xss共计与sql注入

5 years ago · fe7921e45b
parent ad5eee32a1
commit fe7921e45b
9 changed files with 54 additions and 53 deletions
--- a/app/controllers/memos_controller.rb
+++ b/app/controllers/memos_controller.rb
@ -12,7 +12,14 @@ class MemosController < ApplicationController
  def index
    @user = current_user
    @memos = Memo.all
-    s_order = (params[:order] == "replies_count" ? "all_replies_count" : params[:order]) || "updated_at"
+    # replies_count created_at updated_at
    s_order =
        case params[:order]
        when 'replies_count' then 'all_replies_count'
        when 'created_at' then 'created_at'
        else
          'updated_at'
        end
    # @tidding_count = unviewed_tiddings(current_user) if current_user.present?
    page = params[:page] || 1
    limit = params[:limit] || 15
--- a/app/controllers/question_banks_controller.rb
+++ b/app/controllers/question_banks_controller.rb
@ -10,7 +10,7 @@ class QuestionBanksController < ApplicationController
  def bank_list
    page = params[:page] || 1
    limit = params[:limit] || 15
-    @certification_teacher = current_user.is_teacher? || current_user.admin?
+    @certification_teacher = current_user.is_certification_teacher || current_user.admin_or_business?
    @objects = @object_type.classify.constantize.where(@object_filter)
    @objects =
        if params[:search]
@ -18,19 +18,17 @@ class QuestionBanksController < ApplicationController
            # 已认证才能获取题库
            if @certification_teacher
              sql = %Q{
-              #{@objects.table_name}.is_public = 1 and concat(#{@objects.table_name}.name, course_lists.name) like
+              #{@objects.table_name}.is_public = 1 and concat(#{@objects.table_name}.name, course_lists.name) like :keyword
                    '%#{params[:search]}%'
              }
-              @objects.joins(:course_list).where(sql)
+              @objects.joins(:course_list).where(sql, keyword: "%#{params[:search]}%")
            else
              @objects.none
            end
          else
            sql = %Q{
-            #{@objects.table_name}.user_id = #{current_user.id} and concat(#{@objects.table_name}.name, course_lists.name) like
+            #{@objects.table_name}.user_id = #{current_user.id} and concat(#{@objects.table_name}.name, course_lists.name) like :keyword
                    '%#{params[:search]}%'
            }
-            @objects.joins(:course_list).where(sql)
+            @objects.joins(:course_list).where(sql, keyword: "%#{params[:search]}%")
          end
        else
          if params[:filter] == 'public'
--- a/app/controllers/shixuns_controller.rb
+++ b/app/controllers/shixuns_controller.rb
@ -26,14 +26,7 @@ class ShixunsController < ApplicationController
 	## 获取课程列表
  def index
-    ## 我的实训
+		@shixuns = current_laboratory.shixuns.unhidden.publiced
    @shixuns =
        if params[:order_by] == 'mine'
 					tip_exception(401, "..") unless current_user.logged?
          current_user.my_shixuns
        else
          Shixun.unhidden
        end
 		## 方向
 		if params[:tag_level].present? && params[:tag_id].present?
