xss共计与sql注入

app/controllers/memos_controller.rb

@@ -12,7 +12,14 @@ class MemosController < ApplicationController
   def index
     @user = current_user
     @memos = Memo.all
-    s_order = (params[:order] == "replies_count" ? "all_replies_count" : params[:order]) || "updated_at"
+    # replies_count created_at updated_at
+    s_order =
+        case params[:order]
+        when 'replies_count' then 'all_replies_count'
+        when 'created_at' then 'created_at'
+        else
+          'updated_at'
+        end
     # @tidding_count = unviewed_tiddings(current_user) if current_user.present?
     page = params[:page] || 1
     limit = params[:limit] || 15

app/controllers/question_banks_controller.rb

@@ -10,7 +10,7 @@ class QuestionBanksController < ApplicationController
   def bank_list
     page = params[:page] || 1
     limit = params[:limit] || 15
-    @certification_teacher = current_user.is_teacher? || current_user.admin?
+    @certification_teacher = current_user.is_certification_teacher || current_user.admin_or_business?
     @objects = @object_type.classify.constantize.where(@object_filter)
     @objects =
         if params[:search]
@@ -18,19 +18,17 @@ class QuestionBanksController < ApplicationController
             # 已认证才能获取题库
             if @certification_teacher
               sql = %Q{
-              #{@objects.table_name}.is_public = 1 and concat(#{@objects.table_name}.name, course_lists.name) like
-                    '%#{params[:search]}%'
-                  }
-              @objects.joins(:course_list).where(sql)
+              #{@objects.table_name}.is_public = 1 and concat(#{@objects.table_name}.name, course_lists.name) like :keyword
+              }
+              @objects.joins(:course_list).where(sql, keyword: "%#{params[:search]}%")
             else
               @objects.none
             end
           else
             sql = %Q{
-            #{@objects.table_name}.user_id = #{current_user.id} and concat(#{@objects.table_name}.name, course_lists.name) like
-                    '%#{params[:search]}%'
-                  }
-            @objects.joins(:course_list).where(sql)
+            #{@objects.table_name}.user_id = #{current_user.id} and concat(#{@objects.table_name}.name, course_lists.name) like :keyword
+            }
+            @objects.joins(:course_list).where(sql, keyword: "%#{params[:search]}%")
           end
         else
           if params[:filter] == 'public'

app/controllers/shixuns_controller.rb

@@ -26,26 +26,19 @@ class ShixunsController < ApplicationController
 
 	## 获取课程列表
   def index
-    ## 我的实训
-    @shixuns =
-        if params[:order_by] == 'mine'
-					tip_exception(401, "..") unless current_user.logged?
-          current_user.my_shixuns
-        else
-          Shixun.unhidden
-        end
+		@shixuns = current_laboratory.shixuns.unhidden.publiced
 
 		## 方向
 		if params[:tag_level].present? && params[:tag_id].present?
-      @shixuns = @shixuns.filter_tag(params[:tag_level].to_i, params[:tag_id].to_i)
+			@shixuns = @shixuns.filter_tag(params[:tag_level].to_i, params[:tag_id].to_i)
 			case params[:tag_level].to_i
-				when 1 #大类
-					@search_tags = Repertoire.find(params[:tag_id].to_i).name
-				when 2 #子类
-					@search_tags =  SubRepertoire.find(params[:tag_id].to_i).name
-				when 3 #tag
-					tag = TagRepertoire.find(params[:tag_id].to_i)
-					@search_tags = "#{tag.sub_repertoire.name} / #{tag.name}"
+			when 1 #大类
+				@search_tags = Repertoire.find(params[:tag_id].to_i).name
+			when 2 #子类
+				@search_tags =  SubRepertoire.find(params[:tag_id].to_i).name
+			when 3 #tag
+				tag = TagRepertoire.find(params[:tag_id].to_i)
+				@search_tags = "#{tag.sub_repertoire.name} / #{tag.name}"
 			end
 		end
 
@@ -61,27 +54,23 @@ class ShixunsController < ApplicationController
 		end
 
 		## 筛选 状态
-    if params[:status].present? && params[:status].to_i != 0
+		if params[:status].present? && params[:status].to_i != 0
 			params[:status] = [0, 1] if params[:status].to_i == 1
-      @shixuns = @shixuns.where(status: params[:status])
-    end
+			@shixuns = @shixuns.where(status: params[:status])
+		end
 
