
Merge remote-tracking branch 'origin/debug' into debug

Roc 1 年之前
父節點
當前提交
3e864a41d9
共有 7 個文件被更改,包括 117 次插入24 次删除
  1. 18 3
      controllers/english_report/report.go
  2. 30 5
      controllers/report.go
  3. 0 12
      controllers/user_login.go
  4. 0 1
      go.mod
  5. 6 1
      services/report.go
  6. 2 2
      services/speech_recognition.go
  7. 61 0
      utils/common.go

+ 18 - 3
controllers/english_report/report.go

@@ -65,7 +65,12 @@ func (this *EnglishReportController) Add() {
 
 	var contentSub string
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			br.Msg = "存在非法标签"
+			br.ErrMsg = "存在非法标签, Err: " + e.Error()
+			return
+		}
 		content, e := services.FilterReportContentBr(req.Content)
 		if e != nil {
 			br.Msg = "内容去除前后空格失败"
@@ -183,7 +188,12 @@ func (this *EnglishReportController) Edit() {
 	}
 	var contentSub string
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			br.Msg = "存在非法标签"
+			br.ErrMsg = "存在非法标签, Err: " + e.Error()
+			return
+		}
 		content, e := services.FilterReportContentBr(req.Content)
 		if e != nil {
 			br.Msg = "内容去除前后空格失败"
@@ -1015,7 +1025,12 @@ func (this *EnglishReportController) SaveReportContent() {
 			content = this.GetString("Content")
 		}
 		if content != "" {
-			req.Content = utils.ContentXssFilter(req.Content)
+			e := utils.ContentXssCheck(req.Content)
+			if e != nil {
+				br.Msg = "存在非法标签"
+				br.ErrMsg = "存在非法标签, Err: " + e.Error()
+				return
+			}
 			contentClean, e := services.FilterReportContentBr(req.Content)
 			if e != nil {
 				br.Msg = "内容去除前后空格失败"
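Review bot: The removed line `req.Content = utils.ContentXssFilter(req.Content)` sanitized the content before it was stored; the new `ContentXssCheck` only accepts or rejects, so any input its denylist does not recognise is now persisted verbatim. Keeping the sanitizer as a second layer, `req.Content = utils.ContentXssFilter(req.Content)` on the line after the new `if e != nil { ... }` block, preserves the previous guarantee while still surfacing the error to the caller. The same replacement appears in the Edit and SaveReportContent hunks of this file, in all five hunks of controllers/report.go, and in CreateNewReport in services/report.go, so the fix belongs in each of them. In both SaveReportContent hunks the guard tests `content` (assigned from `this.GetString("Content")` in the context lines) while the check runs on `req.Content`; if those two can differ, the check inspects a value other than the one the guard saw — confirm against the surrounding code. Every enclosing method here begins and ends outside its hunk.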

+ 30 - 5
controllers/report.go

@@ -525,7 +525,12 @@ func (this *ReportController) Add() {
 	}
 	var contentSub string
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			br.Msg = "存在非法标签"
+			br.ErrMsg = "存在非法标签, Err: " + e.Error()
+			return
+		}
 		content, e := services.FilterReportContentBr(req.Content)
 		if e != nil {
 			br.Msg = "内容去除前后空格失败"
@@ -660,7 +665,12 @@ func (this *ReportController) Edit() {
 	}
 	var contentSub string
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			br.Msg = "存在非法标签"
+			br.ErrMsg = "存在非法标签, Err: " + e.Error()
+			return
+		}
 		content, e := services.FilterReportContentBr(req.Content)
 		if e != nil {
 			br.Msg = "内容去除前后空格失败"
@@ -1209,7 +1219,12 @@ func (this *ReportController) SaveReportContent() {
 			content = this.GetString("Content")
 		}
 		if content != "" {
-			req.Content = utils.ContentXssFilter(req.Content)
+			e := utils.ContentXssCheck(req.Content)
+			if e != nil {
+				br.Msg = "存在非法标签"
+				br.ErrMsg = "存在非法标签, Err: " + e.Error()
+				return
+			}
 			contentClean, e := services.FilterReportContentBr(req.Content)
 			if e != nil {
 				br.Msg = "内容去除前后空格失败"
@@ -2444,7 +2459,12 @@ func (this *ReportController) EditDayWeekChapter() {
 	// 更新章节及指标
 	contentSub := ""
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			br.Msg = "存在非法标签"
+			br.ErrMsg = "存在非法标签, Err: " + e.Error()
+			return
+		}
 		contentClean, e := services.FilterReportContentBr(req.Content)
 		if e != nil {
 			br.Msg = "内容去除前后空格失败"
@@ -2916,7 +2936,12 @@ func (this *ReportController) PublishDayWeekReportChapter() {
 	// 更新章节信息
 	contentSub := ""
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			br.Msg = "存在非法标签"
+			br.ErrMsg = "存在非法标签, Err: " + e.Error()
+			return
+		}
 		contentClean, e := services.FilterReportContentBr(req.Content)
 		if e != nil {
 			br.Msg = "内容去除前后空格失败"

+ 0 - 12
controllers/user_login.go

@@ -269,19 +269,7 @@ func (this *UserLoginController) Login() {
 	}
 	req.Username = strings.TrimSpace(req.Username)
 	req.Mobile = strings.TrimSpace(req.Mobile)
-	if req.Mobile != "" {
-		if !utils.ValidateMobileFormatat(req.Mobile) {
-			br.Msg = "您的手机号输入有误, 请检查"
-			return
-		}
-	}
 	req.Email = strings.TrimSpace(req.Email)
-	if req.Email != "" {
-		if !utils.ValidateEmailFormatat(req.Email) {
-			br.Msg = "您的邮箱输入有误, 请检查"
-			return
-		}
-	}
 	req.VerifyCode = strings.TrimSpace(req.VerifyCode)
 	if req.LoginType != 1 && req.LoginType != 2 && req.LoginType != 3 {
 		br.Msg = "登录方式有误"

+ 0 - 1
go.mod

@@ -113,7 +113,6 @@ require (
 	github.com/xuri/nfp v0.0.0-20230919160717-d98342af3f05 // indirect
 	golang.org/x/crypto v0.19.0 // indirect
 	golang.org/x/image v0.15.0 // indirect
-	golang.org/x/net v0.21.0 // indirect
 	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
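Review bot: The `golang.org/x/net v0.21.0 // indirect` requirement deleted here is still needed, because utils/common.go in the same commit adds a direct import of `golang.org/x/net/html`. Unless a direct `require golang.org/x/net` line exists outside this hunk, the module no longer declares the dependency and the build will fail; running `go mod tidy` should turn the indirect line into a direct one rather than removing it.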

+ 6 - 1
services/report.go

@@ -952,7 +952,12 @@ func PcCreateAndUploadSunCode(scene, page string) (imgUrl string, err error) {
 func CreateNewReport(req models.AddReq, adminInfo *system.Admin) (newReportId int64, reportCode, errMsg string, err error) {
 	contentSub := ""
 	if req.Content != "" {
-		req.Content = utils.ContentXssFilter(req.Content)
+		e := utils.ContentXssCheck(req.Content)
+		if e != nil {
+			errMsg = "存在非法标签"
+			err = errors.New("存在非法标签, Err: " + e.Error())
+			return
+		}
 		contentClean, e := FilterReportContentBr(req.Content)
 		if e != nil {
 			errMsg = "内容去除前后空格失败"

+ 2 - 2
services/speech_recognition.go

@@ -326,7 +326,7 @@ func MoveSpeechMenu(req speech_recognition.SpeechRecognitionMenuMoveReq) (err er
 		{
 			cond := fmt.Sprintf(` AND %s = ? AND %s = ? AND %s <> ?`, speech_recognition.SpeechRecognitionMenuCols.MenuName, speech_recognition.SpeechRecognitionMenuCols.ParentId, speech_recognition.SpeechRecognitionMenuCols.SpeechRecognitionMenuId)
 			pars := make([]interface{}, 0)
-			pars = append(pars, parentMenuId, speechMenu.MenuName, menuId)
+			pars = append(pars, speechMenu.MenuName, parentMenuId, menuId)
 			exists, e := menuOb.GetItemByCondition(cond, pars, "")
 			if e != nil && e.Error() != utils.ErrNoRow() {
 				errMsg = "移动失败"
@@ -827,7 +827,7 @@ func MoveSpeechTagMenu(req speech_recognition.SpeechRecognitionTagMenuMoveReq) (
 		{
 			cond := fmt.Sprintf(` AND %s = ? AND %s = ? AND %s <> ?`, speech_recognition.SpeechRecognitionTagMenuCols.MenuName, speech_recognition.SpeechRecognitionTagMenuCols.ParentId, speech_recognition.SpeechRecognitionTagMenuCols.SpeechRecognitionTagMenuId)
 			pars := make([]interface{}, 0)
-			pars = append(pars, parentMenuId, tagMenu.MenuName, menuId)
+			pars = append(pars, tagMenu.MenuName, parentMenuId, menuId)
 			exists, e := menuOb.GetItemByCondition(cond, pars, "")
 			if e != nil && e.Error() != utils.ErrNoRow() {
 				errMsg = "移动失败"
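Review bot: The new argument order is correct only because the `fmt.Sprintf` cond two lines above lists MenuName, ParentId and then the menu id; nothing in the code ties the two lines together, which is how the order drifted in the first place. A comment on the `pars` line in both MoveSpeechMenu and MoveSpeechTagMenu, `// order must match cond: MenuName, ParentId, <menu id>`, makes the positional coupling visible to the next editor. Both enclosing functions start and end outside the hunks.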

+ 61 - 0
utils/common.go

@@ -15,6 +15,7 @@ import (
 	"github.com/PuerkitoBio/goquery"
 	"github.com/microcosm-cc/bluemonday"
 	"github.com/shopspring/decimal"
+	xhtml "golang.org/x/net/html"
 	"html"
 	"image"
 	"image/png"
@@ -2350,6 +2351,66 @@ func isValidSrc(src string) bool {
 	return validSchemes.MatchString(src)
 }
 
+// ContentXssCheck 校验文本中的JS代码
+func ContentXssCheck(content string) (err error) {
+	// 解析HTML内容
+	node, err := xhtml.Parse(strings.NewReader(content))
+	if err != nil {
+		err = fmt.Errorf(" html.Parse Err: %v", err)
+		return
+	}
+
+	// 遍历解析后的节点树,查找特定标签
+	var visit func(n *xhtml.Node) error
+	visit = func(n *xhtml.Node) error {
+		if n.Type == xhtml.ElementNode {
+			lowerData := strings.ToLower(n.Data)
+			switch lowerData {
+			case "script", "javascript":
+				err = fmt.Errorf(" script is forbidden")
+				return err
+			default:
+				for _, attr := range n.Attr { //判断事件
+					lowerKey := strings.ToLower(attr.Key)
+					lowerVal := strings.ToLower(attr.Val)
+					if lowerKey == "src" || lowerKey == "dynsrc" || lowerKey == "background" || lowerKey == "lowsrc" {
+						if !isValidSrc(lowerVal) {
+							err = fmt.Errorf("invalid src attribute value: %s", attr.Val)
+							return err
+						}
+					}
+					if strings.HasPrefix(lowerKey, "on") {
+						err = fmt.Errorf("the event is forbidden: %s:%s", attr.Key, attr.Val)
+						return err
+					}
+					if lowerKey == "style" {
+						if strings.Contains(lowerVal, "javascript:") || strings.Contains(lowerVal, "script:") {
+							err = fmt.Errorf("invalid style attribute value: %s", attr.Val)
+							return err
+						}
+					}
+				}
+				/*	case "src":
+					// 如果<src>是某个标签的属性,你可能需要递归检查其父节点
+					// 这里简单起见,我们假设<src>不是有效的HTML标签,并忽略它
+					// 在实际中,你可能需要更复杂的逻辑来处理这种情况
+					fmt.Println("Warning: Unexpected 'src' tag found.")*/
+			}
+		}
+		for c := n.FirstChild; c != nil; c = c.NextSibling {
+			if err = visit(c); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	// 检查HTML文档中的事件
+	if err = visit(node); err != nil {
+		return
+	}
+	return
+}
+
 func ContentXssFilter(content string) (cleanContent string) {
 	p := customXssPolicy()
 	// The policy can then be used to sanitize lots of input and it is safe to use the policy in multiple goroutines
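Review bot: ContentXssCheck is a denylist and is narrower than the allowlist sanitizer it is replacing in the controllers: only `script` (and `javascript`, which is not an element name) are rejected, and the URL check covers `src`/`dynsrc`/`background`/`lowsrc` but not `href`, `action` or `formaction`, so link and form URL attributes are never passed to isValidSrc. Widening the two lines to `case "script", "iframe", "object", "embed":` and adding `|| lowerKey == "href" || lowerKey == "action" || lowerKey == "formaction"` to the URL-attribute test closes the visible gaps, but the function is best kept as a pre-check in front of ContentXssFilter rather than a replacement for it. The error strings embed the raw `attr.Val`, and the controllers concatenate `e.Error()` into `br.ErrMsg`; reporting `attr.Key` alone avoids echoing rejected input back in the response. Inside the closure each `err = fmt.Errorf(...); return err` pair can simply be `return fmt.Errorf(...)`, since the outer `err` is assigned at `if err = visit(node)`, and the commented-out `case "src"` block after the attribute loop is dead text that should be deleted.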