(重要)修改前端提交问题描述和回答内容解析，防止xss注入

c666698e · huangxuan258 · 9b9a90a2 · c666698e · c666698e · c666698e
6 changed file
--- a/application/models/Answer_model.php
+++ b/application/models/Answer_model.php
@@ -23,7 +23,7 @@ class Answer_model extends CI_Model {
 			$answer ['format_time'] = tdate ( $answer ['time'] );
 			$answer ['appends'] = $this->get_appends ( $answer ['id'] );
 			$answer ['title'] = checkwordsglobal ( $answer ['title'] );
-			$answer ['content'] = checkwordsglobal (htmlspecialchars_decode( $answer ['content'] ));
+			$answer ['content'] = checkwordsglobal ( $answer ['content'] );
 		}
 		return $answer;
 	}
@@ -59,7 +59,7 @@ class Answer_model extends CI_Model {
 				$bestanswer ['total'] = 0;
 			}
 			$bestanswer ['title'] = checkwordsglobal ( $bestanswer ['title'] );
-			$bestanswer ['content'] = checkwordsglobal (htmlspecialchars_decode( $bestanswer ['content'] ));
+			$bestanswer ['content'] = checkwordsglobal ( $bestanswer ['content'] );
 			$bestanswer ['userinfo'] = array ();

 			$query = $this->db->get_where ( 'user', array ('uid' => $bestanswer ['authorid'] ) );
@@ -120,7 +120,7 @@ class Answer_model extends CI_Model {
 			}
 			$answer ['time'] = tdate ( $answer ['time'] );
 			$answer ['ip'] = formatip ( $answer ['ip'] );
-			$answer ['content'] = checkwordsglobal (htmlspecialchars_decode( $answer ['content']));
+			$answer ['content'] = checkwordsglobal ( $answer ['content']);
 			$answer ['title'] = checkwordsglobal ( $answer ['title'] );
 			$answer ['author_has_vertify'] = get_vertify_info ( $answer ['authorid'] ); //用户是否认证
 			$answer ['author_avartar'] = get_avatar_dir ( $answer ['authorid'] );

--- a/application/models/Question_model.php
+++ b/application/models/Question_model.php
@@ -120,7 +120,7 @@ class Question_model extends CI_Model {
 				$question['shortdescription']="[图]".$question ['shortdescription'];
 			}
 			$question ['artlen']=mb_strlen(strip_tags(checkwordsglobal ( htmlspecialchars_decode($question ['description'] ) )));
-			$question ['description'] = checkwordsglobal (htmlspecialchars_decode($question ['description'] ) );
+			$question ['description'] = checkwordsglobal ($question ['description']  );
 		}
 		return $question;
 	}

--- a/application/views/default/editor.php
+++ b/application/views/default/editor.php
@@ -18,7 +18,7 @@
             {if $this->uri->segment ( 1 )!='question'}
  {eval echo  replacewords($topic['describtion']);}
             {/if}
-           {if $user['groupid']==1||$user['uid']==$answer['authorid']&&$this->uri->segment ( 2 )=='editanswer'&&$this->uri->segment ( 1 )=='question'}    {eval echo htmlspecialchars_decode($answer['content']);} {/if}
+           {if $user['groupid']==1||$user['uid']==$answer['authorid']&&$this->uri->segment ( 2 )=='editanswer'&&$this->uri->segment ( 1 )=='question'}    {eval echo $answer['content'];} {/if}

 {/if}
            </textarea>

--- a/application/views/default/solve.php
+++ b/application/views/default/solve.php
@@ -354,16 +354,16 @@ position:relative;
                <p>
              
                {if $question['artlen']>=100||strstr($question['shortdescription'],'图')}
-                 {eval    echo htmlspecialchars_decode( htmlspecialchars_decode($question['shortdescription']));}
+                 {eval    echo $question['shortdescription'];}
                <button type="button" class="btnshowall">显示全部<i class="fa fa-angle-down"></i></button>
               {else}
-                {eval    echo htmlspecialchars_decode( htmlspecialchars_decode(replacewords($question['description'])));    }
+                {eval    echo replacewords($question['description']);    }
                {/if}
                </p>
            </div>
            
            <div class="show-content hide hidequestioncontent">
-                  {eval    echo  htmlspecialchars_decode(htmlspecialchars_decode(replacewords($question['description'])));    }
+                  {eval    echo  replacewords($question['description']);    }
           
            </div>
            
@@ -514,7 +514,7 @@ position:relative;
             {/if}
             <div class="comment-wrap art-content">
             <div class="answercontent">
-                {eval    echo htmlspecialchars_decode(replacewords($bestanswer['content']));    }
+                {eval    echo replacewords($bestanswer['content']);    }

