From d2eda66cb7900dfb8b3caa25f57d7b5698a22f96 Mon Sep 17 00:00:00 2001
From: zmister <zmister@qq.com>
Date: Tue, 7 Sep 2021 23:48:06 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96=E6=96=87=E6=A1=A3=E5=90=8D?=
 =?UTF-8?q?=E7=A7=B0=E7=9A=84XSS=E8=BF=87=E6=BB=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app_doc/views.py                        | 48 +++++++++++++++++++++++++
 template/app_admin/admin_doc.html       |  4 +--
 template/app_doc/manage/manage_doc.html |  4 +--
 3 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/app_doc/views.py b/app_doc/views.py
index 60981e6..61f07c6 100644
--- a/app_doc/views.py
+++ b/app_doc/views.py
@@ -36,6 +36,53 @@ import hashlib
 import markdown
 
 
+# HTML转义
+def jsonXssFilter(data):
+    payloads = {
+        '\'':'&apos;',
+        '"':'&quot;',
+        '<':'&lt;',
+        '>':'&gt;'
+    }
+    if type(data) == dict:
+        new = {}
+        for key,values in data.items():
+            new[key] = jsonXssFilter(values)
+    elif type(data) == list:
+        new = []
+        for i in data:
+            new.append(jsonXssFilter(i))
+    elif type(data) == int or type(data) == float:
+        new = data
+    elif type(data) == str:
+        new = data
+        for key,value in payloads.items():
+            new = new.replace(key,value)
+    elif type(data) ==bytes:
+        new = data
+    else:
+        print('>>> unknown type:')
+        print(type(data))
+        new = data
+    return new
+
+
+def html_filter(data):
+    if len(data) == 0:
+        return ""
+    payloads = {
+        '\'':'&apos;',
+        '"':'&quot;',
+        '<':'&lt;',
+        '>':'&gt;'
+    }
+    new = data
+    for key, value in payloads.items():
+        new = new.replace(key, value)
+    print(new)
+    return new
+
+
 # 替换前端传来的非法字符
 def validateTitle(title):
   rstr = r"[\/\\\:\*\?\"\<\>\|\[\]]" # '/ \ : * ? " < > |'
@@ -2071,6 +2118,7 @@ def get_pro_doc_tree(request):
             # 如果一级文档没有下级文档，直接保存
             else:
                 doc_list.append(top_item)
+        doc_list = jsonXssFilter(doc_list)
         return JsonResponse({'status':True,'data':doc_list})
     else:
         return JsonResponse({'status':False,'data':_('参数错误')})
diff --git a/template/app_admin/admin_doc.html b/template/app_admin/admin_doc.html
index 8ac5369..6904897 100644
--- a/template/app_admin/admin_doc.html
+++ b/template/app_admin/admin_doc.html
@@ -66,11 +66,11 @@
     {% verbatim %}
         {{#if (d.status == 1) { }}
             <span class="layui-badge-dot layui-bg-blue"></span>
-            <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{d.name}}</a>
+            <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{=d.name}}</a>
         {{# }else if(d.status == 0){ }}
             <!-- <i class="layui-icon layui-icon-release" style="cursor: pointer;" onclick="fastPubDoc('{{d.id}}')" title="草稿状态，点击一键发布"></i>&nbsp; -->
             <span class="layui-badge-dot layui-bg-orange"></span>
-            <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档：{{d.name}}">{{ d.name }} </a>
+            <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档：{{=d.name}}">{{=d.name}} </a>
         {{# } }}
         {{#if (d.editor_mode in [1,2,3]) { }}
             <i class="layui-icon layui-icon-form" title="普通文档"</i>
diff --git a/template/app_doc/manage/manage_doc.html b/template/app_doc/manage/manage_doc.html
index e36606b..dfcfcfd 100644
--- a/template/app_doc/manage/manage_doc.html
+++ b/template/app_doc/manage/manage_doc.html
@@ -77,10 +77,10 @@
     {% verbatim %}
         {{#if (d.status == 1) { }}
             <span class="layui-badge-dot layui-bg-blue"></span>
-            <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{d.name}}</a>
+            <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{=d.name}}</a>
         {{# }else if(d.status == 0){ }}
             <span class="layui-badge-dot layui-bg-orange"></span>
-            <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档：{{d.name}}">{{ d.name }} </a>
+            <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档：{{=d.name}}">{{=d.name}} </a>
         {{# } }}
         {{#if (d.editor_mode in [1,2,3]) { }}
             <i class="layui-icon layui-icon-form" title="普通文档"</i>