From 28a77f7704a6e9fec4dbedb0e87e1f1297a7d4c1 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 14 Apr 2017 17:47:23 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E8=A1=A5xss=E6=94=BB=E5=87=BB?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E=EF=BC=8C=E5=AF=B9=E7=94=A8=E6=88=B7=E7=BC=96?=
 =?UTF-8?q?=E8=BE=91=E6=95=B0=E6=8D=AE=E8=BF=9B=E8=A1=8C=E4=BA=86=E5=A4=84?=
 =?UTF-8?q?=E7=90=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../Catalogsearch/block/index/Index.php | 1 +
 .../modules/Checkout/block/onepage/Index.php | 7 +-
 .../Checkout/block/onepage/Placeorder.php | 3 +
 .../Checkout/controllers/CartController.php | 5 +-
 .../modules/Customer/block/address/Edit.php | 3 +
 .../modules/Customer/block/contacts/Index.php | 6 ++
 .../Customer/block/editaccount/Index.php | 98 ++++++++++---------
 .../Customer/block/newsletter/Index.php | 1 +
 .../controllers/AccountController.php | 7 +-
 .../block/paypal/express/Placeorder.php | 3 +
 .../Payment/block/paypal/express/Review.php | 1 +
 .../controllers/paypal/StandardController.php | 8 +-
 .../category/index/filter/refineby.php | 4 +-
 .../theme/base/front/widgets/topsearch.php | 2 +-
 services/payment/Paypal.php | 11 ++-
 15 files changed, 102 insertions(+), 58 deletions(-)

diff --git a/app/appfront/modules/Catalogsearch/block/index/Index.php b/app/appfront/modules/Catalogsearch/block/index/Index.php
index 1f211373..d72a42f9 100644
--- a/app/appfront/modules/Catalogsearch/block/index/Index.php
+++ b/app/appfront/modules/Catalogsearch/block/index/Index.php
@@ -364,6 +364,7 @@ class Index { //$category = Yii::$service->category->getByPrimaryKey($primaryVal); //$this->_category = $category ; $searchText = Yii::$app->request->get('q'); + $searchText = \yii\helpers\Html::encode($searchText); $this->_searchText = $searchText; $search_page_title_format = Yii::$app->controller->module->params['search_page_title_format']; $search_page_meta_keywords_format = Yii::$app->controller->module->params['search_page_meta_keywords_format']; diff --git a/app/appfront/modules/Checkout/block/onepage/Index.php b/app/appfront/modules/Checkout/block/onepage/Index.php index 2f6665b8..14876fff 100644 --- a/app/appfront/modules/Checkout/block/onepage/Index.php +++ b/app/appfront/modules/Checkout/block/onepage/Index.php @@ -116,7 +116,7 @@ class Index { } $this->_address = $address_info; $this->_address_list = Yii::$service->customer->address->currentAddressList(); - //var_dump($this->_address_list); + //var_dump($this->_address_list); # 如果购物车存在customer_address_id,而且用户地址中也存在customer_address_id # 则执行if{}内代码。 if($address_id && isset($this->_address_list[$address_id]) && !empty($this->_address_list[$address_id])){ @@ -251,6 +251,7 @@ class Index { */ public function ajaxChangecountry(){ $country = Yii::$app->request->get('country'); + $country = \yii\helpers\Html::encode($country); $state = $this->initState($country); echo json_encode([ 'state' => $this->_stateHtml, @@ -472,6 +473,10 @@ class Index { $shipping_method = Yii::$app->request->get('shipping_method'); $address_id = Yii::$app->request->get('address_id'); $state = Yii::$app->request->get('state'); + $country = \yii\helpers\Html::encode($country); + $shipping_method = \yii\helpers\Html::encode($shipping_method); + $address_id = \yii\helpers\Html::encode($address_id); + $state = \yii\helpers\Html::encode($state); if($address_id){ $this->_address_id = $address_id; $addressModel = Yii::$service->customer->address->getByPrimaryKey($this->_address_id); 
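Review bot: `Html::encode` is applied to `$searchText` at the input boundary, so the value that reaches the search backend and `$this->_searchText` is already entity-encoded: a query for `a&b` or `5"` is searched as `a&amp;b` / `5&quot;` and no longer matches stored product data, and any view that already escapes `_searchText` now double-encodes it. HTML escaping belongs at the point of output (`Html::encode` in the template that prints the term), with the raw string kept for searching and input validation (type, length, allowed characters) done separately. The same encode-at-input pattern is added in the `ajaxChangecountry`/`initState` hunks of `Checkout/block/onepage/Index.php` and `Payment/block/paypal/express/Review.php`, the `coupon_code` hunk of `CartController.php`, the `email` hunk of `newsletter/Index.php` and the `token`/`PayerID` hunks of `services/payment/Paypal.php`, where the encoded value is compared against or stored next to data that was never encoded. I would keep the raw value in all of these, escape in the views, and use a whitelist or type check where the value is an identifier. The enclosing method starts before and ends after the hunk.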
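Review bot: In the `@@ -472` hunk of `Checkout/block/onepage/Index.php` the encoded `$address_id` is passed straight to `getByPrimaryKey`, but HTML encoding is not a validation for a key: an id containing an entity-relevant character is silently altered rather than rejected, and a well-formed id is unchanged either way, so the line adds no protection. If address ids are integers in this installation, a cast states the intent and replaces the encode line: `$address_id = (int)Yii::$app->request->get('address_id');`; if ids can be non-numeric, a `preg_match` against the id format is the right guard. The enclosing method starts before and ends after the hunk.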
diff --git a/app/appfront/modules/Checkout/block/onepage/Placeorder.php b/app/appfront/modules/Checkout/block/onepage/Placeorder.php index 70f554f7..d6e71aef 100644 --- a/app/appfront/modules/Checkout/block/onepage/Placeorder.php +++ b/app/appfront/modules/Checkout/block/onepage/Placeorder.php @@ -33,6 +33,9 @@ class Placeorder{ public function getLastData(){ $post = Yii::$app->request->post(); if(is_array($post) && !empty($post)){ + foreach($post as $k=>$v){ + $post[$k] = \yii\helpers\Html::encode($v);; + } # 检查前台传递的数据的完整性 if($this->checkOrderInfoAndInit($post)){ # 如果游客用户勾选了注册账号,则注册,登录,并把地址写入到用户的address中 diff --git a/app/appfront/modules/Checkout/controllers/CartController.php b/app/appfront/modules/Checkout/controllers/CartController.php index 4dc120d3..5ce7b596 100644 --- a/app/appfront/modules/Checkout/controllers/CartController.php +++ b/app/appfront/modules/Checkout/controllers/CartController.php @@ -31,6 +31,9 @@ class CartController extends AppfrontController $custom_option = Yii::$app->request->post('custom_option'); $product_id = Yii::$app->request->post('product_id'); $qty = Yii::$app->request->post('qty'); + $custom_option = \yii\helpers\Html::encode($custom_option); + $product_id = \yii\helpers\Html::encode($product_id); + $qty = \yii\helpers\Html::encode($qty); $qty = abs(ceil((int)$qty)); if($qty && $product_id){ if($custom_option){ @@ -79,7 +82,7 @@ class CartController extends AppfrontController exit; } $coupon_code = trim(Yii::$app->request->post('coupon_code')); - + $coupon_code = \yii\helpers\Html::encode($coupon_code); if($coupon_code){ Yii::$service->cart->coupon->addCoupon($coupon_code); $error_arr = Yii::$service->helper->errors->get(true); diff --git a/app/appfront/modules/Customer/block/address/Edit.php b/app/appfront/modules/Customer/block/address/Edit.php index 3784c0c8..11dad785 100644 --- a/app/appfront/modules/Customer/block/address/Edit.php +++ b/app/appfront/modules/Customer/block/address/Edit.php 
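Review bot: The new loop in `getLastData` encodes each top-level POST value, but `Html::encode` expects a string; if any field is posted as an array (nested form fields such as an address group), depending on the Yii version `htmlspecialchars` either emits a warning and yields `null` or the literal `"Array"`, so that part of the order data is destroyed before `checkOrderInfoAndInit` sees it. Either skip or recurse into values for which `is_array($v)` is true; the same non-recursive loop is added in `Customer/block/address/Edit.php`, `Customer/block/contacts/Index.php`, `Customer/block/editaccount/Index.php`, `Customer/controllers/AccountController.php`, `Payment/block/paypal/express/Placeorder.php` and `Payment/controllers/paypal/StandardController.php`. The line `$post[$k] = \yii\helpers\Html::encode($v);;` also carries a stray second semicolon. The enclosing method continues past the hunk.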
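Review bot: In the first hunk of `CartController.php` the line `$qty = \yii\helpers\Html::encode($qty);` is dead, because the very next line reduces `$qty` to `abs(ceil((int)$qty))`, and `$product_id` is a lookup key for which a type or format check (cast to int, or a `preg_match` on the id alphabet) is the meaningful guard rather than HTML encoding. If `custom_option` is posted as an array of selected options, which the name suggests but the hunk does not show, the encode call receives a non-string and the options are lost before the `if($custom_option)` branch. I would drop the three encode lines, cast `$product_id` the same way `$qty` is cast, and leave escaping to the templates. The enclosing action starts before and ends after the hunk.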
@@ -27,6 +27,9 @@ class Edit { $address = Yii::$app->request->post('address'); $isSave = 0; if(is_array($address) && !empty($address)){ + foreach($address as $k => $v){ + $address[$k] = \yii\helpers\Html::encode($v); + } $this->save($address); $isSave = 1; } diff --git a/app/appfront/modules/Customer/block/contacts/Index.php b/app/appfront/modules/Customer/block/contacts/Index.php index 5b8cb9d0..e7c5df63 100644 --- a/app/appfront/modules/Customer/block/contacts/Index.php +++ b/app/appfront/modules/Customer/block/contacts/Index.php @@ -35,6 +35,11 @@ class Index { $editForm = Yii::$app->request->post('editForm'); + if(is_array($editForm) && !empty($editForm)){ + foreach($editForm as $k=>$v){ + $editForm[$k] = \yii\helpers\Html::encode($v); + } + } $name = isset($editForm['name']) ? $editForm['name'] : ''; $email = isset($editForm['email']) ? $editForm['email'] : ''; $telephone = isset($editForm['telephone']) ? $editForm['telephone'] : ''; @@ -87,6 +92,7 @@ class Index { } $captcha = Yii::$app->request->post('sercrity_code'); + $captcha = \yii\helpers\Html::encode($captcha); $contacts = Yii::$app->getModule("customer")->params['contacts']; $contactsCaptcha = isset($contacts['contactsCaptcha']) ? $contacts['contactsCaptcha'] : false; diff --git a/app/appfront/modules/Customer/block/editaccount/Index.php b/app/appfront/modules/Customer/block/editaccount/Index.php index fc59b61d..ff156c62 100644 --- a/app/appfront/modules/Customer/block/editaccount/Index.php +++ b/app/appfront/modules/Customer/block/editaccount/Index.php 
@@ -31,62 +31,66 @@ class Index { * 保存修改后的用户信息。 */ public function saveAccount($editForm){ - - $identity = Yii::$app->user->identity; - $firstname = $editForm['firstname'] ? $editForm['firstname'] : ''; - $lastname = $editForm['lastname'] ? $editForm['lastname'] : ''; - $current_password = $editForm['current_password'] ? $editForm['current_password'] : ''; - $password = $editForm['password'] ? $editForm['password'] : ''; - $confirmation = $editForm['confirmation'] ? $editForm['confirmation'] : ''; - $change_password = $editForm['change_password'] ? $editForm['change_password'] : ''; - - - if(!$firstname || !$lastname){ - Yii::$service->page->message->addError('first name and last name can not empty'); - return; - } - - if($change_password){ - if(!$current_password){ - Yii::$service->page->message->addError('current password can not empty'); - return; + if(is_array($editForm) && !empty($editForm)){ + foreach($editForm as $k=>$v){ + $editForm[$k] = \yii\helpers\Html::encode($v); } + $identity = Yii::$app->user->identity; + $firstname = $editForm['firstname'] ? $editForm['firstname'] : ''; + $lastname = $editForm['lastname'] ? $editForm['lastname'] : ''; + $current_password = $editForm['current_password'] ? $editForm['current_password'] : ''; + $password = $editForm['password'] ? $editForm['password'] : ''; + $confirmation = $editForm['confirmation'] ? $editForm['confirmation'] : ''; + $change_password = $editForm['change_password'] ? 
$editForm['change_password'] : ''; - if(!$password || !$confirmation){ - Yii::$service->page->message->addError('password and confirmation password can not empty'); - return; - } - if($password != $confirmation){ - Yii::$service->page->message->addError('password and confirmation password must be equal'); + if(!$firstname || !$lastname){ + Yii::$service->page->message->addError('first name and last name can not empty'); return; } - if(!$identity->validatePassword($current_password)){ - Yii::$service->page->message->addError('Current password is not right,If you forget your password, you can retrieve your password by forgetting your password in login page'); - return; + if($change_password){ + if(!$current_password){ + Yii::$service->page->message->addError('current password can not empty'); + return; + } + + if(!$password || !$confirmation){ + Yii::$service->page->message->addError('password and confirmation password can not empty'); + return; + } + + if($password != $confirmation){ + Yii::$service->page->message->addError('password and confirmation password must be equal'); + return; + } + + if(!$identity->validatePassword($current_password)){ + Yii::$service->page->message->addError('Current password is not right,If you forget your password, you can retrieve your password by forgetting your password in login page'); + return; + } + $identity->password = $password; } - $identity->password = $password; - } - $identity->firstname = $firstname; - $identity->lastname = $lastname; - - if($identity->validate()){ - $identity->save(); - Yii::$service->page->message->addCorrect('edit account info success'); - return true; - }else{ - $errors = $identity->errors; - if(is_array($errors) && !empty($errors)){ - foreach($errors as $error){ - if(is_array($error) && !empty($error)){ - foreach($error as $er){ - Yii::$service->page->message->addError($er); + $identity->firstname = $firstname; + $identity->lastname = $lastname; + + if($identity->validate()){ + $identity->save(); + 
Yii::$service->page->message->addCorrect('edit account info success'); + return true; + }else{ + $errors = $identity->errors; + if(is_array($errors) && !empty($errors)){ + foreach($errors as $error){ + if(is_array($error) && !empty($error)){ + foreach($error as $er){ + Yii::$service->page->message->addError($er); + } } } - } - } - + } + + } } } diff --git a/app/appfront/modules/Customer/block/newsletter/Index.php b/app/appfront/modules/Customer/block/newsletter/Index.php index bfa1d90a..e8813780 100644 --- a/app/appfront/modules/Customer/block/newsletter/Index.php +++ b/app/appfront/modules/Customer/block/newsletter/Index.php @@ -20,6 +20,7 @@ class Index { public function getLastData(){ $email = Yii::$app->request->get('email'); + $email = \yii\helpers\Html::encode($email); $status = Yii::$service->customer->newsletter->subscribe($email); $message = Yii::$service->helper->errors->get(); if(!$message){ diff --git a/app/appfront/modules/Customer/controllers/AccountController.php b/app/appfront/modules/Customer/controllers/AccountController.php index c414ca36..a5ed4c0c 100644 --- a/app/appfront/modules/Customer/controllers/AccountController.php +++ b/app/appfront/modules/Customer/controllers/AccountController.php @@ -62,7 +62,11 @@ class AccountController extends AppfrontController public function actionRegister() { $param = Yii::$app->request->post('editForm'); - if(!empty($param)){ + + if(!empty($param) && is_array($param)){ + foreach($param as $k => $v){ + $param[$k] = \yii\helpers\Html::encode($v); + } $registerStatus = $this->getBlock()->register($param); //echo $registerStatus;exit; if($registerStatus){ @@ -96,6 +100,7 @@ class AccountController extends AppfrontController } if($rt){ $redirectUrl = base64_decode($rt); + $redirectUrl = \yii\helpers\Html::encode($redirectUrl); //exit; Yii::$service->url->redirect($redirectUrl); }else{ 
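Review bot: `saveAccount` now HTML-encodes the whole of `$editForm` before `$current_password`, `$password` and `$confirmation` are read, so a password containing `&`, `<`, `>`, `"` or `'` is checked and stored in entity-encoded form: `validatePassword($current_password)` fails for an existing password with such a character, and a new password `a&b` is saved as the hash of `a&amp;b`, which the login path (not in this diff) presumably does not apply, locking the user out. Passwords are never rendered, so the three password keys should be skipped in the encoding loop (or only `firstname`/`lastname` encoded, and those better at output time). Two smaller points on the rewritten lines: `$editForm['firstname'] ? $editForm['firstname'] : ''` raises an undefined-index notice when the key is absent, so `isset($editForm['firstname']) ? $editForm['firstname'] : ''` is safer, and `if($password != $confirmation)` should use `!==`, since loose comparison treats numeric strings such as `'1e3'` and `'1000'` as equal. The same encoding of the posted `editForm` is added to `actionRegister` in `AccountController.php`, where the registration password is affected in the same way. The whole of `saveAccount` appears to lie inside this hunk.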
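Review bot: In the second hunk of `AccountController.php` the `rt` parameter is base64-decoded and handed to `redirect()` with only `Html::encode` in between, which neither constrains the destination nor fits the context: a URL with a query string comes out as `?a=1&amp;b=2`, while an absolute URL to another host is still followed, so the decoded `rt` value remains an unvalidated redirect target. Replace the encode line with a destination check such as `$host = parse_url($redirectUrl, PHP_URL_HOST); if ($host !== null && $host !== Yii::$app->request->hostName) { $redirectUrl = '/'; }` (adjust the fallback to the site's convention). The enclosing action starts before the hunk.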
diff --git a/app/appfront/modules/Payment/block/paypal/express/Placeorder.php b/app/appfront/modules/Payment/block/paypal/express/Placeorder.php index 98b178af..9f89ecb6 100644 --- a/app/appfront/modules/Payment/block/paypal/express/Placeorder.php +++ b/app/appfront/modules/Payment/block/paypal/express/Placeorder.php @@ -35,6 +35,9 @@ class Placeorder { public function getLastData(){ $post = Yii::$app->request->post(); if(is_array($post) && !empty($post)){ + foreach($post as $k=>$v){ + $post[$k] = \yii\helpers\Html::encode($v); + } # 设置paypal快捷支付 $post['payment_method'] = Yii::$service->payment->paypal->express_payment_method; # 检查前台传递的数据的完整性 diff --git a/app/appfront/modules/Payment/block/paypal/express/Review.php b/app/appfront/modules/Payment/block/paypal/express/Review.php index 47b2025e..e049a17a 100644 --- a/app/appfront/modules/Payment/block/paypal/express/Review.php +++ b/app/appfront/modules/Payment/block/paypal/express/Review.php @@ -226,6 +226,7 @@ class Review { */ public function ajaxChangecountry(){ $country = Yii::$app->request->get('country'); + $country = \yii\helpers\Html::encode($country); $state = $this->initState($country); echo json_encode([ 'state' => $this->_stateHtml, diff --git a/app/appfront/modules/Payment/controllers/paypal/StandardController.php b/app/appfront/modules/Payment/controllers/paypal/StandardController.php index e8cca137..af16954d 100644 --- a/app/appfront/modules/Payment/controllers/paypal/StandardController.php +++ b/app/appfront/modules/Payment/controllers/paypal/StandardController.php @@ -34,7 +34,13 @@ class StandardController extends AppfrontController public function actionIpn(){ - Yii::$service->payment->paypal->receiveIpn(); + $post = Yii::$app->request->post(); + if(is_array($post) && !empty($post)){ + foreach($post as $k=>$v){ + $post[$k] = \yii\helpers\Html::encode($v); + } + Yii::$service->payment->paypal->receiveIpn($post); + } } public function actionCancel(){ 
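Review bot: `actionIpn` now HTML-encodes every field of the PayPal IPN POST before handing it to `receiveIpn($post)`, but the IPN body is machine data that `verifySecurity` (see the `services/payment/Paypal.php` hunks in this diff, where it becomes `$this->_postData`) sends back to PayPal for validation, so a message containing `&`, `'` or `"` in a name or address field is altered before verification and can come back as not verified, and the order is never marked paid. The IPN payload is not rendered as HTML here; pass it through unchanged, `Yii::$service->payment->paypal->receiveIpn(Yii::$app->request->post());`, and escape individual fields only where they are later displayed. With the new guard an empty POST now silently does nothing, which is acceptable for an IPN endpoint but deserves a log line for incident investigation.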
diff --git a/app/appfront/theme/base/front/catalog/category/index/filter/refineby.php b/app/appfront/theme/base/front/catalog/category/index/filter/refineby.php index 9125aba3..41ac0f14 100644 --- a/app/appfront/theme/base/front/catalog/category/index/filter/refineby.php +++ b/app/appfront/theme/base/front/catalog/category/index/filter/refineby.php @@ -3,8 +3,8 @@
page->translate->__('Refine By'); ?>
- - + +
page->translate->__($name); ?>
diff --git a/app/appfront/theme/base/front/widgets/topsearch.php b/app/appfront/theme/base/front/widgets/topsearch.php index cf1466bb..7dc0caf1 100644 --- a/app/appfront/theme/base/front/widgets/topsearch.php +++ b/app/appfront/theme/base/front/widgets/topsearch.php @@ -1,7 +1,7 @@
- +
diff --git a/services/payment/Paypal.php b/services/payment/Paypal.php index 8f9345c4..49dd7fb3 100644 --- a/services/payment/Paypal.php +++ b/services/payment/Paypal.php @@ -60,8 +60,8 @@ class Paypal extends Service * 进而fecshop更改订单状态。 * fecshop一方面验证消息是否由paypal发出,另一方面要验证订单是否和后台的一致。 */ - public function receiveIpn(){ - if($this->verifySecurity()){ + public function receiveIpn($post){ + if($this->verifySecurity($post)){ # 验证数据是否已经发送 if($this->isNotDuplicate()){ # 验证数据是否被篡改。 @@ -83,8 +83,9 @@ class Paypal extends Service * 因此,fecshop将接收到的参数传递给paypal,询问paypal是否是paypal * 发送的IPN消息,如果是,则返回VERIFIED。 */ - protected function verifySecurity(){ - $this->_postData = Yii::$app->request->post(); + protected function verifySecurity($post){ + + $this->_postData = $post; Yii::$service->payment->setPaymentMethod('paypal_standard'); $verifyUrl = $this->getVerifyUrl(); $verifyReturn = $this->curlGet($verifyUrl); @@ -508,6 +509,7 @@ class Paypal extends Service */ public function setExpressToken(){ $token = Yii::$app->request->get('token'); + $token = \yii\helpers\Html::encode($token); if($token){ Yii::$app->session->set(self::EXPRESS_TOKEN,$token); return true; @@ -519,6 +521,7 @@ class Paypal extends Service */ public function setExpressPayerID(){ $PayerID = Yii::$app->request->get('PayerID'); + $PayerID = \yii\helpers\Html::encode($PayerID); if($PayerID){ Yii::$app->session->set(self::EXPRESS_PAYER_ID,$PayerID); return true; -- GitLab
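Review bot: `receiveIpn()` and `verifySecurity()` gain a required `$post` parameter in the first two hunks, which breaks any caller other than the updated `StandardController::actionIpn` (none is visible here, but `receiveIpn` is public). A default keeps the old contract working: `public function receiveIpn($post = null){` followed by `$post = $post === null ? Yii::$app->request->post() : $post;`, and likewise for `verifySecurity`. In the `setExpressToken`/`setExpressPayerID` hunks the encoded `token`/`PayerID` are written to the session and later sent to the PayPal API, so a format check (`preg_match` against the expected token alphabet, rejecting on mismatch) is the appropriate guard; HTML encoding would corrupt a value containing an entity character rather than reject it.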