>
+    <link rel="stylesheet" href="static/css/install.min.css" type="text/css" />
 </head>
 <body class="core-ui">
 <p id="logo">
-	<a href="1" tabindex="-1"></a>
+    <a href="1" tabindex="-1"></a>
 </p>
 <?php
 
 } // end display_header()
 
 function display_setup_form( $error = null ) {
-	
-	$encrypt_enable = isset( $_POST['encrypt_enable'] ) ? true : false;
-	$keep_session_enable = isset( $_POST['keep_session_enable'] ) ? true : false;
-	$mail_enable = isset( $_POST['mail_enable'] ) ? true : false;
-	
-	$pass = isset( $_POST['pass'] ) ? stripStr($_POST['pass']) : 'bluelotus';
-	$encrypt_pass = isset( $_POST['encrypt_pass'] ) ? stripStr($_POST['encrypt_pass']) : 'bluelotus';
-	$mail_pass = isset( $_POST['mail_pass'] ) ? stripStr($_POST['mail_pass']) : 'xxxxxx';
-	
-	$data_path = isset($_POST['data_path']) ? stripStr(trim( $_POST['data_path'] )) : 'data';
-	$js_template_path = isset( $_POST['js_template_path'] ) ? stripStr(trim( $_POST['js_template_path'] )) : 'template';
-	$my_js_path = isset( $_POST['my_js_path'] ) ? stripStr(trim( $_POST['my_js_path'] )) : 'myjs';
-	$encrypt_type = isset( $_POST['encrypt_type'] ) ? stripStr(trim( $_POST['encrypt_type'] )) : 'RC4';		
-	$ipdata_path = isset( $_POST['ipdata_path'] ) ? stripStr(trim( $_POST['ipdata_path'] )) : 'qqwry.dat';	
-	$smtp_server = isset( $_POST['smtp_server'] ) ? stripStr(trim( $_POST['smtp_server'] )) : 'smtp.xxx.com';
-	$smtp_port = isset( $_POST['smtp_port'] ) ? stripStr(trim( $_POST['smtp_port'] )) : '465';
-	$smtp_secure = isset( $_POST['smtp_secure'] ) ? stripStr(trim( $_POST['smtp_secure'] )) : 'ssl';
-	$mail_user = isset( $_POST['mail_user'] ) ? stripStr(trim( $_POST['mail_user'] )) : 'xxx@xxx.com';
-	$mail_from = isset( $_POST['mail_from'] ) ? stripStr(trim( $_POST['mail_from'] )) : 'xxx@xxx.com';
-	$mail_recv = isset( $_POST['mail_recv'] ) ? stripStr(trim( $_POST['mail_recv'] )) : 'xxx@xxx.com';
-	
-	if ( ! is_null( $error ) ) {
+    
+    $encrypt_enable = isset( $_POST['encrypt_enable'] ) ? true : false;
+    $keep_session_enable = isset( $_POST['keep_session_enable'] ) ? true : false;
+    $admin_ip_check_enable = isset( $_POST['admin_ip_check_enable'] ) ? true : false;
+    $xff_enable= isset( $_POST['xff_enable'] ) ? true : false;
+    $mail_enable = isset( $_POST['mail_enable'] ) ? true : false;
+    
+    $pass = isset( $_POST['pass'] ) ? stripStr($_POST['pass']) : 'bluelotus';
+    $encrypt_pass = isset( $_POST['encrypt_pass'] ) ? stripStr($_POST['encrypt_pass']) : 'bluelotus';
+    $mail_pass = isset( $_POST['mail_pass'] ) ? stripStr($_POST['mail_pass']) : 'xxxxxx';
+    
+    $data_path = isset($_POST['data_path']) ? stripStr(trim( $_POST['data_path'] )) : 'data';
+    $js_template_path = isset( $_POST['js_template_path'] ) ? stripStr(trim( $_POST['js_template_path'] )) : 'template';
+    $my_js_path = isset( $_POST['my_js_path'] ) ? stripStr(trim( $_POST['my_js_path'] )) : 'myjs';
+    $encrypt_type = isset( $_POST['encrypt_type'] ) ? stripStr(trim( $_POST['encrypt_type'] )) : 'RC4';        
+    $ipdata_path = isset( $_POST['ipdata_path'] ) ? stripStr(trim( $_POST['ipdata_path'] )) : 'qqwry.dat';    
+    $smtp_server = isset( $_POST['smtp_server'] ) ? stripStr(trim( $_POST['smtp_server'] )) : 'smtp.xxx.com';
+    $smtp_port = isset( $_POST['smtp_port'] ) ? stripStr(trim( $_POST['smtp_port'] )) : '465';
+    $smtp_secure = isset( $_POST['smtp_secure'] ) ? stripStr(trim( $_POST['smtp_secure'] )) : 'ssl';
+    $mail_user = isset( $_POST['mail_user'] ) ? stripStr(trim( $_POST['mail_user'] )) : 'xxx@xxx.com';
+    $mail_from = isset( $_POST['mail_from'] ) ? stripStr(trim( $_POST['mail_from'] )) : 'xxx@xxx.com';
+    $mail_recv = isset( $_POST['mail_recv'] ) ? stripStr(trim( $_POST['mail_recv'] )) : 'xxx@xxx.com';
+    
+    if ( ! is_null( $error ) ) {
 ?>
 <h1>错误</h1>
 <p class="message"><?php echo stripStr($error); ?></p>
 <?php
-	} 
+    } 
 ?>
 <form id="setup" method="post" action="install.php?step=2" novalidate="novalidate">
-	<table class="form-table">
-		<tr>
-			<th scope="row"><label for="pass">后台登录密码</label></th>
-			<td>
-				<input name="pass" type="text" id="pass" size="25" value="<?php echo $pass;?>" required="required"  />
-				<p>特殊字符会被转义，慎用，下同</p>
-			</td>
-		</tr>
-	
-		<tr>
-			<th scope="row"><label for="data_path">xss数据存储路径</label></th>
