From 45af08923cb265b3cb6f0fa9ef0ab592628a4961 Mon Sep 17 00:00:00 2001
From: Baoshuo
Date: Tue, 14 Feb 2023 18:52:31 +0800
Subject: [PATCH] fix: title escape
---
 web/app/controllers/add_contest.php | 98 ++++++------
 web/app/controllers/contest_manage.php | 202 ++++++++++++-------------
 web/app/controllers/group_manage.php | 2 +-
 web/app/controllers/list_manage.php | 2 +-
 web/app/models/HTML.php | 9 ++
 5 files changed, 150 insertions(+), 163 deletions(-)
diff --git a/web/app/controllers/add_contest.php b/web/app/controllers/add_contest.php
index 35c924f..ba54869 100644
--- a/web/app/controllers/add_contest.php
+++ b/web/app/controllers/add_contest.php
@@ -5,67 +5,57 @@ Auth::check() || redirectToLogin(); UOJContest::userCanCreateContest(Auth::user()) || UOJResponse::page403(); $time_form = new UOJForm('time'); -$time_form->addInput( - 'name', - [ - 'label' => UOJLocale::get('contests::contest name'), - 'default_value' => 'New Contest', - 'validator_php' => function ($name, &$vdata) { - if ($name == '') { - return '标题不能为空'; - } +$time_form->addInput('name', [ + 'label' => UOJLocale::get('contests::contest name'), + 'default_value' => 'New Contest', + 'validator_php' => function ($name, &$vdata) { + if ($name == '') { + return '标题不能为空'; + } - if (strlen($name) > 100) { - return '标题过长'; - } + if (strlen($name) > 100) { + return '标题过长'; + } - $name = HTML::escape($name); + $name = HTML::escape($name); + if ($name === '') { + return '无效编码'; + } - if ($name === '') { - return '无效编码'; - } + $vdata['name'] = $name; - $vdata['name'] = $name; + return ''; + }, +]); +$time_form->addInput('start_time', [ + 'div_class' => 'mt-2', + 'label' => UOJLocale::get('contests::start time'), + 'default_value' => UOJTime::$time_now_str, + 'validator_php' => function ($str, &$vdata) { + try { + $vdata['start_time'] = new DateTime($str); + } catch (Exception $e) { + return '无效时间格式'; + } - return ''; - }, - ] -); -$time_form->addInput( - 'start_time', - [ - 'div_class' => 'mt-2', - 'label' => UOJLocale::get('contests::start time'), - 'default_value' => UOJTime::$time_now_str, - 'validator_php' => function ($str, &$vdata) { - try { - $vdata['start_time'] = new DateTime($str); - } catch (Exception $e) { - return '无效时间格式'; - } + return ''; + }, +]); +$time_form->addInput('last_min', [ + 'div_class' => 'mt-2', + 'label' => UOJLocale::get('contests::duration'), + 'default_value' => '180', + 'help' => '单位为分钟。', + 'validator_php' => function ($str, &$vdata) { + if (!validateUInt($str)) { + return '必须为一个整数'; + } - return ''; - }, - ] -); -$time_form->addInput( - 'last_min', - [ - 'div_class' => 'mt-2', - 'label' => 
UOJLocale::get('contests::duration'), - 'default_value' => '180', - 'help' => '单位为分钟。', - 'validator_php' => function ($str, &$vdata) { - if (!validateUInt($str)) { - return '必须为一个整数'; - } + $vdata['last_min'] = $str; - $vdata['last_min'] = $str; - - return ''; - }, - ] -); + return ''; + }, +]); $time_form->handle = function (&$vdata) { $start_time_str = $vdata['start_time']->format('Y-m-d H:i:s'); diff --git a/web/app/controllers/contest_manage.php b/web/app/controllers/contest_manage.php index aa54f28..9c3ae5b 100644 --- a/web/app/controllers/contest_manage.php +++ b/web/app/controllers/contest_manage.php 
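Review bot: The length check in the `name` validator counts bytes of the raw input and runs before `HTML::escape`, so a 100-byte title containing `&`, `<` or quotes is stored longer than 100 bytes once escaped, and a CJK title is rejected at roughly 33 characters. If the contest name column is sized to this limit — not visible in the diff — the escaped form can exceed it; moving the check after the `$name = HTML::escape($name);` assignment, `if (strlen($name) > 100) { return '标题过长'; }`, bounds the stored value, and `mb_strlen` on the raw input would make the limit character-based if that is the intent. The same validator is repeated in the `profile` hunk of contest_manage.php. The `$time_form->handle` closure that consumes `$vdata` begins at the end of this hunk and continues outside it.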
@@ -37,64 +37,55 @@ if (!isset($tabs_info[$cur_tab])) { if ($cur_tab == 'profile') { $profile_form = new UOJForm('time'); - $profile_form->addInput( - 'name', - [ - 'label' => '比赛标题', - 'default_value' => UOJContest::info('name'), - 'validator_php' => function ($name, &$vdata) { - if ($name == '') { - return '标题不能为空'; - } + $profile_form->addInput('name', [ + 'label' => '比赛标题', + 'default_value' => HTML::unescape(UOJContest::info('name')), + 'validator_php' => function ($name, &$vdata) { + if ($name == '') { + return '标题不能为空'; + } - if (strlen($name) > 100) { - return '标题过长'; - } + if (strlen($name) > 100) { + return '标题过长'; + } - $name = HTML::escape($name); + $name = HTML::escape($name); - if ($name === '') { - return '无效编码'; - } + if ($name === '') { + return '无效编码'; + } - $vdata['name'] = $name; + $vdata['name'] = $name; - return ''; - }, - ], - ); - $profile_form->addInput( - 'start_time', - [ - 'div_class' => 'mt-3', - 'label' => '开始时间', - 'default_value' => UOJContest::info('start_time_str'), - 'validator_php' => function ($start_time, &$vdata) { - try { - $vdata['start_time'] = new DateTime($start_time); - } catch (Exception $e) { - return '无效时间格式'; - } - return ''; - }, - ] - ); - $profile_form->addInput( - 'last_min', - [ - 'div_class' => 'mt-3', - 'label' => '时长', - 'help' => '单位为分钟。', - 'default_value' => UOJContest::info('last_min'), - 'validator_php' => function ($last_min, &$vdata) { - if (!validateUInt($last_min)) { - return '必须为一个整数'; - } - $vdata['last_min'] = $last_min; - return ''; - }, - ] - ); + return ''; + }, + ]); + $profile_form->addInput('start_time', [ + 'div_class' => 'mt-3', + 'label' => '开始时间', + 'default_value' => UOJContest::info('start_time_str'), + 'validator_php' => function ($start_time, &$vdata) { + try { + $vdata['start_time'] = new DateTime($start_time); + } catch (Exception $e) { + return '无效时间格式'; + } + return ''; + }, + ]); + $profile_form->addInput('last_min', [ + 'div_class' => 'mt-3', + 'label' => '时长', + 'help' => 
'单位为分钟。', + 'default_value' => UOJContest::info('last_min'), + 'validator_php' => function ($last_min, &$vdata) { + if (!validateUInt($last_min)) { + return '必须为一个整数'; + } + $vdata['last_min'] = $last_min; + return ''; + }, + ]); $profile_form->handle = function (&$vdata) { DB::update([ "update contests", @@ -108,24 +99,24 @@ if ($cur_tab == 'profile') { dieWithJsonData(['status' => 'success', 'message' => '修改成功']); }; $profile_form->setAjaxSubmit(<<runAtServer(); } elseif ($cur_tab == 'problems') { if (isset($_POST['submit-remove_problem']) && $_POST['submit-remove_problem'] == 'remove_problem') { @@ -163,30 +154,27 @@ EOD); } $add_problem_form = new UOJForm('add_problem'); - $add_problem_form->addInput( - 'problem_id', - [ - 'label' => '题目 ID', - 'validator_php' => function ($problem_id, &$vdata) { - $problem = UOJProblem::query($problem_id); - if (!$problem) { - return '题目不存在。'; - } + $add_problem_form->addInput('problem_id', [ + 'label' => '题目 ID', + 'validator_php' => function ($problem_id, &$vdata) { + $problem = UOJProblem::query($problem_id); + if (!$problem) { + return '题目不存在。'; + } - if (!$problem->userCanManage(Auth::user())) { - return "无权添加此题目。"; - } + if (!$problem->userCanManage(Auth::user())) { + return "无权添加此题目。"; + } - if (UOJContest::cur()->hasProblem($problem)) { - return "题目已经在本场比赛中。"; - } + if (UOJContest::cur()->hasProblem($problem)) { + return "题目已经在本场比赛中。"; + } - $vdata['problem_id'] = $problem_id; + $vdata['problem_id'] = $problem_id; - return ''; - }, - ] - ); + return ''; + }, + ]); $add_problem_form->addSelect('judge_config', [ 'div_class' => 'mt-3', 'label' => '评测设置', @@ -241,24 +229,24 @@ EOD); $add_problem_form->config['submit_button']['text'] = '添加'; $add_problem_form->config['submit_button']['class'] = 'btn btn-secondary mt-3'; $add_problem_form->setAjaxSubmit(<<runAtServer(); } elseif ($cur_tab == 'managers') { $managers_form = newAddDelCmdForm( 
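Review bot: The `default_value` for `name` now hands the decoded title — which may contain `<`, `"` or `&` — to UOJForm, so the manage page stays free of injected markup only if UOJForm escapes `default_value` when it renders the input's value attribute; that rendering is not in this diff, and the commit's "title escape" fix suggests the previously stored-escaped value was being escaped a second time, which would confirm it. Worth verifying in the code that prints the input that `htmlspecialchars` is applied to `default_value`, and recording the contract at the call site with a comment such as `// name is stored HTML-escaped; decode for editing, UOJForm re-escapes on output`. The group_manage.php and list_manage.php hunks make the same change and rest on the same assumption. The `$profile_form->handle` closure that writes `$vdata['name']` back starts at the end of this hunk and continues outside it.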
diff --git a/web/app/controllers/group_manage.php b/web/app/controllers/group_manage.php
index d50610f..4a2e3f1 100644
--- a/web/app/controllers/group_manage.php
+++ b/web/app/controllers/group_manage.php
@@ -32,7 +32,7 @@ if ($cur_tab == 'profile') {
 $update_profile_form = new UOJForm('update_profile');
 $update_profile_form->addInput('name', [
 'label' => '名称',
- 'default_value' => UOJGroup::info('title'),
+ 'default_value' => HTML::unescape(UOJGroup::info('title')),
 'validator_php' => function ($title, &$vdata) {
 if ($title == '') {
 return '名称不能为空';
diff --git a/web/app/controllers/list_manage.php b/web/app/controllers/list_manage.php
index 807d748..94f28b9 100644
--- a/web/app/controllers/list_manage.php
+++ b/web/app/controllers/list_manage.php
@@ -26,7 +26,7 @@ if ($cur_tab == 'profile') {
 $update_profile_form = new UOJForm('update_profile');
 $update_profile_form->addInput('name', [
 'label' => '标题',
- 'default_value' => UOJList::info('title'),
+ 'default_value' => HTML::unescape(UOJList::info('title')),
 'validator_php' => function ($title, &$vdata) {
 if ($title == '') {
 return '标题不能为空';
diff --git a/web/app/models/HTML.php b/web/app/models/HTML.php
index aeab070..b022553 100644
--- a/web/app/models/HTML.php
+++ b/web/app/models/HTML.php
@@ -11,6 +11,15 @@ class HTML {
 return htmlspecialchars($str);
 }
 }
+
+ public static function unescape(?string $str) {
+ if ($str === null) {
+ return '';
+ } else {
+ return htmlspecialchars_decode($str);
+ }
+ }
+
 public static function stripTags($str) {
 return strip_tags($str);
 }
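Review bot: `unescape` declares no return type and relies on the default `$flags` of `htmlspecialchars_decode`, whose default changed in PHP 8.1 from `ENT_COMPAT` to `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401`; `escape` just above it calls `htmlspecialchars` with defaults too, so the pair only agrees while both run on the same PHP version — a title escaped on 8.1 carries `&#039;` for a single quote, which a decoder running with the older default leaves in place and the next save re-escapes to `&amp;#039;`. Passing one explicit flag set to both calls removes the version dependence: `public static function unescape(?string $str): string {` with body `return $str === null ? '' : htmlspecialchars_decode($str, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401);`, and the same flags on the `htmlspecialchars` call in `escape`, whose start lies outside the hunk. A docblock should also state that this only reverses `escape` and is not a sanitiser, so its result is raw text that must be escaped again wherever it is printed.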