修复投稿XSS，搜素sql注入的漏洞

arterli · Jul 5, 2018 · 4b88af9 · 4b88af9
1 parent 2b60880
commit 4b88af9
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 4 deletions.
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "CMSWing",
   "description": "基于ThinkJS(Node.js MVC)和MySQL的功能强大的电子商务平台及CMS建站系统",
-  "version": "1.3.5",
+  "version": "1.3.6",
   "scripts": {
     "start": "node development.js",
     "lint": "eslint src/",

diff --git a/src/controller/home/search.js b/src/controller/home/search.js
@@ -25,7 +25,7 @@ module.exports = class extends think.cmswing.center {
     } else {
       const time = this.get('d');
       let search_time, sql_time, sql;
-      const m_id = this.get('m') || 0;
+      const m_id = Number(this.get('m')) || 0;
       // 按时间搜索
       if (time == 'day') {
         search_time = new Date().getTime() - 86400000;
@@ -81,7 +81,6 @@ module.exports = class extends think.cmswing.center {
           sql += sql_time;
         }
       }
-
       const numsPerPage = 10;
       const currentPage = Number(this.get('page')) || 1;
       const count = await this.model('mysql').query(`SELECT count(search_id) FROM __SEARCH__ WHERE ${sql}`);

diff --git a/view/admin/approval_index.html b/view/admin/approval_index.html
@@ -50,7 +50,7 @@
                     <tr>
                         <td><label class="checkbox m-n i-checks"><input class="ids" type="checkbox" name="ids" value="{{item.id}}"><i></i></label></td>
                         <td><a href="/admin/user/showuser/?id={{item.uid}}" class="text-info" data-toggle="ajaxModal">{{item.uid|get_nickname}}</a></td>
-                        <td><a href="/admin/approval/details/?id={{item.id}}" class="text-info" data-toggle="ajaxModal">{{item.title}} <i class="fa fa-search-plus"></i> </a> </td>
+                        <td>{{item.title|delhtmltags}}   </td>
                         <td>{{item.time | moment('YYYY-MM-DD HH:mm:ss')}}</td>