From b7d6f17402e22e3382ba62c70954e3a72243a935 Mon Sep 17 00:00:00 2001
From: BIngDiAn <32029400+BIngDiAn-cn@users.noreply.github.com>
Date: Sat, 31 Dec 2022 02:14:39 +0800
Subject: [PATCH] =?UTF-8?q?=E5=B0=86htmlspecialchars=E6=94=B9=E4=B8=BAmac?=
 =?UTF-8?q?=5Ffilter=5Fxss=EF=BC=8C=E8=BF=87=E6=BB=A4xss=E6=94=BB=E5=87=BB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

将htmlspecialchars改为mac_filter_xss,过滤xss攻击
---
 application/index/controller/User.php | 29 +++++++++++++++++----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/application/index/controller/User.php b/application/index/controller/User.php
index 78ac21d15..f99cf85a5 100644
--- a/application/index/controller/User.php
+++ b/application/index/controller/User.php
@@ -259,7 +259,14 @@ public function logincallback($type = '', $code = '')
 if ($res2['code'] > 1) {
 $data = [];
 $data['user_name'] = substr($openid, 0, 10);
- $data['user_nick_name'] = htmlspecialchars(urldecode(trim($res['info']['name'])));
+ $data['user_nick_name'] =
+
+
+
+
+
+
+ specialchars(urldecode(trim($res['info']['name'])));
 $pwd = time();
 $data['user_pwd'] = $pwd;
 $data['user_pwd2'] = $pwd;
@@ -337,8 +344,8 @@ public function info()
 public function regcheck()
 {
 $param = input();
- $t = htmlspecialchars(urldecode(trim($param['t'])));
- $str = htmlspecialchars(urldecode(trim($param['str'])));
+ $t = mac_filter_xss(urldecode(trim($param['t'])));
+ $str = mac_filter_xss(urldecode(trim($param['str'])));
 $res = model('User')->regcheck($t, $str);
 if ($res['code'] > 1) {
 return $str;
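Review bot: The replacement for the `user_nick_name` assignment in logincallback ends in `specialchars(urldecode(trim($res['info']['name'])));`, separated from the `=` by six empty added lines, and `specialchars` is not a PHP function; unless the project defines one (none of the other hunks suggest so), this branch (`$res2['code'] > 1`) will abort with an undefined-function error instead of filtering the nickname. It looks like `html` was deleted but `mac_filter_xss` never typed, so the line should read `$data['user_nick_name'] = mac_filter_xss(urldecode(trim($res['info']['name'])));` as a single statement, matching the other hunks. The nickname comes from the third-party login response, so it still needs context-appropriate encoding wherever it is rendered; the filter here is input-side defence in depth. logincallback's body continues outside the hunk.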
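Review bot: The two added lines change what `return $str;` sends back to the client: with `htmlspecialchars` the echoed value was guaranteed entity-encoded, whereas the output guarantees of `mac_filter_xss` are not visible in this diff, so if it strips or rewrites instead of encoding, the response is no longer HTML-safe by construction. Encoding at the point of output, e.g. `return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, would keep that guarantee independent of the input filter and of how the caller renders the reply. regcheck's body continues outside the hunk.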
@@ -435,8 +442,8 @@ public function buy()
 if (Request()->isPost()) {
 $flag = input('param.flag');
 if ($flag == 'card') {
- $card_no = htmlspecialchars(urldecode(trim($param['card_no'])));
- $card_pwd = htmlspecialchars(urldecode(trim($param['card_pwd'])));
+ $card_no = mac_filter_xss(urldecode(trim($param['card_no'])));
+ $card_pwd = mac_filter_xss(urldecode(trim($param['card_pwd'])));
 $res = model('Card')->useData($card_no, $card_pwd, $GLOBALS['user']);
 return json($res);
@@ -469,7 +476,7 @@ public function buy()
 public function pay()
 {
 $param = input();
- $order_code = htmlspecialchars(urldecode(trim($param['order_code'])));
+ $order_code = mac_filter_xss(urldecode(trim($param['order_code'])));
 $where = [];
 $where['order_code'] = $order_code;
 $where['user_id'] = $GLOBALS['user']['user_id'];
@@ -492,9 +499,9 @@ public function gopay()
 {
 $param = input();
- $order_code = htmlspecialchars(urldecode(trim($param['order_code'])));
+ $order_code = mac_filter_xss(urldecode(trim($param['order_code'])));
 $order_id = intval((trim($param['order_id'])));
- $payment = strtolower(htmlspecialchars(urldecode(trim($param['payment']))));
+ $payment = strtolower(mac_filter_xss(urldecode(trim($param['payment']))));
 if (empty($order_code) && empty($order_id) && empty($payment)) {
 return $this->error(lang('param_err'));
@@ -683,7 +690,7 @@ public function ulog()
 public function ulog_del()
 {
 $param = input();
- $ids = htmlspecialchars(urldecode(trim($param['ids'])));
+ $ids = mac_filter_xss(urldecode(trim($param['ids'])));
 $type = $param['type'];
 $all = $param['all'];
@@ -733,7 +740,7 @@ public function plog()
 public function plog_del()
 {
 $param = input();
- $ids = htmlspecialchars(urldecode(trim($param['ids'])));
+ $ids = mac_filter_xss(urldecode(trim($param['ids'])));
 $type = $param['type'];
 $all = $param['all'];
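Review bot: `$card_no` and `$card_pwd` on the added lines are credentials consumed by `model('Card')->useData`, not display text, so XSS-filtering them alters the value under verification: a card code containing anything the filter rewrites or strips will no longer match, and the filter contributes nothing to query safety, which rests on the model's parameter binding. The safer shape is to pass them through as entered (`$card_no = trim($param['card_no']);`, `$card_pwd = trim($param['card_pwd']);`), let the Card model validate their format, and encode only where they are rendered. How `mac_filter_xss` transforms these values is not visible here, so treat this as a design point to confirm against the helper.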
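Review bot: `$order_code` on the added line feeds the query condition two lines down (`$where['order_code'] = $order_code;`), and an XSS filter is not the right control for a lookup key: it neither guarantees a well-formed order code nor does anything for the query, whose safety rests on the ORM binding the value. The same applies to the two `$order_code` lines in gopay below. A format check against what the order-code generator produces, failing with `return $this->error(lang('param_err'));` on mismatch, would give the lookup a definite contract; the generator is outside this diff, so the exact pattern has to come from it. pay's body continues outside the hunk.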
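Review bot: `$payment` on the last added line is lowercased and, judging by the name and the gopay context, presumably selects a payment method downstream; if so, the control that matters is an allow-list check against the configured payment methods, which `mac_filter_xss` does not provide. The guard that follows rejects the request only when all three of `$order_code`, `$order_id` and `$payment` are empty (`&&`), so a request supplying just one of them passes; confirm that is the intended contract, since the filter change does not alter it. gopay's body continues outside the hunk.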
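Review bot: `$ids` on the added line is a set of record ids destined for a delete (the same change appears in plog_del and cash_del), so an XSS filter leaves it as a free-form string where integer normalisation is the fitting check. If it is a comma-separated list as the name suggests, `$ids = implode(',', array_map('intval', explode(',', (string) ($param['ids'] ?? ''))));` keeps the downstream string shape while guaranteeing only integers reach the query; the exact shape the model expects is outside this diff, so confirm it before changing. ulog_del's body continues outside the hunk.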
@@ -784,7 +791,7 @@ public function cash()
 public function cash_del()
 {
 $param = input();
- $ids = htmlspecialchars(urldecode(trim($param['ids'])));
+ $ids = mac_filter_xss(urldecode(trim($param['ids'])));
 $type = $param['type'];
 $all = $param['all'];