修补xss攻击漏洞，对用户编辑数据进行了处理

app/appfront/modules/Catalogsearch/block/index/Index.php

@@ -364,6 +364,7 @@ class Index {
 		//$category 	= Yii::$service->category->getByPrimaryKey($primaryVal);
 		//$this->_category = $category ;
 		$searchText = Yii::$app->request->get('q');
+		$searchText = \yii\helpers\Html::encode($searchText);
 		$this->_searchText = $searchText;
 		$search_page_title_format 			= Yii::$app->controller->module->params['search_page_title_format'];
 		$search_page_meta_keywords_format 	= Yii::$app->controller->module->params['search_page_meta_keywords_format'];

app/appfront/modules/Checkout/block/onepage/Index.php

@@ -116,7 +116,7 @@ class Index {
 		}
 		$this->_address = $address_info;
 		$this->_address_list = Yii::$service->customer->address->currentAddressList();
-		//var_dump($this->_address_list);
+		//var_dump($this->_address_list); 
 		# 如果购物车存在customer_address_id，而且用户地址中也存在customer_address_id
 		# 则执行if{}内代码。
 		if($address_id && isset($this->_address_list[$address_id]) && !empty($this->_address_list[$address_id])){
@@ -251,6 +251,7 @@ class Index {
 	 */
 	public function ajaxChangecountry(){
 		$country = Yii::$app->request->get('country');
+		$country = \yii\helpers\Html::encode($country);
 		$state = $this->initState($country);
 		echo json_encode([
 			'state' => $this->_stateHtml,
@@ -472,6 +473,10 @@ class Index {
 		$shipping_method 	= Yii::$app->request->get('shipping_method');
 		$address_id 		= Yii::$app->request->get('address_id');
 		$state 				= Yii::$app->request->get('state');
+		$country			= \yii\helpers\Html::encode($country);
+		$shipping_method	= \yii\helpers\Html::encode($shipping_method);
+		$address_id			= \yii\helpers\Html::encode($address_id);
+		$state				= \yii\helpers\Html::encode($state);
 		if($address_id){
 			$this->_address_id = $address_id;
 			$addressModel = Yii::$service->customer->address->getByPrimaryKey($this->_address_id);

app/appfront/modules/Checkout/block/onepage/Placeorder.php

@@ -33,6 +33,9 @@ class Placeorder{
 	public function getLastData(){
 		$post = Yii::$app->request->post();
 		if(is_array($post) && !empty($post)){
+			foreach($post as $k=>$v){
+				$post[$k] = \yii\helpers\Html::encode($v);;
+			}
 			# 检查前台传递的数据的完整性
 			if($this->checkOrderInfoAndInit($post)){
 				# 如果游客用户勾选了注册账号，则注册，登录，并把地址写入到用户的address中

app/appfront/modules/Checkout/controllers/CartController.php

@@ -31,6 +31,9 @@ class CartController extends AppfrontController
 		$custom_option 	= Yii::$app->request->post('custom_option');
 		$product_id 	= Yii::$app->request->post('product_id');
 		$qty 			= Yii::$app->request->post('qty');
+		$custom_option  = \yii\helpers\Html::encode($custom_option);
+		$product_id  	= \yii\helpers\Html::encode($product_id);
+		$qty  			= \yii\helpers\Html::encode($qty);
 		$qty  = abs(ceil((int)$qty));
 		if($qty  && $product_id){
 			if($custom_option){
@@ -79,7 +82,7 @@ class CartController extends AppfrontController
 			exit;
 		}
 		$coupon_code = trim(Yii::$app->request->post('coupon_code'));
-		
+		$coupon_code = \yii\helpers\Html::encode($coupon_code);
 		if($coupon_code){
 			Yii::$service->cart->coupon->addCoupon($coupon_code);
 			$error_arr = Yii::$service->helper->errors->get(true);

