Merge pull request #40 from helloxz/dev

v0.9.13

class/Api.php

@@ -18,11 +18,11 @@ public function __construct($db){
     public function add_category($token,$name,$property = 0,$weight = 0,$description = ''){
         $this->auth($token);
         $data = [
-            'name'          =>  $name,
+            'name'          =>  htmlspecialchars($name,ENT_QUOTES),
             'add_time'      =>  time(),
             'weight'        =>  $weight,
             'property'      =>  $property,
-            'description'   =>  $description
+            'description'   =>  htmlspecialchars($description,ENT_QUOTES)
         ];
         //插入分类目录
         $this->db->insert("on_categorys",$data);
@@ -59,11 +59,11 @@ public function edit_category($token,$id,$name,$property = 0,$weight = 0,$descri
         //更新数据库
         else{
             $data = [
-                'name'          =>  $name,
+                'name'          =>  htmlspecialchars($name,ENT_QUOTES),
                 'up_time'      =>  time(),
                 'weight'        =>  $weight,
                 'property'      =>  $property,
-                'description'   =>  $description
+                'description'   =>  htmlspecialchars($description,ENT_QUOTES)
             ];
             $re = $this->db->update('on_categorys',$data,[ 'id' => $id]);
             //var_dump( $this->db->log() );
@@ -159,9 +159,9 @@ public function add_link($token,$fid,$title,$url,$description = '',$weight = 0,$
         //合并数据
         $data = [
             'fid'           =>  $fid,
-            'title'         =>  $title,
+            'title'         =>  htmlspecialchars($title,ENT_QUOTES),
             'url'           =>  $url,
-            'description'   =>  $description,
+            'description'   =>  htmlspecialchars($description,ENT_QUOTES),
             'add_time'      =>  time(),
             'weight'        =>  $weight,
             'property'      =>  $property
@@ -309,9 +309,9 @@ public function edit_link($token,$id,$fid,$title,$url,$description = '',$weight
         //合并数据
         $data = [
             'fid'           =>  $fid,
-            'title'         =>  $title,
+            'title'         =>  htmlspecialchars($title,ENT_QUOTES),
             'url'           =>  $url,
-            'description'   =>  $description,
+            'description'   =>  htmlspecialchars($description,ENT_QUOTES),
             'up_time'       =>  time(),
             'weight'        =>  $weight,
             'property'      =>  $property
@@ -548,6 +548,16 @@ protected function getIP() {
         return $ip; 
     } 
 
-    //
+    /**
+     * name:检查弱密码
+     */
+    public function check_weak_password($token){
+        $this->auth($token);
+        //如果用户名、密码为初始密码，则提示修改
+        if ( ( USER == 'xiaoz' ) && ( PASSWORD == 'xiaoz.me' ) ) {
+            $this->err_msg(-1,'Weak password!');
+        }
+    }
+
 }
 

controller/api.php

@@ -14,7 +14,7 @@
 
 //获取请求方法
 $method = $_GET['method'];
-//对方法进行判断
+//对方法进行判断，对应URL路由：/index.php?c=api&method=xxx
 switch ($method) {
     case 'add_category':
         add_category($api);
@@ -51,6 +51,8 @@
         break;
     case 'imp_link':
         imp_link($api);
+    case 'check_weak_password':
+        check_weak_password($api);
         break;
     default:
         # code...
@@ -211,4 +213,10 @@ function imp_link($api) {
     $fid = intval($_POST['fid']);
     $property = intval(@$_POST['property']);
     $api->imp_link($token,$filename,$fid,$property);
+}
+//检查弱密码
+function check_weak_password($api) {
+    //获取token
+    $token = $_POST['token'];
+    $api->check_weak_password($token);
 }

data/update.log

@@ -22,4 +22,10 @@ CREATE INDEX on_options_key_IDX ON on_options ("key");
 20210726
 1. 修复后台QQ群2
 2. 后台添加社区支持链接
-3. 修复默认主题顶部遮挡问题
+3. 修复默认主题顶部遮挡问题
+
+20220211
+1. 简化安装过程，无需再手动修改配置安装
+2. 新增默认密码安全检测
+3. 默认模板增加手机登录按钮
+4. 修复一处XSS漏洞

index.php

@@ -12,7 +12,18 @@
 //$version = @file_get_contents("./functions/version.txt");
 //载入配置文件
 if( !file_exists('./data/config.php') ) {
-	exit('<h3>配置文件不存在，请将站点目录下的config.simple.php复制为data/config.php</h3>');
+	echo "<p>正在准备安装，请稍等...</p>";
+	//复制配置文件
+	if ( copy('config.simple.php','data/config.php') ) {
+		echo "安装完毕，默认用户名：xiaoz，密码：xiaoz.me，5s后跳转到登录页面。";
+		//跳转到登录页面
+		header("Refresh:5;url=/index.php?c=login");
+		exit();
+	} else{
+		exit("<p>复制配置文件失败，请检查权限是否正常，或手动将站点目录下的config.simple.php复制为data/config.php</p>");
+	}
+
+	//exit('<h3>配置文件不存在，请将站点目录下的config.simple.php复制为data/config.php</h3>');
 }
 //检查数据库是否存在，不存在则复制数据库
 if( !file_exists('./data/onenav.db3') ) {