-			<td>
-				<input name="data_path" type="text" id="data_path" size="25" value="<?php echo $data_path; ?>" required="required" />
-				<p>文件夹需要有写权限</p>
-			</td>
-		</tr>
-		
-		<tr>
-			<th scope="row"><label for="js_template_path">js模板存储路径</label></th>
-			<td>
-				<input name="js_template_path" type="text" id="js_template_path" size="25" value="<?php echo $js_template_path;?>" required="required" />
-				<p>文件夹需要有写权限</p>
-			</td>
-		</tr>
-		
-		<tr>
-			<th scope="row"><label for="my_js_path">我的js存储路径</label></th>
-			<td>
-				<input name="my_js_path" type="text" id="my_js_path" size="25" value="<?php echo $my_js_path;?>" required="required" />
-				<p>文件夹需要有写权限</p>
-			</td>
-		</tr>
-		
-		<tr>
-			<th scope="row"><label for="encrypt_enable">启用数据加密</label></th>
-			<td>
-				<input type="checkbox" name="encrypt_enable" type="text" id="encrypt_enable" size="25" value="1" <?php if( !isset( $_POST['encrypt_enable'] ) || $encrypt_enable===true ) echo 'checked="checked"';?> />
-				<p>对xss记录，js描述文件加密</p>
-			</td>
-		</tr>	
-	
-		<tr>
-			<th scope="row"><label for="encrypt_pass">数据加密密码</label></th>
-			<td>
-				<input name="encrypt_pass" type="text" id="encrypt_pass" size="25" value="<?php echo $encrypt_pass;?>" />
-				<p>加密数据的密码</p>
-			</td>
-		</tr>
-		
-		<tr>
-			<th scope="row"><label for="encrypt_type">加密方式</label></th>
-			<td>
-				
-				
-				<select name="encrypt_type" type="text" id="encrypt_type" size="1">
-					<option value ="RC4" <?php if($encrypt_type==="RC4") echo 'selected="selected"';?> >RC4</option>
-					<option value ="AES" <?php if($encrypt_type!=="RC4") echo 'selected="selected"';?> >AES</option>
-				</select>
-				
-			</td>
-		</tr>
+    <table class="form-table">
+        <tr>
+            <th scope="row"><label for="pass">后台登录密码</label></th>
+            <td>
+                <input name="pass" type="text" id="pass" size="25" value="<?php echo $pass;?>" required="required"  />
+                <p>特殊字符会被转义，慎用，下同</p>
+            </td>
+        </tr>
+    
+        <tr>
+            <th scope="row"><label for="data_path">xss数据存储路径</label></th>
+            <td>
+                <input name="data_path" type="text" id="data_path" size="25" value="<?php echo $data_path; ?>" required="required" />
+                <p>文件夹需要有写权限</p>
+            </td>
+        </tr>
+        
+        <tr>
+            <th scope="row"><label for="js_template_path">js模板存储路径</label></th>
+            <td>
+                <input name="js_template_path" type="text" id="js_template_path" size="25" value="<?php echo $js_template_path;?>" required="required" />
+                <p>文件夹需要有写权限</p>
+            </td>
+        </tr>
+        
+        <tr>
+            <th scope="row"><label for="my_js_path">我的js存储路径</label></th>
+            <td>
+                <input name="my_js_path" type="text" id="my_js_path" size="25" value="<?php echo $my_js_path;?>" required="required" />
+                <p>文件夹需要有写权限</p>
+            </td>
+        </tr>
+        
+        <tr>
+            <th scope="row"><label for="encrypt_enable">启用数据加密</label></th>
+            <td>
+                <input type="checkbox" name="encrypt_enable" type="text" id="encrypt_enable" size="25" value="1" <?php if( !isset( $_POST['pass'] ) || $encrypt_enable===true ) echo 'checked="checked"';?> />
+                <p>对xss记录，js描述文件加密</p>
+            </td>
+        </tr>    
+    
+        <tr>
+            <th scope="row"><label for="encrypt_pass">数据加密密码</label></th>
+            <td>
+                <input name="encrypt_pass" type="text" id="encrypt_pass" size="25" value="<?php echo $encrypt_pass;?>" />
+                <p>加密数据的密码</p>
+            </td>
+        </tr>
+        
+        <tr>
+            <th scope="row"><label for="encrypt_type">加密方式</label></th>
+            <td>
+                
+                
+                <select name="encrypt_type" type="text" id="encrypt_type" size="1">
+                    <option value ="RC4" <?php if($encrypt_type==="RC4") echo 'selected="selected"';?> >RC4</option>
+                    <option value ="AES" <?php if($encrypt_type!=="RC4") echo 'selected="selected"';?> >AES</option>
+                </select>
+                
+            </td>
+        </tr>
 