 		## 筛选 难度
-    if params[:diff].present? && params[:diff].to_i != 0
-      @shixuns = @shixuns.where(trainee: params[:diff])
-    end
+		if params[:diff].present? && params[:diff].to_i != 0
+			@shixuns = @shixuns.where(trainee: params[:diff])
+		end
 
 		## 排序参数
-		bsort = params[:sort] || 'desc'
-		case params[:order_by] || 'publish_time'
-			when 'new'
-				@shixuns = @shixuns.order("shixuns.status = 2 desc, shixuns.created_at #{bsort}")
-			when 'hot'
-				@shixuns = @shixuns.order("shixuns.status = 2 desc, shixuns.myshixuns_count #{bsort}")
-      when 'mine'
-        @shixuns = @shixuns.order("shixuns.created_at #{bsort}")
-      else
-				@shixuns = @shixuns.order("shixuns.status = 2 desc, shixuns.publish_time #{bsort}")
+		bsort = (params[:sort] == "desc" ? "desc" : "asc")
+		case params[:order_by] || 'new'
+		when 'hot'
+			@shixuns = @shixuns.order("shixuns.public = 2 desc, shixuns.myshixuns_count #{bsort}")
+		else
+			@shixuns = @shixuns.order("shixuns.public = 2 desc, shixuns.publish_time #{bsort}")
 		end
 
 		# 用id计数会快10+MS左右,对于搜索的内容随着数据的增加，性能会提升一些。
@@ -92,12 +81,6 @@ class ShixunsController < ApplicationController
 		limit = params[:limit] || 16
 
 		@shixuns = @shixuns.includes(:tag_repertoires, :challenges).page(page).per(limit)
-
-		@tag_name_map = TagRepertoire.joins(:shixun_tag_repertoires)
-											.where(shixun_tag_repertoires: { shixun_id: @shixuns.map(&:id) })
-											.group('shixun_tag_repertoires.shixun_id')
-											.select('shixun_id, tag_repertoires.name')
-											.each_with_object({}) { |r, obj| obj[r.shixun_id] = r.name }
   end
 
 	def shixun_list

app/helpers/application_helper.rb

@@ -10,6 +10,19 @@ module ApplicationHelper
 
   ONE_YEAR = 12 * ONE_MONTH
 
+  # xss共计问题
+  def content_safe content
+    return nil if content.nil?
+    tags = %w(
+        a abbr b bdo blockquote br caption cite code col colgroup dd del dfn dl
+        dt em figcaption figure h1 h2 h3 h4 h5 h6 hgroup i img ins kbd li mark
+        ol p pre q rp rt ruby s samp small strike strong sub sup table tbody td
+        tfoot th thead time tr u ul var wbr div span
+        )
+    attributes = %w(href src width height alt cite datetime title class name xml:lang abbr style)
+    sanitize content, tags: tags, attributes: attributes
+  end
+
   # 全局参数配置
   def edu_setting name
     EduSetting.get(name)

app/views/discusses/_discuss.json.jbuilder

@@ -2,7 +2,7 @@ json.author do
   json.partial! 'users/user', user: discuss.user
 end
 json.id discuss.id
-json.content discuss.content
+json.content content_safe(discuss.content)
 json.time time_from_now(discuss.created_at)
 json.position discuss.position
 json.shixun_id discuss.dis_id

app/views/graduation_topics/_graduation_comments.json.jbuilder

@@ -3,7 +3,7 @@ json.author do
 end
 
 json.id message.id
-json.content message.contents_show(identity)
+json.content content_safe(message.contents_show(identity))
 json.time time_from_now(message.created_at)
 json.hidden message.hidden
 # 主贴与子贴不一致

app/views/memos/_memo.json.jbuilder

@@ -3,7 +3,7 @@ json.memo do
   json.forum_id memo.forum_id
   json.subject memo.subject
   json.is_md memo.is_md
-  json.content memo.content
+  json.content content_safe(memo.content)
   json.sticky memo.sticky
   json.reward memo.reward
   json.viewed_count memo.viewed_count

app/views/memos/_replies_list.json.jbuilder

@@ -1,5 +1,5 @@
 json.id memo.id
-json.content memo.content
+json.content content_safe(memo.content)
 json.time time_from_now(memo.created_at)
 json.user_id memo.author_id
 json.image_url url_to_avatar(memo.author)

app/views/messages/_message_detail.json.jbuilder

@@ -1,6 +1,6 @@
 json.partial! "messages/message_simple", message: message
 json.partial! "commons/like", message: message
-json.content message.message_detail.try(:content)
+json.content content_safe(message.message_detail.try(:content))
 json.author do
   json.partial! "users/user_simple", user: message.author
 end