templates/admin/footer.php

@@ -1,6 +1,6 @@
 <div class="layui-footer">
     <!-- 底部固定区域 -->
-    © Copyright 2021.Powered by <a href="https://github.com/helloxz/onenav" rel = "nofollow" target="_blank">OneNav</a>.
+    © Copyright 2022.Powered by <a href="https://github.com/helloxz/onenav" rel = "nofollow" target="_blank">OneNav</a>.
   </div>
 </div>
 <script src = 'https://libs.xiaoz.top/jquery/2.2.4/jquery.min.js'></script>

templates/admin/index.php

@@ -40,3 +40,6 @@
   </div>
 
 <?php include_once('footer.php'); ?>
+<script>
+  check_weak_password();
+</script>

templates/admin/login.php

@@ -44,6 +44,10 @@
   <div class="layui-form-item">
     <button class="layui-btn" lay-submit lay-filter="login" style = "width:100%;">登录</button>
   </div>
+  
+  <div class="layui-form-item layui-hide-sm layui-hide-md layui-hide-lg">
+    <button class="layui-btn" lay-submit lay-filter="mobile_login" style = "width:100%;">手机登录</button>
+  </div>
 
   
 </form>

templates/admin/static/embed.js

@@ -191,7 +191,6 @@ layui.use(['element','table','layer','form','upload'], function(){
   });
 
   //登录
-  //添加链接
   form.on('submit(login)', function(data){
     $.post('/index.php?c=login&check=login',data.field,function(data,status){
       //如果添加成功
@@ -205,6 +204,20 @@ layui.use(['element','table','layer','form','upload'], function(){
     console.log(data.field) //当前容器的全部表单字段，名值对形式：{name: value}
     return false; //阻止表单跳转。如果需要表单跳转，去掉这段即可。
   });
+  //手机登录
+  form.on('submit(mobile_login)', function(data){
+    $.post('/index.php?c=login&check=login',data.field,function(data,status){
+      //如果登录成功
+      if(data.code == 0) {
+        window.location.href = '/';
+      }
+      else{
+        layer.msg(data.err_msg, {icon: 5});
+      }
+    });
+    console.log(data.field) //当前容器的全部表单字段，名值对形式：{name: value}
+    return false; //阻止表单跳转。如果需要表单跳转，去掉这段即可。
+  });
 
   //添加分类目录
   form.on('submit(add_category)', function(data){
@@ -400,4 +413,20 @@ function del_category(id){
 
     layer.close(index);
     });
-}
+}
+
+//弱密码检查
+function check_weak_password(){
+  $.get("/index.php?c=api&method=check_weak_password",function(data,status){
+    if (data.err_msg === 'Weak password!') {
+      layui.use('layer', function(){
+        var layer = layui.layer;
+
+        layer.open({
+          title:'风险提示！',
+          content: '系统检测到您使用的默认密码，请参考<a href = "https://dwz.ovh/ze1ts" target = "_blank" style = "color:#01AAED;">帮助文档</a>尽快修改！' //这里content是一个普通的String
+        });
+      });   
+    }
+  });
+}

templates/default/index.php

@@ -100,6 +100,22 @@
 			<div class="mdui-list-item-content category-name"><i class="fa fa-user-circle"></i> About</div>
 			</li>
 		</a>
+
+		<?php
+			if ( !is_login() ) {
+		?>
+		<a href="/index.php?c=login" title="手机登录" class="mdui-hidden-sm-up">
+			<li class="mdui-list-item mdui-ripple">
+			<div class="mdui-list-item-content category-name"><i class="fa fa-dashboard"></i> 登录</div>
+			</li>
+		</a>
+		<?php } else { ?>
+		<a href="/index.php?c=admin&page=logout" title="退出" class="mdui-hidden-sm-up">
+			<li class="mdui-list-item mdui-ripple">
+			<div class="mdui-list-item-content category-name"><i class="fa fa-dashboard"></i> 退出</div>
+		</li>
+		</a>
+		<?php } ?>
 	  </ul>
 	</div>
 	<!--左侧抽屉导航END-->
@@ -179,7 +195,7 @@
 	<!--正文内容部分END-->
 	<!-- footer部分 -->
 	<footer>
-		© 2021 Powered by <a target = "_blank" href="https://github.com/helloxz/onenav" title = "简约导航/书签管理器" rel = "nofollow">OneNav</a>.The author is <a href="https://www.xiaoz.me/" target="_blank" title = "小z博客">xiaoz.me</a>
+		© 2022 Powered by <a target = "_blank" href="https://github.com/helloxz/onenav" title = "简约导航/书签管理器" rel = "nofollow">OneNav</a>.The author is <a href="https://www.xiaoz.me/" target="_blank" title = "小z博客">xiaoz.me</a>
 	</footer>
 	<!-- footerend -->
 </body>

version.txt

@@ -1 +1 @@
-v0.9.12-20210726
+v0.9.13-20220214