-		<tr>
-			<th scope="row"><label for="keep_session_enable">启用keepsession</label></th>
-			<td>
-				<input type="checkbox" name="keep_session_enable" type="text" id="keep_session_enable" size="25" value="1" <?php if(!isset( $_POST['keep_session_enable'] ) || $keep_session_enable===true) echo 'checked="checked"';?> />
-				
-				<p>详见README.md说明</p>
-			</td>
-		</tr>
-		
-		<tr>
-			<th scope="row"><label for="ipdata_path">ip数据库位置</label></th>
-			<td>
-				<input name="ipdata_path" type="text" id="ipdata_path" size="25" value="<?php echo $ipdata_path;?>" required="required" />
-				<p>纯真qqwry.dat位置</p>
-			</td>
-		</tr>
-		
-		<tr>
-			<th scope="row"><label for="mail_enable">启用邮件通知</label></th>
-			<td>
-				<input type="checkbox" name="mail_enable" type="text" id="mail_enable" size="25" value="1" <?php if($mail_enable===true) echo 'checked="checked"';?> />
-				<p>收到xss消息后邮件通知</p>
-			</td>
-		</tr>
-	
-		<tr>
-			<th scope="row"><label for="smtp_server">SMTP服务器</label></th>
-			<td>
-				<input name="smtp_server" type="text" id="smtp_server" size="25" value="<?php echo $smtp_server;?>" />
-				<p>SMTP服务器地址</p>
-			</td>
-		</tr>
-		
-		<tr>
-			<th scope="row"><label for="smtp_port">SMTP服务器端口</label></th>
-			<td>
-				<input name="smtp_port" type="text" id="smtp_port" size="25" value="<?php echo $smtp_port;?>" />
-				<p>详询服务提供商</p>
-			</td>
-		</tr>
-		
-		<tr>
-			<th scope="row"><label for="smtp_secure">SMTP安全项</label></th>
-			<td>
-				<input name="smtp_secure" type="text" id="smtp_secure" size="25" value="<?php echo $smtp_secure;?>" />
-				<p>默认无需修改</p>
-			</td>
-		</tr>
-		
-		<tr>
-			<th scope="row"><label for="mail_user">SMTP用户名</label></th>
-			<td>
-				<input name="mail_user" type="text" id="mail_user" size="25" value="<?php echo $mail_user;?>" />
-				<p>一般只是邮箱@之前的部分</p>
-			</td>
-		</tr>
-	
-		<tr>
-			<th scope="row"><label for="mail_pass">SMTP密码</label></th>
-			<td>
-				<input name="mail_pass" type="text" id="mail_pass" size="25" value="<?php echo $mail_pass;?>" />
-				<p>发件邮箱的密码</p>
-			</td>
-		</tr>
-	
-		<tr>
-			<th scope="row"><label for="mail_from">发件人地址</label></th>
-			<td>
-				<input name="mail_from" type="text" id="mail_from" size="25" value="<?php echo $mail_from;?>" />
-				<p>不可伪造，否者无法发送</p>
-			</td>
-		</tr>
-		<tr>
-			<th scope="row"><label for="mail_recv">收件人地址</label></th>
-			<td>
-				<input name="mail_recv" type="text" id="mail_recv" size="25" value="<?php echo $mail_recv;?>" />
-				<p>接收通知的邮件地址</p>
-			</td>
-		</tr>
-		
-	</table>
-	<p class="step"><input name="submit" type="submit" value="提交" class="button button-large"></p>
-	
+        <tr>
+            <th scope="row"><label for="keep_session_enable">启用keepsession</label></th>
+            <td>
+                <input type="checkbox" name="keep_session_enable" type="text" id="keep_session_enable" size="25" value="1" <?php if(!isset( $_POST['pass'] ) || $keep_session_enable===true) echo 'checked="checked"';?> />
+                
+                <p>详见README.md说明</p>
+            </td>
+        </tr>
+        
+        <tr>
+            <th scope="row"><label for="admin_ip_check_enable">启用管理员IP校验</label></th>
+            <td>
+                <input type="checkbox" name="admin_ip_check_enable" type="text" id="admin_ip_check_enable" size="25" value="1" <?php if(!isset( $_POST['pass'] ) || $admin_ip_check_enable===true) echo 'checked="checked"';?> />
+                
+                <p>详见README.md说明</p>
+            </td>
+        </tr>
+        
+        <tr>
+            <th scope="row"><label for="xff_enable">使用XFF识别源ip</label></th>
+            <td>
+                <input type="checkbox" name="xff_enable" type="text" id="xff_enable" size="25" value="1" <?php if($xff_enable===true) echo 'checked="checked"';?> />
+                <p>仅在存在反代的情况下开启</p>
+            </td>
+        </tr>
+        
+        <tr>
+            <th scope="row"><label for="ipdata_path">ip数据库位置</label></th>
+            <td>
+                <input name="ipdata_path" type="text" id="ipdata_path" size="25" value="<?php echo $ipdata_path;?>" required="required" />
+                <p>纯真qqwry.dat位置</p>
+            </td>
+        </tr>
+        
+        <tr>
+            <th scope="row"><label for="mail_enable">启用邮件通知</label></th>
+            <td>
+                <input type="checkbox" name="mail_enable" type="text" id="mail_enable" size="25" value="1" <?php if($mail_enable===true) echo 'checked="checked"';?> />
+                <p>收到xss消息后邮件通知</p>
+            </td>
+        </tr>
+    
+        <tr>
+            <th scope="row"><label for="smtp_server">SMTP服务器</label></th>
+            <td>
+                <input name="smtp_server" type="text" id="smtp_server" size="25" value="<?php echo $smtp_server;?>" />
+                <p>SMTP服务器地址</p>
+            </td>
+        </tr>
+        
+        <tr>
+            <th scope="row"><label for="smtp_port">SMTP服务器端口</label></th>
+            <td>
+                <input name="smtp_port" type="text" id="smtp_port" size="25" value="<?php echo $smtp_port;?>" />
+                <p>详询服务提供商</p>
+            </td>
+        </tr>
+        
+        <tr>
+            <th scope="row"><label for="smtp_secure">SMTP安全项</label></th>
+            <td>
+                <input name="smtp_secure" type="text" id="smtp_secure" size="25" value="<?php echo $smtp_secure;?>" />
+                <p>默认无需修改</p>
+            </td>
+        </tr>
+        
+        <tr>
+            <th scope="row"><label for="mail_user">SMTP用户名</label></th>
+            <td>
+                <input name="mail_user" type="text" id="mail_user" size="25" value="<?php echo $mail_user;?>" />
+                <p>一般只是邮箱@之前的部分</p>
+            </td>
+        </tr>
+    
+        <tr>
+            <th scope="row"><label for="mail_pass">SMTP密码</label></th>
+            <td>
+                <input name="mail_pass" type="text" id="mail_pass" size="25" value="<?php echo $mail_pass;?>" />
+                <p>发件邮箱的密码</p>
+            </td>
+        </tr>
+    
+        <tr>
+            <th scope="row"><label for="mail_from">发件人地址</label></th>
+            <td>
+                <input name="mail_from" type="text" id="mail_from" size="25" value="<?php echo $mail_from;?>" />
+                <p>不可伪造，否者无法发送</p>
+            </td>
+        </tr>
+        <tr>
+            <th scope="row"><label for="mail_recv">收件人地址</label></th>
+            <td>
+                <input name="mail_recv" type="text" id="mail_recv" size="25" value="<?php echo $mail_recv;?>" />
+                <p>接收通知的邮件地址</p>
+            </td>
+        </tr>
+        
+    </table>
+    <p class="step"><input name="submit" type="submit" value="提交" class="button button-large"></p>
+    
 </form>
 <?php
 } // end display_setup_form()
 
