优化文档名称的XSS过滤

2021-09-07 23:48:06 +08:00 · 2021-09-07 23:48:06 +08:00 · d2eda66cb7
commit d2eda66cb7
parent 00c26e9c7c
3 changed files with 52 additions and 4 deletions
--- a/app_doc/views.py
+++ b/app_doc/views.py
@ -36,6 +36,53 @@ import hashlib
 import markdown


+# HTML转义
+def jsonXssFilter(data):
+    payloads = {
+        '\'':'&apos;',
+        '"':'&quot;',
+        '<':'&lt;',
+        '>':'&gt;'
+    }
+    if type(data) == dict:
+        new = {}
+        for key,values in data.items():
+            new[key] = jsonXssFilter(values)
+    elif type(data) == list:
+        new = []
+        for i in data:
+            new.append(jsonXssFilter(i))
+    elif type(data) == int or type(data) == float:
+        new = data
+    elif type(data) == str:
+        new = data
+        for key,value in payloads.items():
+            new = new.replace(key,value)
+    elif type(data) ==bytes:
+        new = data
+    else:
+        print('>>> unknown type:')
+        print(type(data))
+        new = data
+    return new
+
+
+def html_filter(data):
+    if len(data) == 0:
+        return ""
+    payloads = {
+        '\'':'&apos;',
+        '"':'&quot;',
+        '<':'&lt;',
+        '>':'&gt;'
+    }
+    new = data
+    for key, value in payloads.items():
+        new = new.replace(key, value)
+    print(new)
+    return new
+
+
 # 替换前端传来的非法字符
 def validateTitle(title):
  rstr = r"[\/\\\:\*\?\"\<\>\|\[\]]" # '/ \ : * ? " < > |'
@ -2071,6 +2118,7 @@ def get_pro_doc_tree(request):
            # 如果一级文档没有下级文档，直接保存
            else:
                doc_list.append(top_item)
+        doc_list = jsonXssFilter(doc_list)
        return JsonResponse({'status':True,'data':doc_list})
    else:
        return JsonResponse({'status':False,'data':_('参数错误')})
--- a/template/app_admin/admin_doc.html
+++ b/template/app_admin/admin_doc.html
@ -66,11 +66,11 @@
    {% verbatim %}
        {{#if (d.status == 1) { }}
            <span class="layui-badge-dot layui-bg-blue"></span>
-            <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{d.name}}</a>
+            <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{=d.name}}</a>
        {{# }else if(d.status == 0){ }}
            <!-- <i class="layui-icon layui-icon-release" style="cursor: pointer;" onclick="fastPubDoc('{{d.id}}')" title="草稿状态，点击一键发布"></i>&nbsp; -->
            <span class="layui-badge-dot layui-bg-orange"></span>
-            <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档：{{d.name}}">{{ d.name }} </a>
+            <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档：{{=d.name}}">{{=d.name}} </a>
        {{# } }}
        {{#if (d.editor_mode in [1,2,3]) { }}
            <i class="layui-icon layui-icon-form" title="普通文档"</i>
--- a/template/app_doc/manage/manage_doc.html
+++ b/template/app_doc/manage/manage_doc.html
@ -77,10 +77,10 @@
    {% verbatim %}
        {{#if (d.status == 1) { }}
            <span class="layui-badge-dot layui-bg-blue"></span>
-            <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{d.name}}</a>
+            <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{=d.name}}</a>
        {{# }else if(d.status == 0){ }}
            <span class="layui-badge-dot layui-bg-orange"></span>
-            <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档：{{d.name}}">{{ d.name }} </a>
+            <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档：{{=d.name}}">{{=d.name}} </a>
        {{# } }}
        {{#if (d.editor_mode in [1,2,3]) { }}
            <i class="layui-icon layui-icon-form" title="普通文档"</i>