Merge branch 'cherry-pick-cc9113ed' into 'develop'

Merge branch 'hotfix/html注入安全性修复' into 'master' See merge request o2oa/o2oa!2623

Merge branch 'cherry-pick-cc9113ed' into 'develop'
Merge branch 'hotfix/html注入安全性修复' into 'master' See merge request o2oa/o2oa!2623
709d6893 · NoSubject · cac1e731 · 97a29ff8 · 709d6893 · 709d6893
5 changed file
--- a/o2web/source/o2_core/o2/xDesktop/Actions/RestActions.js
+++ b/o2web/source/o2_core/o2/xDesktop/Actions/RestActions.js
@@ -495,7 +495,7 @@ MWF.xDesktop.Actions.RestActions = new Class({
            var msg = {
                "subject": MWF.LP.desktop.action.uploadTitle,
                //"content": MWF.LP.desktop.action.uploadTitle+" : "+file.name+"<br/>"+contentHTML
-                "content": ( file.name ? (file.name+"<br/>") : "" )+contentHTML
+                "content": ( file.name ? (o2.txt(file.name)+"<br/>") : "" )+contentHTML
            };

            var messageItem = layout.desktop.message.addMessage(msg);
@@ -504,7 +504,7 @@ MWF.xDesktop.Actions.RestActions = new Class({
            messageItem.close = function(callback, e){
                if (this.status=="progress"){
                    var flag = false;
-                    var name = (file.name||"");
+                    var name = o2.txt(file.name||"");
                    name = name.length > 50 ? name.substr(0, 50)+"..." : name;
                    var text = MWF.LP.desktop.action.cancelUpload.replace(/{name}/g, (name));
                    MWF.xDesktop.confirm("wram", e, MWF.LP.desktop.action.cancelUploadTitle, text, "400", "180", function(){

--- a/o2web/source/o2_core/o2/xDesktop/Authentication.js
+++ b/o2web/source/o2_core/o2/xDesktop/Authentication.js
@@ -1816,8 +1816,8 @@ MWF.xDesktop.Authentication.ResetPasswordForm = new Class({
                    name: {
                        text: this.lp.userName, defaultValue: this.lp.userName, className: "inputUser",
                        notEmpty: true, defaultValueAsEmpty: true, emptyTip: this.lp.inputYourUserName,
-                        validRule: { isInvalid: function (value, it) { return this.checkUserName(value, it); }.bind(this) },
-                        validMessage: { isInvalid: this.lp.userNotExist },
+                        // validRule: { isInvalid: function (value, it) { return this.checkUserName(value, it); }.bind(this) },
+                        // validMessage: { isInvalid: this.lp.userNotExist },
                        event: {
                            focus: function (it) { if (this.lp.userName === it.getValue()) it.setValue(""); if (!it.warningStatus) it.getElements()[0].setStyles(this.css.inputActive); }.bind(this),
                            blur: function (it) { if (it.getValue() === "") it.setValue(this.lp.userName); if (!it.warningStatus) it.getElements()[0].setStyles(this.css.inputUser); }.bind(this),

--- a/o2web/source/x_component_Org/List.js
+++ b/o2web/source/x_component_Org/List.js
@@ -38,7 +38,7 @@ MWF.xApplication.Org.List = new Class({
        var html = "<table cellspacing='0' cellpadding='5' border='0' width='80%' align='center' style='line-height:normal; clear: both;'>";
        html += "<tr><th style='width:20px'></th>";
        headers.each(function(title){
-            html += "<th style='"+title.style+"'>"+title.text+"</th>";
+            html += "<th style='"+title.style+"'>"+o2.txt(title.text)+"</th>";
        }.bind(this));
        html += "</table>";
        this.contentNode.set("html", html);
@@ -176,7 +176,7 @@ MWF.xApplication.Org.List.Item = new Class({
                    }else{
                        var v = this.data[at];
                        if (typeOf(v)==="array") v = v.join(",");
-                        td.set("text", v);
+                        td.set("text", o2.txt(v) );
                    }
                }else{
                    td.set("text", "");
@@ -209,7 +209,7 @@ MWF.xApplication.Org.List.Item = new Class({
                if (n==="icon"){
                    rows.push("<div>cc</div>");
                }else{
-                    rows.push(this.data[n]);
+                    rows.push(typeOf(this.data[n])==='string' ? o2.txt(this.data[n]) : this.data[n]);
                }
            }else{
                rows.push("");