 //xss过滤
 function stripStr($str) {
-	if(get_magic_quotes_gpc())
-		$str=stripslashes($str);
-	return htmlspecialchars($str,ENT_QUOTES,'UTF-8');
+    if(get_magic_quotes_gpc())
+        $str=stripslashes($str);
+    return htmlspecialchars($str,ENT_QUOTES,'UTF-8');
 }
 
 //js描述重加密
 function modify_js_desc($path,$old_encrypt_enable,$old_encrypt_pass,$old_encrypt_type,$new_encrypt_enable,$new_encrypt_pass, $new_encrypt_type) {
-	$files = glob($path . '/*.js');
-	foreach ($files as $file){
-		//由于可能有中文名,故使用正则来提取文件名
-		$filename=preg_replace('/^.+[\\\\\\/]/', '', $file);
-		$filename=substr ( $filename , 0 , strlen ($filename)-3 );
-			
-		$desc=@file_get_contents(dirname( __FILE__ ).'/'.$path.'/'.$filename.'.desc');
+    $files = glob($path . '/*.js');
+    foreach ($files as $file){
+        //由于可能有中文名,故使用正则来提取文件名
+        $filename=preg_replace('/^.+[\\\\\\/]/', '', $file);
+        $filename=substr ( $filename , 0 , strlen ($filename)-3 );
+            
+        $desc=@file_get_contents(dirname( __FILE__ ).'/'.$path.'/'.$filename.'.desc');
 
-		if($desc!==false)
-			$desc=decrypt($desc,$old_encrypt_enable,$old_encrypt_pass,$old_encrypt_type);
-		else
-			$desc="";
+        if($desc!==false)
+            $desc=decrypt($desc,$old_encrypt_enable,$old_encrypt_pass,$old_encrypt_type);
+        else
+            $desc="";
 
-		$desc=encrypt($desc, $new_encrypt_enable, $new_encrypt_pass, $new_encrypt_type);
-	
-		@file_put_contents(dirname( __FILE__ ).'/'.$path.'/'.$filename.'.desc', $desc);
-		
-	}		
+        $desc=encrypt($desc, $new_encrypt_enable, $new_encrypt_pass, $new_encrypt_type);
+    
+        @file_put_contents(dirname( __FILE__ ).'/'.$path.'/'.$filename.'.desc', $desc);
+        
+    }        
 }
 
 //加密
 function encrypt($info,$encrypt_enable,$encrypt_pass,$encrypt_type) {
-	if($encrypt_enable) {
-		if($encrypt_type==="AES") {
-			require_once("aes.php");
-			$info=AESEncryptCtr($info,$encrypt_pass);
-		}
-		else {
-			require_once("rc4.php");
-			$info=base64_encode( rc4($info,$encrypt_pass) );
-		}	
-	}
-	else
-		$info=base64_encode($info);
-	
-	return $info;
+    if($encrypt_enable) {
+        if($encrypt_type==="AES") {
+            require_once("aes.php");
+            $info=AESEncryptCtr($info,$encrypt_pass);
+        }
+        else {
+            require_once("rc4.php");
+            $info=base64_encode( rc4($info,$encrypt_pass) );
+        }    
+    }
+    else
+        $info=base64_encode($info);
+    
+    return $info;
 }
 