app/appfront/modules/Customer/block/address/Edit.php

@@ -27,6 +27,9 @@ class Edit {
 		$address = Yii::$app->request->post('address');
 		$isSave = 0;
 		if(is_array($address) && !empty($address)){
+			foreach($address as $k => $v){
+				$address[$k] = \yii\helpers\Html::encode($v);
+			}
 			$this->save($address);
 			$isSave = 1;
 		}

app/appfront/modules/Customer/block/contacts/Index.php

@@ -35,6 +35,11 @@ class Index {
 		
 		
 		$editForm 	= Yii::$app->request->post('editForm');
+		if(is_array($editForm) && !empty($editForm)){
+			foreach($editForm as $k=>$v){
+				$editForm[$k] = \yii\helpers\Html::encode($v);
+			}
+		}
 		$name 		= isset($editForm['name']) ? $editForm['name'] : '';
 		$email		= isset($editForm['email']) ? $editForm['email'] : '';
 		$telephone	= isset($editForm['telephone']) ? $editForm['telephone'] : '';
@@ -87,6 +92,7 @@ class Index {
 		}
 		
 		$captcha = Yii::$app->request->post('sercrity_code');
+		$captcha = \yii\helpers\Html::encode($captcha);
 		$contacts = Yii::$app->getModule("customer")->params['contacts'];
 		$contactsCaptcha = isset($contacts['contactsCaptcha']) ? $contacts['contactsCaptcha'] : false;
 		

app/appfront/modules/Customer/block/editaccount/Index.php

@@ -31,62 +31,66 @@ class Index {
 	 * 保存修改后的用户信息。
 	 */
 	public function saveAccount($editForm){
-		
-		$identity = Yii::$app->user->identity;
-		$firstname 			= $editForm['firstname'] ? $editForm['firstname'] : '';
-		$lastname 			= $editForm['lastname'] ? $editForm['lastname'] : '';
-		$current_password 	= $editForm['current_password'] ? $editForm['current_password'] : '';
-		$password 			= $editForm['password'] ? $editForm['password'] : '';
-		$confirmation 		= $editForm['confirmation'] ? $editForm['confirmation'] : '';
-		$change_password 	= $editForm['change_password'] ? $editForm['change_password'] : '';
-		
-		
-		if(!$firstname || !$lastname){
-			Yii::$service->page->message->addError('first name and last name can not empty');
-			return;
-		}
-		
-		if($change_password){
-			if(!$current_password){
-				Yii::$service->page->message->addError('current password can not empty');
-				return;
+		if(is_array($editForm) && !empty($editForm)){
+			foreach($editForm as $k=>$v){
+				$editForm[$k] = \yii\helpers\Html::encode($v);
 			}
+			$identity = Yii::$app->user->identity;
+			$firstname 			= $editForm['firstname'] ? $editForm['firstname'] : '';
+			$lastname 			= $editForm['lastname'] ? $editForm['lastname'] : '';
+			$current_password 	= $editForm['current_password'] ? $editForm['current_password'] : '';
+			$password 			= $editForm['password'] ? $editForm['password'] : '';
+			$confirmation 		= $editForm['confirmation'] ? $editForm['confirmation'] : '';
+			$change_password 	= $editForm['change_password'] ? $editForm['change_password'] : '';
 			
-			if(!$password || !$confirmation){
-				Yii::$service->page->message->addError('password and confirmation password can not empty');
-				return;
-			}
 			
-			if($password != $confirmation){
-				Yii::$service->page->message->addError('password and confirmation password  must be equal');
+			if(!$firstname || !$lastname){
+				Yii::$service->page->message->addError('first name and last name can not empty');
 				return;
 			}
 			
