
提示非法内容

xyxie před 1 rokem
rodič
revize
324667c738
4 změnil soubory, kde provedl 121 přidání a 9 odebrání
  1. 18 3
      controllers/english_report/report.go
  2. 30 5
      controllers/report.go
  3. 6 1
      services/report.go
  4. 67 0
      utils/common.go

+ 18 - 3
controllers/english_report/report.go

@@ -65,7 +65,12 @@ func (this *EnglishReportController) Add() {
 
 	var contentSub string
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			br.Msg = "存在非法标签"
+			br.ErrMsg = "存在非法标签, Err: " + e.Error()
+			return
+		}
 		content, e := services.FilterReportContentBr(req.Content)
 		if e != nil {
 			br.Msg = "内容去除前后空格失败"
@@ -183,7 +188,12 @@ func (this *EnglishReportController) Edit() {
 	}
 	var contentSub string
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			br.Msg = "存在非法标签"
+			br.ErrMsg = "存在非法标签, Err: " + e.Error()
+			return
+		}
 		content, e := services.FilterReportContentBr(req.Content)
 		if e != nil {
 			br.Msg = "内容去除前后空格失败"
@@ -1015,7 +1025,12 @@ func (this *EnglishReportController) SaveReportContent() {
 			content = this.GetString("Content")
 		}
 		if content != "" {
-			req.Content = utils.ContentXssFilter(req.Content)
+			e := utils.ContentXssCheck(req.Content)
+			if e != nil {
+				br.Msg = "存在非法标签"
+				br.ErrMsg = "存在非法标签, Err: " + e.Error()
+				return
+			}
 			contentClean, e := services.FilterReportContentBr(req.Content)
 			if e != nil {
 				br.Msg = "内容去除前后空格失败"
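Review bot: The new guard in Add() replaces the sanitizer instead of adding to it: after `utils.ContentXssCheck` returns nil, req.Content is passed on unmodified, whereas the removed line ran it through `utils.ContentXssFilter` (the bluemonday policy) and stored the cleaned result. ContentXssCheck rejects only a fixed list of cases (script elements, src-like attributes, on* handlers, a few patterns in style), so anything outside that list that the policy used to strip now reaches storage untouched; keep the sanitizer as the last step and use the check only as an up-front rejection, e.g. after the guard `req.Content = utils.ContentXssFilter(req.Content)`. The same replacement is made in Edit() and SaveReportContent() in this file, in all five hunks of controllers/report.go, and in CreateNewReport in services/report.go. Also `br.ErrMsg` carries e.Error(), which for the attribute cases embeds the raw attribute value; that is fine for a server-side log but should not be echoed to the client as-is — worth confirming how ErrMsg is used. Add(), Edit() and SaveReportContent() all start and end outside their hunks.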

+ 30 - 5
controllers/report.go

@@ -525,7 +525,12 @@ func (this *ReportController) Add() {
 	}
 	var contentSub string
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			br.Msg = "存在非法标签"
+			br.ErrMsg = "存在非法标签, Err: " + e.Error()
+			return
+		}
 		content, e := services.FilterReportContentBr(req.Content)
 		if e != nil {
 			br.Msg = "内容去除前后空格失败"
@@ -658,7 +663,12 @@ func (this *ReportController) Edit() {
 	}
 	var contentSub string
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			br.Msg = "存在非法标签"
+			br.ErrMsg = "存在非法标签, Err: " + e.Error()
+			return
+		}
 		content, e := services.FilterReportContentBr(req.Content)
 		if e != nil {
 			br.Msg = "内容去除前后空格失败"
@@ -1205,7 +1215,12 @@ func (this *ReportController) SaveReportContent() {
 			content = this.GetString("Content")
 		}
 		if content != "" {
-			req.Content = utils.ContentXssFilter(req.Content)
+			e := utils.ContentXssCheck(req.Content)
+			if e != nil {
+				br.Msg = "存在非法标签"
+				br.ErrMsg = "存在非法标签, Err: " + e.Error()
+				return
+			}
 			contentClean, e := services.FilterReportContentBr(req.Content)
 			if e != nil {
 				br.Msg = "内容去除前后空格失败"
@@ -2432,7 +2447,12 @@ func (this *ReportController) EditDayWeekChapter() {
 	// 更新章节及指标
 	contentSub := ""
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			br.Msg = "存在非法标签"
+			br.ErrMsg = "存在非法标签, Err: " + e.Error()
+			return
+		}
 		contentClean, e := services.FilterReportContentBr(req.Content)
 		if e != nil {
 			br.Msg = "内容去除前后空格失败"
@@ -2904,7 +2924,12 @@ func (this *ReportController) PublishDayWeekReportChapter() {
 	// 更新章节信息
 	contentSub := ""
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			br.Msg = "存在非法标签"
+			br.ErrMsg = "存在非法标签, Err: " + e.Error()
+			return
+		}
 		contentClean, e := services.FilterReportContentBr(req.Content)
 		if e != nil {
 			br.Msg = "内容去除前后空格失败"

+ 6 - 1
services/report.go

@@ -937,7 +937,12 @@ func PcCreateAndUploadSunCode(scene, page string) (imgUrl string, err error) {
 func CreateNewReport(req models.AddReq, adminInfo *system.Admin) (newReportId int64, reportCode, errMsg string, err error) {
 	contentSub := ""
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			errMsg = "存在非法标签"
+			err = errors.New("存在非法标签, Err: " + e.Error())
+			return
+		}
 		contentClean, e := FilterReportContentBr(req.Content)
 		if e != nil {
 			errMsg = "内容去除前后空格失败"

+ 67 - 0
utils/common.go

@@ -15,6 +15,7 @@ import (
 	"github.com/PuerkitoBio/goquery"
 	"github.com/microcosm-cc/bluemonday"
 	"github.com/shopspring/decimal"
+	xhtml "golang.org/x/net/html"
 	"html"
 	"image"
 	"image/png"
@@ -2299,6 +2300,72 @@ func GetColorMap() map[int]string {
 	return colorMap
 }
 
+// 检查src属性是否以http或data:image开头
+func isValidSrc(src string) bool {
+	validSchemes := regexp.MustCompile(`^(http|https|data:image):[\w\./?%&=]*$`)
+	return validSchemes.MatchString(src)
+}
+
+// ContentXssCheck 校验文本中的JS代码
+func ContentXssCheck(content string) (err error) {
+	// 解析HTML内容
+	node, err := xhtml.Parse(strings.NewReader(content))
+	if err != nil {
+		err = fmt.Errorf(" html.Parse Err: %v", err)
+		return
+	}
+
+	// 遍历解析后的节点树,查找特定标签
+	var visit func(n *xhtml.Node) error
+	visit = func(n *xhtml.Node) error {
+		if n.Type == xhtml.ElementNode {
+			lowerData := strings.ToLower(n.Data)
+			switch lowerData {
+			case "script", "javascript":
+				err = fmt.Errorf(" script is forbidden")
+				return err
+			default:
+				for _, attr := range n.Attr { //判断事件
+					lowerKey := strings.ToLower(attr.Key)
+					lowerVal := strings.ToLower(attr.Val)
+					if lowerKey == "src" || lowerKey == "dynsrc" || lowerKey == "background" || lowerKey == "lowsrc" {
+						if !isValidSrc(lowerVal) {
+							err = fmt.Errorf("invalid src attribute value: %s", attr.Val)
+							return err
+						}
+					}
+					if strings.HasPrefix(lowerKey, "on") {
+						err = fmt.Errorf("the event is forbidden: %s:%s", attr.Key, attr.Val)
+						return err
+					}
+					if lowerKey == "style" {
+						if strings.Contains(lowerVal, "javascript:") || strings.Contains(lowerVal, "script:") {
+							err = fmt.Errorf("invalid style attribute value: %s", attr.Val)
+							return err
+						}
+					}
+				}
+				/*	case "src":
+					// 如果<src>是某个标签的属性,你可能需要递归检查其父节点
+					// 这里简单起见,我们假设<src>不是有效的HTML标签,并忽略它
+					// 在实际中,你可能需要更复杂的逻辑来处理这种情况
+					fmt.Println("Warning: Unexpected 'src' tag found.")*/
+			}
+		}
+		for c := n.FirstChild; c != nil; c = c.NextSibling {
+			if err = visit(c); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	// 检查HTML文档中的事件
+	if err = visit(node); err != nil {
+		return
+	}
+	return
+}
+
 func ContentXssFilter(content string) (cleanContent string) {
 	p := customXssPolicy()
 	// The policy can then be used to sanitize lots of input and it is safe to use the policy in multiple goroutines
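Review bot: `isValidSrc` calls regexp.MustCompile on every invocation, and the pattern it compiles does not describe the values it is meant to accept: `^(http|https|data:image):` requires a literal colon right after `data:image`, so a real `data:image/<type>;base64,...` value never matches, and the class `[\w\./?%&=]*` excludes `-`, `:`, `#`, `;`, `,` and `+`, so ordinary hostnames with a dash, a port, or a fragment are rejected too. This is a false-positive problem rather than a bypass, but it means the check is effectively "http(s) with a restricted character set" and will reject legitimate images. Parsing with `net/url` (it needs adding to the import block) and allow-listing the scheme is clearer and compiles nothing per call; a sketch is below. Two smaller points: `case "script", "javascript"` — there is no `javascript` element, so that arm is dead and could be dropped with a comment saying only `script` elements are rejected; and the check inspects the tree html.Parse builds, not the stored string, so please keep the bluemonday `ContentXssFilter` pass in the callers as the sanitizing step (this function validates, it does not clean). ContentXssFilter's body continues outside the hunk.
```go
// isValidSrc accepts only absolute http(s) URLs and image data URIs.
// Anything net/url cannot parse is rejected.
func isValidSrc(src string) bool {
	u, err := url.Parse(strings.TrimSpace(src))
	if err != nil {
		return false
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		return u.Host != ""
	case "data":
		// data URIs are opaque: "image/png;base64,..." lands in u.Opaque
		return strings.HasPrefix(strings.ToLower(u.Opaque), "image/")
	}
	return false
}
// … unchanged: ContentXssCheck …
```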