 //解密
 function decrypt($info,$encrypt_enable,$encrypt_pass,$encrypt_type) {
-	if($encrypt_enable) {
-		if($encrypt_type==="AES") {
-			require_once("aes.php");
-			$info=AESDecryptCtr($info,$encrypt_pass);
-			
-		}
-		else {
-			require_once("rc4.php");
-			$info=rc4(base64_decode($info),$encrypt_pass);
-		}
-	}
-	else
-		$info=base64_decode($info);
-	return $info;
+    if($encrypt_enable) {
+        if($encrypt_type==="AES") {
+            require_once("aes.php");
+            $info=AESDecryptCtr($info,$encrypt_pass);
+            
+        }
+        else {
+            require_once("rc4.php");
+            $info=rc4(base64_decode($info),$encrypt_pass);
+        }
+    }
+    else
+        $info=base64_decode($info);
+    return $info;
 }
 
 ?> 
\ No newline at end of file
diff --git a/login.php b/login.php
index d679603..b32920c 100644
--- a/login.php
+++ b/login.php
@@ -1,7 +1,6 @@
 <?php
 define("IN_XSS_PLATFORM", true);
 
-require_once("load.php");
 require_once("functions.php");
 require_once("dio.php");
 
@@ -23,7 +22,7 @@ if (isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true) {
 
 //判断ip是否在封禁列表中
 $forbiddenIPList = loadForbiddenIPList();
-$ip              = $_SERVER['REMOTE_ADDR'];
+$ip              = getRealIP();
 $is_pass_wrong   = false;
 if (!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip] <= 5) {
     if (isset($_POST['password']) && $_POST['password'] != "") {
diff --git a/src/css/install.css b/src/css/install.css
index dd76b05..9c29cfb 100644
--- a/src/css/install.css
+++ b/src/css/install.css
@@ -284,7 +284,7 @@ body.rtl,
 
 }
 
-#encrypt_enable, #keep_session_enable, #mail_enable {
+#encrypt_enable, #keep_session_enable, #mail_enable, #xff_enable, #admin_ip_check_enable{
 	margin-right: 200px;
 }
 