                 <div class="appendcontent">
                                <!--{loop $bestanswer['appends'] $append}-->
@@ -633,7 +633,7 @@ position:relative;
             {/if}
             <div class="comment-wrap art-content">
             <div class="answercontent">
-                                 {eval    echo htmlspecialchars_decode(replacewords($answer['content']));    }
+                                 {eval    echo replacewords($answer['content']);    }

                 <div class="appendcontent">
                                <!--{loop $answer['appends'] $append}-->

--- a/application/views/fronzewap/editor.php
+++ b/application/views/fronzewap/editor.php
@@ -38,7 +38,7 @@ $.noConflict()
             {if $this->uri->segment ( 1 )!='question'}
  {eval echo  replacewords($topic['describtion']);}
             {/if}
-           {if $user['groupid']==1||$user['uid']==$answer['authorid']&&$this->uri->segment ( 2 )=='editanswer'&&$this->uri->segment ( 1 )=='question'}    {eval  echo htmlspecialchars_decode($answer['content']);} {/if}
+           {if $user['groupid']==1||$user['uid']==$answer['authorid']&&$this->uri->segment ( 2 )=='editanswer'&&$this->uri->segment ( 1 )=='question'}    {eval  echo $answer['content'];} {/if}

 {/if}
            </textarea>

--- a/application/views/fronzewap/solve.php
+++ b/application/views/fronzewap/solve.php
@@ -140,12 +140,12 @@ color:#fff;
        </div>
        <div class="article-content">
         <div class="ask_detail_content_text qyer_spam_text_filter">
-                   {eval    echo htmlspecialchars_decode(htmlspecialchars_decode(replacewords($question['description'])));    }
+                   {eval    echo replacewords($question['description']);    }
                   <!--{if $supplylist}-->
                       <ul class="nav">
                    <!--{loop $supplylist $supply}-->
                    <li><span class="time buchongtime">问题补充 : {$supply['format_time']}</span>
-                      {eval    echo htmlspecialchars_decode(replacewords($supply['content']));    }
+                      {eval    echo replacewords($supply['content']);    }

                    </li>
                    <!--{/loop}-->
@@ -296,7 +296,7 @@ color:#fff;
                 
                    {if $bestanswer['serverid']==null}
                         {if $bestanswer['reward']==0||$bestanswer['authorid']==$user['uid']}
-                             {eval    echo htmlspecialchars_decode(replacewords($bestanswer['content']));    }
+                             {eval    echo replacewords($bestanswer['content']);    }
                               {else}
                                 {eval if($question['authorid']==$user['uid']) $bestanswer['canview']=1;}
                               {if $bestanswer['canview']==0}
@@ -312,7 +312,7 @@ color:#fff;
 										</div>
                               {else}
                              
-                                 {eval    echo htmlspecialchars_decode(replacewords($bestanswer['content']));    }
+                                 {eval    echo replacewords($bestanswer['content']);    }
                               {/if}

                               {/if}
@@ -339,7 +339,7 @@ color:#fff;
                        <!--{/if}-->
                          <div class="zhuiwentext">

-                         {eval    echo htmlspecialchars_decode(replacewords($append['content']));    }
+                         {eval    echo replacewords($append['content']);    }
                                      </div>
                    <div class="clr"></div>
                    </div>
@@ -462,7 +462,7 @@ color:#fff;
                
                       {if $answer['serverid']==null}
                            {if $answer['reward']==0||$answer['authorid']==$user['uid']}
-                             {eval    echo htmlspecialchars_decode(replacewords($answer['content']));    }
+                             {eval    echo replacewords($answer['content']);    }
                               {else}
                                     {eval if($question['authorid']==$user['uid']) $answer['canview']=1;}
                               {if $answer['canview']==0}
@@ -477,7 +477,7 @@ color:#fff;

 										</div>
                               {else}
-                                 {eval    echo htmlspecialchars_decode(replacewords($answer['content']));    }
+                                 {eval    echo replacewords($answer['content']);    }
                               {/if}

                               {/if}
@@ -505,7 +505,7 @@ color:#fff;
                                    <h4 class="appendask font-12">作者追问:<span class='time'>{$append['format_time']}</span></h4>
                                    <!--{/if}-->
                                     <div class="zhuiwentext">
-                                          {eval    echo htmlspecialchars_decode(replacewords($append['content']));    }
+                                          {eval    echo replacewords($append['content']);    }
                                               </div>
                                <div class="clr"></div>
                                </div>