优化文档名称的XSS过滤

zmister2016 · Sep 7, 2021 · d2eda66 · d2eda66
1 parent 00c26e9
commit d2eda66
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 4 deletions.
diff --git a/app_doc/views.py b/app_doc/views.py
@@ -36,6 +36,53 @@
 import markdown
 
 
+# HTML转义
+def jsonXssFilter(data):
+    payloads = {
+        '\'':'&apos;',
+        '"':'&quot;',
+        '<':'&lt;',
+        '>':'&gt;'
+    }
+    if type(data) == dict:
+        new = {}
+        for key,values in data.items():
+            new[key] = jsonXssFilter(values)
+    elif type(data) == list:
+        new = []
+        for i in data:
+            new.append(jsonXssFilter(i))
+    elif type(data) == int or type(data) == float:
+        new = data
+    elif type(data) == str:
+        new = data
+        for key,value in payloads.items():
+            new = new.replace(key,value)
+    elif type(data) ==bytes:
+        new = data
+    else:
+        print('>>> unknown type:')
+        print(type(data))
+        new = data
+    return new
+
+
+def html_filter(data):
+    if len(data) == 0:
+        return ""
+    payloads = {
+        '\'':'&apos;',
+        '"':'&quot;',
+        '<':'&lt;',
+        '>':'&gt;'
+    }
+    new = data
+    for key, value in payloads.items():
+        new = new.replace(key, value)
+    print(new)
+    return new
+
+
 # 替换前端传来的非法字符
 def validateTitle(title):
   rstr = r"[\/\\\:\*\?\"\<\>\|\[\]]" # '/ \ : * ? " < > |'
@@ -2071,6 +2118,7 @@ def get_pro_doc_tree(request):
             # 如果一级文档没有下级文档，直接保存
             else:
                 doc_list.append(top_item)
+        doc_list = jsonXssFilter(doc_list)
         return JsonResponse({'status':True,'data':doc_list})
     else:
         return JsonResponse({'status':False,'data':_('参数错误')})

diff --git a/template/app_admin/admin_doc.html b/template/app_admin/admin_doc.html
@@ -66,11 +66,11 @@
     {% verbatim %}
         {{#if (d.status == 1) { }}
             <span class="layui-badge-dot layui-bg-blue"></span>
-            <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{d.name}}</a>
+            <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{=d.name}}</a>
         {{# }else if(d.status == 0){ }}
             <!-- <i class="layui-icon layui-icon-release" style="cursor: pointer;" onclick="fastPubDoc('{{d.id}}')" title="草稿状态，点击一键发布"></i>&nbsp; -->
             <span class="layui-badge-dot layui-bg-orange"></span>
-            <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档：{{d.name}}">{{ d.name }} </a>
+            <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档：{{=d.name}}">{{=d.name}} </a>
         {{# } }}
         {{#if (d.editor_mode in [1,2,3]) { }}
             <i class="layui-icon layui-icon-form" title="普通文档"</i>

diff --git a/template/app_doc/manage/manage_doc.html b/template/app_doc/manage/manage_doc.html
@@ -77,10 +77,10 @@
     {% verbatim %}
         {{#if (d.status == 1) { }}
             <span class="layui-badge-dot layui-bg-blue"></span>
-            <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{d.name}}</a>
+            <a href="/project-{{d.project_id}}/doc-{{d.id}}" target="_blank">{{=d.name}}</a>
         {{# }else if(d.status == 0){ }}
             <span class="layui-badge-dot layui-bg-orange"></span>
-            <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档：{{d.name}}">{{ d.name }} </a>
+            <a href="/modify_doc/{{d.id}}/" target="_blank" title="修改文档：{{=d.name}}">{{=d.name}} </a>
         {{# } }}
         {{#if (d.editor_mode in [1,2,3]) { }}
             <i class="layui-icon layui-icon-form" title="普通文档"</i>