diff --git a/static/css/install.min.css b/static/css/install.min.css
index 2ffaf83..c42cc11 100644
--- a/static/css/install.min.css
+++ b/static/css/install.min.css
@@ -1 +1 @@
-html{background:#222526;margin:0 20px}body{background:#fff;color:#444;font-family:'Microsoft YaHei',"Open Sans",sans-serif;margin:190px auto 25px;padding:20px 20px 10px 20px;max-width:600px;-webkit-font-smoothing:subpixel-antialiased;-webkit-box-shadow:0 1px 3px rgba(0,0,0,0.13);box-shadow:0 1px 3px rgba(0,0,0,0.13)}a{color:#0073aa}a:hover,a:active{color:#00a0d2}a:focus{color:#124964;-webkit-box-shadow:0 0 0 1px #5b9dd9,0 0 2px 1px rgba(30,140,190,.8);box-shadow:0 0 0 1px #5b9dd9,0 0 2px 1px rgba(30,140,190,.8)}.ie8 a:focus{outline:#5b9dd9 solid 1px}h1,h2{border-bottom:1px solid #dedede;clear:both;color:#666;font-size:24px;padding:0;padding-bottom:7px;font-weight:normal}h3{font-size:16px}p,li,dd,dt{padding-bottom:2px;font-size:14px;line-height:1.5}code,.code{font-family:'Microsoft YaHei',Consolas,Monaco,monospace}ul,ol,dl{padding:5px 5px 5px 22px}a img{border:0}abbr{border:0;font-variant:normal}fieldset{border:0;padding:0;margin:0}label{cursor:pointer}#logo{margin:-170px 0 37px 0;padding:0 0 7px 0;border-bottom:0;text-align:center}#logo a{background-image:url(../images/logo.png);-webkit-background-size:180px;background-size:180px;background-position:center top;background-repeat:no-repeat;color:#999;height:180px;width:300px;font-size:20px;font-weight:normal;line-height:1.3em;margin:-110px auto -50px;padding:0;text-decoration:none;text-indent:-9999px;outline:0;overflow:hidden;display:block}#logo a:focus{-webkit-box-shadow:none;box-shadow:none}.step{margin:20px 0 15px}.step,th{text-align:left;padding:0}.form-table{border-collapse:collapse;margin-top:1em;width:100%}.form-table td{margin-bottom:9px;padding:10px 20px 10px 0;font-size:14px;vertical-align:top}.form-table th{font-size:14px;text-align:left;padding:10px 20px 10px 0;width:140px;vertical-align:top}.form-table code{line-height:18px;font-size:14px}.form-table p{margin:4px 0 0 0;font-size:11px;display:inline}.form-table input{line-height:20px;font-size:15px;padding:3px 5px;border:1px solid #ddd;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.07);box-shadow:inset 0 1px 2px rgba(0,0,0,0.07)}input,submit{font-family:'Microsoft YaHei',"Open Sans",sans-serif}.form-table input[type=text],.form-table input[type=email],.form-table input[type=url],.form-table input[type=password]{width:206px}.form-table th p{font-weight:normal}.form-table.install-success th,.form-table.install-success td{vertical-align:middle;padding:16px 20px 16px 0}.form-table.install-success td p{margin:0;font-size:14px}.form-table.install-success td code{margin:0;font-size:18px}.message{border:1px solid #c00;padding:.5em .7em;margin:5px 0 15px;background-color:#ffebe8}.form-table span.description.important{font-size:12px}body.rtl,.rtl textarea,.rtl input,.rtl submit{font-family:'Microsoft YaHei',Tahoma,sans-serif}:lang(he-il) body.rtl,:lang(he-il) .rtl textarea,:lang(he-il) .rtl input,:lang(he-il) .rtl submit{font-family:'Microsoft YaHei',Arial,sans-serif}@media only screen and (max-width:799px){body{margin-top:115px}#logo a{margin:-125px auto 30px}}@media screen and (max-width:782px){.form-table{margin-top:0}.form-table th,.form-table td{display:block;width:auto;vertical-align:middle}.form-table th{padding:20px 0 0}.form-table td{padding:5px 0;border:0;margin:0}textarea,input{font-size:16px}.form-table td input[type="text"],.form-table td input[type="email"],.form-table td input[type="url"],.form-table td input[type="password"],.form-table td select,.form-table td textarea,.form-table span.description{width:100%;font-size:16px;line-height:1.5;padding:7px 10px;display:block;max-width:none;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}}#encrypt_enable,#keep_session_enable,#mail_enable{margin-right:200px}.core-ui .button{color:#555;border-color:#ccc;background:#f7f7f7;-webkit-box-shadow:0 1px 0 #ccc;box-shadow:0 1px 0 #ccc;vertical-align:top;display:inline-block;text-decoration:none;font-size:13px;line-height:26px;height:28px;margin:0;padding:0 10px 1px;cursor:pointer;border-width:1px;border-style:solid;-webkit-appearance:none;-webkit-border-radius:3px;border-radius:3px;white-space:nowrap;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}
