rewrited implementation of showing msg to prevent XSS attack, close #14
This commit is contained in:
parent
a0c97985cd
commit
faa99d43eb
@ -3,10 +3,10 @@
|
||||
* @Author: printempw
|
||||
* @Date: 2016-03-19 21:00:58
|
||||
* @Last Modified by: printempw
|
||||
* @Last Modified time: 2016-04-03 20:58:33
|
||||
* @Last Modified time: 2016-05-12 21:53:48
|
||||
*/
|
||||
require "../libraries/session.inc.php";
|
||||
if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
|
||||
if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
|
||||
View::show('admin/header', array('page_title' => "添加用户"));
|
||||
$db = new Database\Database('users');
|
||||
?>
|
||||
|
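Review bot: The new non-admin guard `if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');` still relies on redirect() terminating the request; the non-JS branch of Utils::redirect is outside the hunk shown in this commit, so I cannot confirm it calls exit, and if it only sends a Location header the rest of the admin page is rendered for a client that ignores the redirect. Making the guard self-contained is a one-line change: `if (!$user->is_admin) { Utils::redirect('../index.php', '看起来你并不是管理员'); exit; }`. The same applies to the identical guard line in the other six admin-page hunks below (the 用户管理, 仪表盘, 站点配置 pages, the page with the style heredoc, the page with the "No protection here" comment and the update page) and to the two redirect calls in the session.inc.php hunk.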
@ -3,12 +3,12 @@
|
||||
* @Author: printempw
|
||||
* @Date: 2016-02-04 13:53:55
|
||||
* @Last Modified by: printempw
|
||||
* @Last Modified time: 2016-04-03 08:26:15
|
||||
* @Last Modified time: 2016-05-12 21:53:48
|
||||
*/
|
||||
require "../libraries/session.inc.php";
|
||||
|
||||
// Check token, won't allow non-admin user to access
|
||||
if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
|
||||
if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
|
||||
|
||||
/*
|
||||
* No protection here,
|
||||
|
@ -3,10 +3,10 @@
|
||||
* @Author: printempw
|
||||
* @Date: 2016-03-19 14:34:21
|
||||
* @Last Modified by: printempw
|
||||
* @Last Modified time: 2016-04-03 20:58:26
|
||||
* @Last Modified time: 2016-05-12 21:53:48
|
||||
*/
|
||||
require "../libraries/session.inc.php";
|
||||
if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
|
||||
if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
|
||||
$data['style'] = <<< 'EOT'
|
||||
<link rel="stylesheet" href="../assets/libs/AdminLTE/dist/css/skins/_all-skins.min.css">
|
||||
<style>
|
||||
|
@ -3,10 +3,10 @@
|
||||
* @Author: printempw
|
||||
* @Date: 2016-02-03 14:39:50
|
||||
* @Last Modified by: printempw
|
||||
* @Last Modified time: 2016-04-03 20:58:22
|
||||
* @Last Modified time: 2016-05-12 21:53:49
|
||||
*/
|
||||
require "../libraries/session.inc.php";
|
||||
if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
|
||||
if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
|
||||
View::show('admin/header', array('page_title' => "仪表盘"));
|
||||
$db = new Database\Database('users');
|
||||
?>
|
||||
|
@ -3,10 +3,10 @@
|
||||
* @Author: printempw
|
||||
* @Date: 2016-03-06 14:19:20
|
||||
* @Last Modified by: printempw
|
||||
* @Last Modified time: 2016-04-03 20:58:13
|
||||
* @Last Modified time: 2016-05-12 21:53:49
|
||||
*/
|
||||
require "../libraries/session.inc.php";
|
||||
if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
|
||||
if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
|
||||
View::show('admin/header', array('page_title' => "用户管理"));
|
||||
$db = new Database\Database('users');
|
||||
|
||||
|
@ -3,10 +3,10 @@
|
||||
* @Author: printempw
|
||||
* @Date: 2016-03-18 22:50:25
|
||||
* @Last Modified by: printempw
|
||||
* @Last Modified time: 2016-04-04 08:36:45
|
||||
* @Last Modified time: 2016-05-12 21:53:49
|
||||
*/
|
||||
require "../libraries/session.inc.php";
|
||||
if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
|
||||
if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
|
||||
View::show('admin/header', array('page_title' => "站点配置"));
|
||||
$db = new Database\Database('users');
|
||||
?>
|
||||
|
@ -3,10 +3,10 @@
|
||||
* @Author: printempw
|
||||
* @Date: 2016-03-27 15:03:40
|
||||
* @Last Modified by: printempw
|
||||
* @Last Modified time: 2016-04-03 21:05:51
|
||||
* @Last Modified time: 2016-05-12 21:53:49
|
||||
*/
|
||||
require "../libraries/session.inc.php";
|
||||
if (!$user->is_admin) Utils::redirect('../index.php?msg=看起来你并不是管理员');
|
||||
if (!$user->is_admin) Utils::redirect('../index.php', '看起来你并不是管理员');
|
||||
$action = isset($_GET['action']) ? $_GET['action'] : "";
|
||||
|
||||
$updater = new Updater(Option::get('current_version'));
|
||||
|
10
index.php
10
index.php
@ -3,7 +3,7 @@
|
||||
* @Author: printempw
|
||||
* @Date: 2016-01-17 13:55:20
|
||||
* @Last Modified by: printempw
|
||||
* @Last Modified time: 2016-04-11 17:01:15
|
||||
* @Last Modified time: 2016-05-12 21:57:53
|
||||
*/
|
||||
session_start();
|
||||
$dir = dirname(__FILE__);
|
||||
@ -139,8 +139,10 @@ if (isset($_COOKIE['uname']) && isset($_COOKIE['token'])) {
|
||||
<script type="text/javascript" src="./assets/js/index.utils.js"></script>
|
||||
<script><?php echo Option::get('custom_js'); ?></script>
|
||||
|
||||
<?php if (isset($_GET['msg'])): ?>
|
||||
<script type="text/javascript"> showAlert("<?php echo $_GET['msg']; ?>"); </script>
|
||||
<?php endif; ?>
|
||||
<?php
|
||||
if (isset($_SESSION['msg'])) {
|
||||
echo "<script type='text/javascript'> showAlert('".htmlspecialchars($_SESSION['msg'])."'); </script>";
|
||||
unset($_SESSION['msg']);
|
||||
} ?>
|
||||
</body>
|
||||
</html>
|
||||
|
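Review bot: The new `showAlert('".htmlspecialchars($_SESSION['msg'])."')` line in the second hunk escapes for an HTML text context, but the value is placed inside a single-quoted JavaScript string, and htmlspecialchars' default flags on the PHP versions of this era (ENT_COMPAT) leave `'` untouched, so a message containing an apostrophe terminates the string and breaks the script. Every message this commit stores is a literal written by the application's own redirect calls, so this is a fragile invariant rather than an exposure today, but the escaping should match the context: `echo "<script type='text/javascript'> showAlert(".json_encode($_SESSION['msg'], JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP)."); </script>";` emits a quoted JS string literal with `<`, `>`, `&` and both quote characters hex-escaped. Reading and unsetting the key in one place is good; it depends on session_start() having already run, which the first hunk of this file shows.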
@ -3,7 +3,7 @@
|
||||
* @Author: printempw
|
||||
* @Date: 2016-01-16 23:01:33
|
||||
* @Last Modified by: printempw
|
||||
* @Last Modified time: 2016-04-03 22:14:39
|
||||
* @Last Modified time: 2016-05-12 21:54:14
|
||||
*/
|
||||
|
||||
class Utils
|
||||
@ -227,7 +227,9 @@ class Utils
|
||||
* @param string $url
|
||||
* @return null
|
||||
*/
|
||||
public static function redirect($url, $use_js = false) {
|
||||
public static function redirect($url, $msg = "", $use_js = false) {
|
||||
if ($msg != "") $_SESSION['msg'] = $msg;
|
||||
|
||||
if ($use_js)
|
||||
echo "<script>window.location = '$url';</script>";
|
||||
else
|
||||
|
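Review bot: Inserting `$msg` before `$use_js` in `redirect($url, $msg = "", $use_js = false)` silently changes the meaning of any caller still using the old two-argument form `Utils::redirect($url, true)`: `true != ""` evaluates to true, so `$_SESSION['msg']` is set to `true` (rendered as "1" by the new index.php code) and the JavaScript redirect is skipped. The update page hunk in this commit was adapted to `Utils::redirect('update.php', '', true)`, but other callers are not visible here, so a type-aware strict check is cheap insurance: `if (is_string($msg) && $msg !== '') $_SESSION['msg'] = $msg;`. The docblock above the signature should also gain `@param string $msg  message stored in $_SESSION['msg'] for the target page` and `@param bool $use_js`. The method's else branch continues outside the hunk.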
@ -3,7 +3,7 @@
|
||||
* @Author: printempw
|
||||
* @Date: 2016-02-06 23:18:49
|
||||
* @Last Modified by: printempw
|
||||
* @Last Modified time: 2016-04-03 07:55:52
|
||||
* @Last Modified time: 2016-05-12 21:54:47
|
||||
*/
|
||||
session_start();
|
||||
$dir = dirname(dirname(__FILE__));
|
||||
@ -18,8 +18,8 @@ if(isset($_COOKIE['uname']) && isset($_COOKIE['token'])) {
|
||||
if (isset($_SESSION['uname'])) {
|
||||
$user = new User($_SESSION['uname']);
|
||||
if ($_SESSION['token'] != $user->getToken()) {
|
||||
Utils::redirect('../index.php?msg=无效的 token,请重新登录。');
|
||||
Utils::redirect('../index.php', '无效的 token,请重新登录。');
|
||||
}
|
||||
} else {
|
||||
Utils::redirect('../index.php?msg=非法访问,请先登录。');
|
||||
Utils::redirect('../index.php', '非法访问,请先登录。');
|
||||
}
|
||||
|
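Review bot: The new redirect on the token-mismatch path is guarded by `if ($_SESSION['token'] != $user->getToken())`, a loose comparison; when both values happen to be numeric-looking strings PHP compares them as numbers, so distinct tokens can compare equal. At minimum this should be `!==`, and where the deployment runs PHP 5.6 or later a constant-time comparison is preferable: `if (!hash_equals((string) $user->getToken(), (string) $_SESSION['token'])) {`. I cannot see getToken()'s return type from this hunk, hence the casts. The enclosing if/else block starts and ends inside the hunk, but the surrounding cookie-login logic does not.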
@ -3,7 +3,7 @@
|
||||
* @Author: printempw
|
||||
* @Date: 2016-01-16 23:01:33
|
||||
* @Last Modified by: printempw
|
||||
* @Last Modified time: 2016-04-03 17:14:26
|
||||
* @Last Modified time: 2016-05-12 21:57:21
|
||||
*
|
||||
* Blessing Skin Server Installer
|
||||
*/
|
||||
@ -89,7 +89,7 @@ case 1: ?>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
<?php if (isset($_GET['msg'])) echo "<div class='alert alert-warning' role='alert'>".$_GET['msg']."</div>"; ?>
|
||||
<?php if (isset($_GET['msg'])) echo "<div class='alert alert-warning' role='alert'>".htmlspecialchars($_GET['msg'])."</div>"; ?>
|
||||
<p class="step"><input type="submit" name="Submit" id="submit" class="button button-large" value="开始安装" /></p>
|
||||
</form>
|
||||
<?php break;
|
||||
|
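Review bot: The new `htmlspecialchars($_GET['msg'])` in the installer alert is adequate for element text content, but it relies on the default flags and default charset, which differ across PHP versions (the charset default changed to UTF-8 in 5.4 and the quote flags in 8.1). Pinning them makes the intent explicit and robust to the interpreter in use: `htmlspecialchars($_GET['msg'], ENT_QUOTES, 'UTF-8')`. This installer page is the only place in the commit that still reads the message from the query string rather than the session, which seems deliberate since no session is visible here, but it is worth a one-line comment saying so.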
@ -49,7 +49,7 @@
|
||||
$_SESSION['downloaded_version'] = $updater->latest_version;
|
||||
|
||||
} else {
|
||||
Utils::redirect('update.php', true);
|
||||
Utils::redirect('update.php', '', true);
|
||||
} ?>
|
||||
</div><!-- /.box-body -->
|
||||
<div class="box-footer">
|
||||
|