-			if(!$identity->validatePassword($current_password)){
-				Yii::$service->page->message->addError('Current password is not right,If you forget your password, you can retrieve your password by forgetting your password in login page');
-				return;
+			if($change_password){
+				if(!$current_password){
+					Yii::$service->page->message->addError('current password can not empty');
+					return;
+				}
+				
+				if(!$password || !$confirmation){
+					Yii::$service->page->message->addError('password and confirmation password can not empty');
+					return;
+				}
+				
+				if($password != $confirmation){
+					Yii::$service->page->message->addError('password and confirmation password  must be equal');
+					return;
+				}
+				
+				if(!$identity->validatePassword($current_password)){
+					Yii::$service->page->message->addError('Current password is not right,If you forget your password, you can retrieve your password by forgetting your password in login page');
+					return;
+				}
+				$identity->password =  $password;
 			}
-			$identity->password =  $password;
-		}
-		$identity->firstname =  $firstname;
-		$identity->lastname  =  $lastname;
-		
-		if($identity->validate()){
-			$identity->save();
-			Yii::$service->page->message->addCorrect('edit account info success');
-			return true;
-		}else{
-			$errors = $identity->errors;
-			if(is_array($errors) && !empty($errors)){
-				foreach($errors as $error){
-					if(is_array($error) && !empty($error)){
-						foreach($error as $er){
-							Yii::$service->page->message->addError($er);
+			$identity->firstname =  $firstname;
+			$identity->lastname  =  $lastname;
+			
+			if($identity->validate()){
+				$identity->save();
+				Yii::$service->page->message->addCorrect('edit account info success');
+				return true;
+			}else{
+				$errors = $identity->errors;
+				if(is_array($errors) && !empty($errors)){
+					foreach($errors as $error){
+						if(is_array($error) && !empty($error)){
+							foreach($error as $er){
+								Yii::$service->page->message->addError($er);
+							}
 						}
 					}
-				}
-			} 
-			
+				} 
+				
+			}
 		}
 	}
 	

app/appfront/modules/Customer/block/newsletter/Index.php

@@ -20,6 +20,7 @@ class Index {
 	
 	public function getLastData(){
 		$email = Yii::$app->request->get('email');
+		$email = \yii\helpers\Html::encode($email);
 		$status = Yii::$service->customer->newsletter->subscribe($email);
 		$message = Yii::$service->helper->errors->get();
 		if(!$message){

app/appfront/modules/Customer/controllers/AccountController.php

@@ -62,7 +62,11 @@ class AccountController extends AppfrontController
 	public function actionRegister()
     {
 		$param = Yii::$app->request->post('editForm');
-		if(!empty($param)){
+		
+		if(!empty($param) && is_array($param)){
+			foreach($param as $k => $v){
+				$param[$k] = \yii\helpers\Html::encode($v);
+			}
 			$registerStatus = $this->getBlock()->register($param);
 			//echo $registerStatus;exit;
 			if($registerStatus){
@@ -96,6 +100,7 @@ class AccountController extends AppfrontController
 		}
 		if($rt){
 			$redirectUrl = base64_decode($rt);
+			$redirectUrl = \yii\helpers\Html::encode($redirectUrl);
 			//exit;
 			Yii::$service->url->redirect($redirectUrl);
 		}else{

app/appfront/modules/Payment/block/paypal/express/Placeorder.php

@@ -35,6 +35,9 @@ class Placeorder {
 	public function getLastData(){
 		$post = Yii::$app->request->post();
 		if(is_array($post) && !empty($post)){
+			foreach($post as $k=>$v){
+				$post[$k] = \yii\helpers\Html::encode($v);
+			}
 			# 设置paypal快捷支付
 			$post['payment_method'] = Yii::$service->payment->paypal->express_payment_method;
 			# 检查前台传递的数据的完整性

app/appfront/modules/Payment/block/paypal/express/Review.php

@@ -226,6 +226,7 @@ class Review {
 	 */
 	public function ajaxChangecountry(){
 		$country = Yii::$app->request->get('country');
+		$country = \yii\helpers\Html::encode($country);
 		$state = $this->initState($country);
 		echo json_encode([
 			'state' => $this->_stateHtml,