\ No newline at end of file
+html{background:#222526;margin:0 20px}body{background:#fff;color:#444;font-family:'Microsoft YaHei',"Open Sans",sans-serif;margin:190px auto 25px;padding:20px 20px 10px 20px;max-width:600px;-webkit-font-smoothing:subpixel-antialiased;-webkit-box-shadow:0 1px 3px rgba(0,0,0,0.13);box-shadow:0 1px 3px rgba(0,0,0,0.13)}a{color:#0073aa}a:hover,a:active{color:#00a0d2}a:focus{color:#124964;-webkit-box-shadow:0 0 0 1px #5b9dd9,0 0 2px 1px rgba(30,140,190,.8);box-shadow:0 0 0 1px #5b9dd9,0 0 2px 1px rgba(30,140,190,.8)}.ie8 a:focus{outline:#5b9dd9 solid 1px}h1,h2{border-bottom:1px solid #dedede;clear:both;color:#666;font-size:24px;padding:0;padding-bottom:7px;font-weight:normal}h3{font-size:16px}p,li,dd,dt{padding-bottom:2px;font-size:14px;line-height:1.5}code,.code{font-family:'Microsoft YaHei',Consolas,Monaco,monospace}ul,ol,dl{padding:5px 5px 5px 22px}a img{border:0}abbr{border:0;font-variant:normal}fieldset{border:0;padding:0;margin:0}label{cursor:pointer}#logo{margin:-170px 0 37px 0;padding:0 0 7px 0;border-bottom:0;text-align:center}#logo a{background-image:url(../images/logo.png);-webkit-background-size:180px;background-size:180px;background-position:center top;background-repeat:no-repeat;color:#999;height:180px;width:300px;font-size:20px;font-weight:normal;line-height:1.3em;margin:-110px auto -50px;padding:0;text-decoration:none;text-indent:-9999px;outline:0;overflow:hidden;display:block}#logo a:focus{-webkit-box-shadow:none;box-shadow:none}.step{margin:20px 0 15px}.step,th{text-align:left;padding:0}.form-table{border-collapse:collapse;margin-top:1em;width:100%}.form-table td{margin-bottom:9px;padding:10px 20px 10px 0;font-size:14px;vertical-align:top}.form-table th{font-size:14px;text-align:left;padding:10px 20px 10px 0;width:140px;vertical-align:top}.form-table code{line-height:18px;font-size:14px}.form-table p{margin:4px 0 0 0;font-size:11px;display:inline}.form-table input{line-height:20px;font-size:15px;padding:3px 5px;border:1px solid #ddd;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.07);box-shadow:inset 0 1px 2px rgba(0,0,0,0.07)}input,submit{font-family:'Microsoft YaHei',"Open Sans",sans-serif}.form-table input[type=text],.form-table input[type=email],.form-table input[type=url],.form-table input[type=password]{width:206px}.form-table th p{font-weight:normal}.form-table.install-success th,.form-table.install-success td{vertical-align:middle;padding:16px 20px 16px 0}.form-table.install-success td p{margin:0;font-size:14px}.form-table.install-success td code{margin:0;font-size:18px}.message{border:1px solid #c00;padding:.5em .7em;margin:5px 0 15px;background-color:#ffebe8}.form-table span.description.important{font-size:12px}body.rtl,.rtl textarea,.rtl input,.rtl submit{font-family:'Microsoft YaHei',Tahoma,sans-serif}:lang(he-il) body.rtl,:lang(he-il) .rtl textarea,:lang(he-il) .rtl input,:lang(he-il) .rtl submit{font-family:'Microsoft YaHei',Arial,sans-serif}@media only screen and (max-width:799px){body{margin-top:115px}#logo a{margin:-125px auto 30px}}@media screen and (max-width:782px){.form-table{margin-top:0}.form-table th,.form-table td{display:block;width:auto;vertical-align:middle}.form-table th{padding:20px 0 0}.form-table td{padding:5px 0;border:0;margin:0}textarea,input{font-size:16px}.form-table td input[type="text"],.form-table td input[type="email"],.form-table td input[type="url"],.form-table td input[type="password"],.form-table td select,.form-table td textarea,.form-table span.description{width:100%;font-size:16px;line-height:1.5;padding:7px 10px;display:block;max-width:none;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}}#encrypt_enable,#keep_session_enable,#mail_enable,#xff_enable,#admin_ip_check_enable{margin-right:200px}.core-ui .button{color:#555;border-color:#ccc;background:#f7f7f7;-webkit-box-shadow:0 1px 0 #ccc;box-shadow:0 1px 0 #ccc;vertical-align:top;display:inline-block;text-decoration:none;font-size:13px;line-height:26px;height:28px;margin:0;padding:0 10px 1px;cursor:pointer;border-width:1px;border-style:solid;-webkit-appearance:none;-webkit-border-radius:3px;border-radius:3px;white-space:nowrap;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}
\ No newline at end of file

