baoshuo/S2OJ
baoshuo/S2OJ
1
1
Fork 0
mirror of https://github.com/renbaoshuo/S2OJ.git synced 2024-11-22 23:58:41 +00:00
Code Issues Actions Packages Releases Activity

fix: use rawurlencode
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Baoshuo Ren 2022-09-29 07:41:45 +08:00
parent a4786d1395
commit 0d5f22cc06
Signed by: baoshuo
GPG Key ID: 00CB9680AB29F51A
3 changed files with 6 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
web/app/controllers/user_info.php
View File

@ -41,7 +41,7 @@
<?php $motto_id = uniqid("motto-{$user['username']}-"); ?> <?php $motto_id = uniqid("motto-{$user['username']}-"); ?>
<div class="card-text" id="<?= $motto_id ?>"></div> <div class="card-text" id="<?= $motto_id ?>"></div>
<script type="text/javascript"> <script type="text/javascript">
$(function() { $('#<?= $motto_id ?>').html(DOMPurify.sanitize(decodeURIComponent("<?= urlencode($user['motto']) ?>"), <?= DOM_SANITIZE_CONFIG ?>)); }); $(function() { $('#<?= $motto_id ?>').html(DOMPurify.sanitize(decodeURIComponent("<?= rawurlencode($user['motto']) ?>"), <?= DOM_SANITIZE_CONFIG ?>)); });
</script> </script>
</div> </div>
<ul class="list-group list-group-flush"> <ul class="list-group list-group-flush">
@ -199,13 +199,10 @@
</div> </div>
<div class="list-group-item"> <div class="list-group-item">
<h4 class="list-group-item-heading"><?= UOJLocale::get('motto') ?></h4> <h4 class="list-group-item-heading"><?= UOJLocale::get('motto') ?></h4>
<?php <?php $motto_id = uniqid("motto-{$user['username']}-"); ?>
$motto_id = uniqid("motto-{$user['username']}-");
$dom_sanitize_config = DOM_SANITIZE_CONFIG;
?>
<p class="list-group-item-text" id="<?= $motto_id ?>"></p> <p class="list-group-item-text" id="<?= $motto_id ?>"></p>
<script type="text/javascript"> <script type="text/javascript">
$(function() { $('#<?= $motto_id ?>').html(DOMPurify.sanitize('<?= addslashes($user['motto']) ?>', <?= $dom_sanitize_config ?>)); }); $(function() { $('#<?= $motto_id ?>').html(DOMPurify.sanitize('<?= addslashes($user['motto']) ?>', <?= DOM_SANITIZE_CONFIG ?>)); });
</script> </script>
</div> </div>

4
web/app/libs/uoj-html-lib.php
View File

@ -1347,10 +1347,10 @@ function echoRanklist($config = array()) {
echo '<td>' . getUserLink($user['username']) . '</td>'; echo '<td>' . getUserLink($user['username']) . '</td>';
$motto_id = uniqid("motto-{$user['username']}-"); $motto_id = uniqid("motto-{$user['username']}-");
echo "<td id=\"$motto_id\"></td>"; echo "<td id=\"$motto_id\"></td>";
$motto = addslashes($user['motto']); $motto = rawurlencode($user['motto']);
$dom_sanitize_config = DOM_SANITIZE_CONFIG; $dom_sanitize_config = DOM_SANITIZE_CONFIG;
echo '<script type="text/javascript">'; echo '<script type="text/javascript">';
echo "$(function() { $('#$motto_id').html(DOMPurify.sanitize('{$motto}', $dom_sanitize_config)); });"; echo "$(function() { $('#$motto_id').html(DOMPurify.sanitize(decodeURIComponent(\"{$motto}\"), $dom_sanitize_config)); });";
echo '</script>'; echo '</script>';
echo '<td>' . $user['ac_num'] . '</td>'; echo '<td>' . $user['ac_num'] . '</td>';
echo '</tr>'; echo '</tr>';

2
web/app/views/page-header.php
View File

@ -318,7 +318,7 @@
<div id="announcement-content-<?= $group['id'] ?>"></div> <div id="announcement-content-<?= $group['id'] ?>"></div>
<script>(function(){ <script>(function(){
$('#announcement-content-<?= $group['id'] ?>') $('#announcement-content-<?= $group['id'] ?>')
.html(DOMPurify.sanitize(decodeURIComponent("<?= urlencode($group_announcement) ?>"), <?= DOM_SANITIZE_CONFIG ?>)); .html(DOMPurify.sanitize(decodeURIComponent("<?= rawurlencode($group_announcement) ?>"), <?= DOM_SANITIZE_CONFIG ?>));
})();</script> })();</script>
<?php else: ?> <?php else: ?>
<div>(暂无公告)</div> <div>(暂无公告)</div>