app/appfront/modules/Payment/controllers/paypal/StandardController.php

@@ -34,7 +34,13 @@ class StandardController extends AppfrontController
 	
 	
 	public function actionIpn(){
-		Yii::$service->payment->paypal->receiveIpn();
+		$post = Yii::$app->request->post();
+		if(is_array($post) && !empty($post)){
+			foreach($post as $k=>$v){
+				$post[$k] = \yii\helpers\Html::encode($v);
+			}
+			Yii::$service->payment->paypal->receiveIpn($post);
+		}
 	}
 	
 	public function actionCancel(){

app/appfront/theme/base/front/catalog/category/index/filter/refineby.php

@@ -3,8 +3,8 @@
 		<div class="filter_attr_title"><?= Yii::$service->page->translate->__('Refine By'); ?></div>
 		<div class="filter_refine_by_content">
 		<?php foreach($parentThis['refine_by_info'] as $one){  ?>
-			<?php $name = $one['name'];  ?>
-			<?php $url 	= $one['url']; ?>
+			<?php $name = \yii\helpers\Html::encode($one['name']);  ?>
+			<?php $url 	= \yii\helpers\Html::encode($one['url']); ?>
 			<div><a href="<?= $url ?>"><i class="closeBtn c_tagbg"></i><span><?= Yii::$service->page->translate->__($name); ?></span></a></div>
 		<?php } ?>
 		</div>

app/appfront/theme/base/front/widgets/topsearch.php

 <form method="get" name="searchFrom" class="js_topSeachForm" action="<?= Yii::$service->url->getUrl('catalogsearch/index');   ?>">
 	<div class="top_seachBox">
 		<div class="searchInput fl">
-			<input type="text"  value="<?=  Yii::$app->request->get('q');  ?>" maxlength="150" placeholder="<?= Yii::$service->page->translate->__('Products keyword'); ?>" class="searchArea js_k2 ac_input" name="q">
+			<input type="text"  value="<?=  \yii\helpers\Html::encode(Yii::$app->request->get('q'));  ?>" maxlength="150" placeholder="<?= Yii::$service->page->translate->__('Products keyword'); ?>" class="searchArea js_k2 ac_input" name="q">
 		</div>
 		<button class="fl js_topSearch seachBtn" type="submit"><span class="t_hidden">search</span></button>
 		<!-- <input type="hidden" class="category" value="0" name="category"> -->

services/payment/Paypal.php

@@ -60,8 +60,8 @@ class Paypal extends Service
 	 * 进而fecshop更改订单状态。
 	 * fecshop一方面验证消息是否由paypal发出，另一方面要验证订单是否和后台的一致。
 	 */
-	public function receiveIpn(){
-		if($this->verifySecurity()){
+	public function receiveIpn($post){
+		if($this->verifySecurity($post)){
 			# 验证数据是否已经发送
 			if($this->isNotDuplicate()){
 				# 验证数据是否被篡改。
@@ -83,8 +83,9 @@ class Paypal extends Service
 	 * 因此，fecshop将接收到的参数传递给paypal，询问paypal是否是paypal
 	 * 发送的IPN消息，如果是，则返回VERIFIED。
 	 */
-	protected function verifySecurity(){
-		$this->_postData = Yii::$app->request->post();
+	protected function verifySecurity($post){
+		
+		$this->_postData = $post;
 		Yii::$service->payment->setPaymentMethod('paypal_standard');
 		$verifyUrl = $this->getVerifyUrl();
 		$verifyReturn = $this->curlGet($verifyUrl);
@@ -508,6 +509,7 @@ class Paypal extends Service
 	 */
 	public function setExpressToken(){
 		$token = Yii::$app->request->get('token');
+		$token = \yii\helpers\Html::encode($token);
 		if($token){
 			Yii::$app->session->set(self::EXPRESS_TOKEN,$token);
 			return true;
@@ -519,6 +521,7 @@ class Paypal extends Service
 	 */
 	public function setExpressPayerID(){
 		$PayerID = Yii::$app->request->get('PayerID');
+		$PayerID = \yii\helpers\Html::encode($PayerID);
 		if($PayerID){
 			Yii::$app->session->set(self::EXPRESS_PAYER_ID,$PayerID);
 			return true;