后台登录密码	- - 特殊字符会被转义，慎用，下同 -
xss数据存储路径	- - 文件夹需要有写权限 -
js模板存储路径	- - 文件夹需要有写权限 -
我的js存储路径	- - 文件夹需要有写权限 -
启用数据加密	- /> - 对xss记录，js描述文件加密 -
数据加密密码	- - 加密数据的密码 -
加密方式	- - - - -
后台登录密码	+ + 特殊字符会被转义，慎用，下同 +
xss数据存储路径	+ + 文件夹需要有写权限 +
js模板存储路径	+ + 文件夹需要有写权限 +
我的js存储路径	+ + 文件夹需要有写权限 +
启用数据加密	+ /> + 对xss记录，js描述文件加密 +
数据加密密码	+ + 加密数据的密码 +
加密方式	+ + + + +
启用keepsession	- /> - - 详见README.md说明 -
ip数据库位置	- - 纯真qqwry.dat位置 -
启用邮件通知	- /> - 收到xss消息后邮件通知 -
SMTP服务器	- - SMTP服务器地址 -
SMTP服务器端口	- - 详询服务提供商 -
SMTP安全项	- - 默认无需修改 -
SMTP用户名	- - 一般只是邮箱@之前的部分 -
SMTP密码	- - 发件邮箱的密码 -
发件人地址	- - 不可伪造，否者无法发送 -
收件人地址	- - 接收通知的邮件地址 -