@ -72,16 +65,12 @@ class ShixunsController < ApplicationController
 		end
 		## 排序参数
-		bsort = params[:sort] || 'desc'
+		bsort = (params[:sort] == "desc" ? "desc" : "asc")
-		case params[:order_by] || 'publish_time'
+		case params[:order_by] || 'new'
 			when 'new'
 				@shixuns = @shixuns.order("shixuns.status = 2 desc, shixuns.created_at #{bsort}")
 		when 'hot'
-				@shixuns = @shixuns.order("shixuns.status = 2 desc, shixuns.myshixuns_count #{bsort}")
+			@shixuns = @shixuns.order("shixuns.public = 2 desc, shixuns.myshixuns_count #{bsort}")
      when 'mine'
        @shixuns = @shixuns.order("shixuns.created_at #{bsort}")
 		else
-				@shixuns = @shixuns.order("shixuns.status = 2 desc, shixuns.publish_time #{bsort}")
+			@shixuns = @shixuns.order("shixuns.public = 2 desc, shixuns.publish_time #{bsort}")
 		end
 		# 用id计数会快10+MS左右,对于搜索的内容随着数据的增加，性能会提升一些。
@ -92,12 +81,6 @@ class ShixunsController < ApplicationController
 		limit = params[:limit] || 16
 		@shixuns = @shixuns.includes(:tag_repertoires, :challenges).page(page).per(limit)
 		@tag_name_map = TagRepertoire.joins(:shixun_tag_repertoires)
 											.where(shixun_tag_repertoires: { shixun_id: @shixuns.map(&:id) })
 											.group('shixun_tag_repertoires.shixun_id')
 											.select('shixun_id, tag_repertoires.name')
 											.each_with_object({}) { |r, obj| obj[r.shixun_id] = r.name }
  end
 	def shixun_list
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -10,6 +10,19 @@ module ApplicationHelper
  ONE_YEAR = 12 * ONE_MONTH
  # xss共计问题
  def content_safe content
    return nil if content.nil?
    tags = %w(
        a abbr b bdo blockquote br caption cite code col colgroup dd del dfn dl
        dt em figcaption figure h1 h2 h3 h4 h5 h6 hgroup i img ins kbd li mark
        ol p pre q rp rt ruby s samp small strike strong sub sup table tbody td
        tfoot th thead time tr u ul var wbr div span
        )
    attributes = %w(href src width height alt cite datetime title class name xml:lang abbr style)
    sanitize content, tags: tags, attributes: attributes
  end
  # 全局参数配置
  def edu_setting name
    EduSetting.get(name)
--- a/app/views/discusses/_discuss.json.jbuilder
+++ b/app/views/discusses/_discuss.json.jbuilder
@ -2,7 +2,7 @@ json.author do
  json.partial! 'users/user', user: discuss.user
 end
 json.id discuss.id
-json.content discuss.content
+json.content content_safe(discuss.content)
 json.time time_from_now(discuss.created_at)
 json.position discuss.position
 json.shixun_id discuss.dis_id
--- a/app/views/graduation_topics/_graduation_comments.json.jbuilder
+++ b/app/views/graduation_topics/_graduation_comments.json.jbuilder
@ -3,7 +3,7 @@ json.author do
 end
 json.id message.id
-json.content message.contents_show(identity)
+json.content content_safe(message.contents_show(identity))
 json.time time_from_now(message.created_at)
 json.hidden message.hidden
 # 主贴与子贴不一致
--- a/app/views/memos/_memo.json.jbuilder
+++ b/app/views/memos/_memo.json.jbuilder
@ -3,7 +3,7 @@ json.memo do
  json.forum_id memo.forum_id
  json.subject memo.subject
  json.is_md memo.is_md
-  json.content memo.content
+  json.content content_safe(memo.content)
  json.sticky memo.sticky
  json.reward memo.reward
  json.viewed_count memo.viewed_count
--- a/app/views/memos/_replies_list.json.jbuilder
+++ b/app/views/memos/_replies_list.json.jbuilder
@ -1,5 +1,5 @@
 json.id memo.id
-json.content memo.content
+json.content content_safe(memo.content)
 json.time time_from_now(memo.created_at)
 json.user_id memo.author_id
 json.image_url url_to_avatar(memo.author)
--- a/app/views/messages/_message_detail.json.jbuilder
+++ b/app/views/messages/_message_detail.json.jbuilder
@ -1,6 +1,6 @@
 json.partial! "messages/message_simple", message: message
 json.partial! "commons/like", message: message
-json.content message.message_detail.try(:content)
+json.content content_safe(message.message_detail.try(:content))
 json.author do
  json.partial! "users/user_simple", user: message.author
 end