--- a/o2web/source/x_component_Org/PersonExplorer.js
+++ b/o2web/source/x_component_Org/PersonExplorer.js
@@ -345,7 +345,7 @@ MWF.xApplication.Org.PersonExplorer.PersonContent = new Class({
                }
            }, {
                "getHtml": function(){
-                    return "<div style='word-break: break-word;'>"+this.distinguishedName+"</div>";
+                    return "<div style='word-break: break-word;'>"+o2.txt(this.distinguishedName)+"</div>";
                },
                //"get": function(){ return this.distinguishedName; },
                "set": function(value){ this.distinguishedName = value; }

--- a/o2web/source/x_component_cms_Xform/Form.js
+++ b/o2web/source/x_component_cms_Xform/Form.js
@@ -1126,7 +1126,7 @@ MWF.xApplication.cms.Xform.Form = MWF.CMSForm = new Class(
            if (!flag) flag = MWF.xApplication.cms.Xform.LP.notValidation;
            if (typeOf(flag) === "string") {
                if (flag !== "true") {
-                    this.app.notice(flag, "error");
+                    this.app.notice(o2.txt(flag), "error");
                    return false;
                }
            } else if (flag.toString() != "true") {
@@ -1141,7 +1141,7 @@ MWF.xApplication.cms.Xform.Form = MWF.CMSForm = new Class(
            if (!flag) flag = MWF.xApplication.cms.Xform.LP.notValidation;
            if (typeOf(flag) === "string") {
                if (flag !== "true") {
-                    this.app.notice(flag, "error");
+                    this.app.notice(o2.txt(flag), "error");
                    return false;
                }
            } else if (flag.toString() != "true") {
@@ -1219,7 +1219,7 @@ MWF.xApplication.cms.Xform.Form = MWF.CMSForm = new Class(
                    this.closeWindowOnMobile();
                } else {
                    if (this.businessData.document.title) {
-                        this.app.notice(MWF.xApplication.cms.Xform.LP.documentDelayedPublished + ": “" + this.businessData.document.title + "”", "success");
+                        this.app.notice(MWF.xApplication.cms.Xform.LP.documentDelayedPublished + ": “" + o2.txt(this.businessData.document.title) + "”", "success");
                    } else {
                        this.app.notice(MWF.xApplication.cms.Xform.LP.documentDelayedPublished, "success");
                    }
@@ -1293,7 +1293,7 @@ MWF.xApplication.cms.Xform.Form = MWF.CMSForm = new Class(
                    } else {
                        if( slience !== true ){
                            if (this.businessData.document.title) {
-                                this.app.notice(MWF.xApplication.cms.Xform.LP.documentPublished + ": “" + this.businessData.document.title + "”", "success");
+                                this.app.notice(MWF.xApplication.cms.Xform.LP.documentPublished + ": “" + o2.txt(this.businessData.document.title ) + "”", "success");
                            } else {
                                this.app.notice(MWF.xApplication.cms.Xform.LP.documentPublished, "success");
                            }
@@ -1427,7 +1427,7 @@ MWF.xApplication.cms.Xform.Form = MWF.CMSForm = new Class(
                this.documentAction.removeDocument(this.businessData.document.id, function (json) {
                    this.fireEvent("afterDelete");
                    if (this.app && this.app.fireEvent) this.app.fireEvent("afterDelete");
-                    this.app.notice(MWF.xApplication.cms.Xform.LP.documentDelete + ": “" + this.businessData.document.title + "”", "success");
+                    this.app.notice(MWF.xApplication.cms.Xform.LP.documentDelete + ": “" + o2.txt(this.businessData.document.title) + "”", "success");
                    this.options.autoSave = false;
                    this.options.saveOnClose = false;
                    this.fireEvent("postDelete");
@@ -1473,7 +1473,7 @@ MWF.xApplication.cms.Xform.Form = MWF.CMSForm = new Class(
                        debugger;
                        _self.fireEvent("afterDelete");
                        if (_self.app && _self.app.fireEvent) _self.app.fireEvent("afterDelete");
-                        _self.app.notice(MWF.xApplication.cms.Xform.LP.documentDelete + ": “" + _self.businessData.document.title + "”", "success");
+                        _self.app.notice(MWF.xApplication.cms.Xform.LP.documentDelete + ": “" + o2.txt(_self.businessData.document.title) + "”", "success");
                        _self.options.autoSave = false;
                        _self.options.saveOnClose = false;
                        _self.fireEvent("postDelete");