|
@@ -24,6 +24,7 @@ import (
|
|
"math/rand"
|
|
"math/rand"
|
|
"net"
|
|
"net"
|
|
"net/http"
|
|
"net/http"
|
|
|
|
+ "net/url"
|
|
"os"
|
|
"os"
|
|
"os/exec"
|
|
"os/exec"
|
|
"path"
|
|
"path"
|
|
@@ -2346,9 +2347,17 @@ func ByteToMB(byteCount int) float64 {
|
|
|
|
|
|
// 检查src属性是否以http或data:image开头
|
|
// 检查src属性是否以http或data:image开头
|
|
func isValidSrc(src string) bool {
|
|
func isValidSrc(src string) bool {
|
|
- validSchemes := regexp.MustCompile(`^(http|https|data:image):[\w\./?%&=]*$`)
|
|
|
|
- fmt.Println(validSchemes.MatchString(src))
|
|
|
|
- return validSchemes.MatchString(src)
|
|
|
|
|
|
+ // 使用Parse函数解析URL
|
|
|
|
+ parsedURL, err := url.Parse(src)
|
|
|
|
+ if err != nil {
|
|
|
|
+ validSchemes := regexp.MustCompile(`^data:image\/.*;base64,.*$`)
|
|
|
|
+ return validSchemes.MatchString(src)
|
|
|
|
+ }
|
|
|
|
+ if parsedURL.Host == "" || (parsedURL.Scheme != "http" && parsedURL.Scheme != "https") {
|
|
|
|
+ validSchemes := regexp.MustCompile(`^data:image\/.*;base64,.*$`)
|
|
|
|
+ return validSchemes.MatchString(src)
|
|
|
|
+ }
|
|
|
|
+ return true
|
|
}
|
|
}
|
|
|
|
|
|
// ContentXssCheck 校验文本中的JS代码
|
|
// ContentXssCheck 校验文本中的JS代码
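Review bot: The http/https branch of the new isValidSrc returns true for any parseable URL with a host, and url.Parse is lenient about path characters, so a value such as `http://example.com/" onerror="alert(1)` now passes where the removed character-class regex rejected quotes, spaces and angle brackets; whether that is exploitable depends on how callers embed src in the attribute, which is not visible here, but a validator that sits next to ContentXssCheck should not widen the accepted charset silently. The data: fallback has the same looseness — `^data:image\/.*;base64,.*$` accepts any image subtype, including `image/svg+xml`, and puts no bound on the base64 body, so I would restrict it to a raster allowlist and the base64 alphabet. The regexp is also compiled on every call, twice, in the two fallback paths; the two branches are identical and can be collapsed onto one package-level pattern. I'd precede the parse with an attribute-breakout check such as `if strings.ContainsAny(src, "\"'<>\t\r\n ") { return false }` (assuming `strings` is already imported; the visible import hunk does not show it). The rewritten function is sketched below; isValidSrc is fully contained in this hunk.
```go
// dataImageRe accepts only raster image data URIs with a well-formed base64 body;
// SVG is excluded because it can carry script.
var dataImageRe = regexp.MustCompile(`^data:image/(png|jpe?g|gif|webp|bmp);base64,[A-Za-z0-9+/]+={0,2}$`)

func isValidSrc(src string) bool {
	// Reject characters that could break out of a quoted src attribute before inspecting the scheme.
	if strings.ContainsAny(src, "\"'<>\t\r\n ") {
		return false
	}
	parsedURL, err := url.Parse(src)
	if err != nil || parsedURL.Host == "" || (parsedURL.Scheme != "http" && parsedURL.Scheme != "https") {
		return dataImageRe.MatchString(src)
	}
	return true
}
```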
|