From 58c4df6a65510b5b3396f4976c45184e52974eaf Mon Sep 17 00:00:00 2001
From: Northind <40927099+Northind@users.noreply.github.com>
Date: Tue, 14 Feb 2023 13:14:50 +0800
Subject: [PATCH 1/3] Update ImageShowController.java

---
 .../modules/admin/image/controller/ImageShowController.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/com/jflyfox/modules/admin/image/controller/ImageShowController.java b/src/main/java/com/jflyfox/modules/admin/image/controller/ImageShowController.java
index b751bd5..887db39 100644
--- a/src/main/java/com/jflyfox/modules/admin/image/controller/ImageShowController.java
+++ b/src/main/java/com/jflyfox/modules/admin/image/controller/ImageShowController.java
@@ -33,7 +33,7 @@ public void list() {
 
 // 排序
 String orderBy = getBaseForm().getOrderBy();
- if (StrUtils.isEmpty(orderBy)) {
+ if (StrUtils.isEmpty(orderBy) || orderBy.contains("(")) {
 sql.append(" order by sort,id desc");
 } else {
 sql.append(" order by ").append(orderBy);

From ad839fbf3c1c67c69b3ada38c3e933a2574aa859 Mon Sep 17 00:00:00 2001
From: Northind <40927099+Northind@users.noreply.github.com>
Date: Tue, 14 Feb 2023 13:17:29 +0800
Subject: [PATCH 2/3] Update RegistController.java

To the greatest extent, referring to the original code style, the mailbox format verification is improved, and the existing storage XSS vulnerability is fixed.
---
 .../modules/front/controller/RegistController.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/jflyfox/modules/front/controller/RegistController.java b/src/main/java/com/jflyfox/modules/front/controller/RegistController.java
index dfe3d2a..bd67f50 100644
--- a/src/main/java/com/jflyfox/modules/front/controller/RegistController.java
+++ b/src/main/java/com/jflyfox/modules/front/controller/RegistController.java
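Review bot: Rejecting only `(` in the request-supplied `orderBy` before it is appended to the statement on the hunk's last line is a denylist, and a request-controlled string is still spliced into the SQL; since an ORDER BY clause cannot be bound as a parameter, the dependable check is an allowlist of the sortable column names and direction keywords the page actually supports. A minimal form that keeps the existing fallback is `private static final Pattern SAFE_ORDER_BY = Pattern.compile("^\\w+(\\s+(asc|desc))?(\\s*,\\s*\\w+(\\s+(asc|desc))?)*$", Pattern.CASE_INSENSITIVE);` at class level and `if (StrUtils.isEmpty(orderBy) || !SAFE_ORDER_BY.matcher(orderBy).matches()) {` in place of the new condition (this needs `java.util.regex.Pattern` imported, which the hunk does not show). Matching against the concrete column list of the image table would be stricter still. The enclosing `list()` method starts before and ends after this hunk.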
@@ -12,6 +12,9 @@
 import com.jflyfox.system.user.UserCache;
 import com.jflyfox.util.StrUtils;
 
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
 @ControllerBind(controllerKey = "/front/regist")
 public class RegistController extends BaseProjectController {
 
@@ -62,7 +65,12 @@ public void save() {
 return;
 }
 
- if (StrUtils.isEmpty(key) || key.indexOf("@") < 0) {
+ String regEx1 = "^[\\w-_\\.+]*[\\w-_\\.]\\@([\\w]+\\.)+[\\w]+[\\w]$";
+ Pattern p;
+ Matcher m;
+ p = Pattern.compile(regEx1);
+ m = p.matcher(key);
+ if(!m.matches()) {
 json.put("msg", "email格式错误!");
 renderJson(json.toJSONString());
 return;

From e89eed09987dea6dbbd5e9e9c867821da15439e7 Mon Sep 17 00:00:00 2001
From: Northind <40927099+Northind@users.noreply.github.com>
Date: Tue, 14 Feb 2023 13:18:41 +0800
Subject: [PATCH 3/3] Update PersonController.java

To the greatest extent, referring to the original code style, the mailbox format verification is improved, and the existing storage XSS vulnerability is fixed.
---
 .../modules/front/controller/PersonController.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/jflyfox/modules/front/controller/PersonController.java b/src/main/java/com/jflyfox/modules/front/controller/PersonController.java
index b439a5b..f14cbde 100644
--- a/src/main/java/com/jflyfox/modules/front/controller/PersonController.java
+++ b/src/main/java/com/jflyfox/modules/front/controller/PersonController.java
@@ -23,6 +23,9 @@
 import com.jflyfox.util.StrUtils;
 import com.jflyfox.util.extend.HtmlUtils;
 
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
 /**
 * 个人信息
 * 
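Review bot: The new check in the `save()` hunk no longer guards against a missing value: the removed line returned the JSON error for an empty `key`, whereas `p.matcher(key)` throws a NullPointerException when `key` is null (where `key` is read lies outside the hunk, so whether null can reach here is inferred), and the pattern is recompiled on every registration request. Keeping the original guard and hoisting the pattern gives `private static final Pattern EMAIL_PATTERN = Pattern.compile("^[\\w-_\\.+]*[\\w-_\\.]\\@([\\w]+\\.)+[\\w]+[\\w]$");` at class level and `if (StrUtils.isEmpty(key) || !EMAIL_PATTERN.matcher(key).matches()) {` here, which also removes the `Pattern p; Matcher m;` declarations. The same expression is introduced in PersonController in PATCH 3/3; one shared constant (for instance in StrUtils) would keep both controllers in step. Narrowing the accepted characters does limit what can be stored in the email field, but the stored-XSS fix the description claims still depends on the value being HTML-encoded wherever it is rendered, which this hunk does not show. The enclosing `save()` method starts before and continues after the hunk.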
@@ -415,7 +418,12 @@ public void save() {
 }
 }
 
- if (StrUtils.isNotEmpty(model.getStr("email")) && model.getStr("email").indexOf("@") < 0) {
+ String regEx1 = "^[\\w-_\\.+]*[\\w-_\\.]\\@([\\w]+\\.)+[\\w]+[\\w]$";
+ Pattern p;
+ Matcher m;
+ p = Pattern.compile(regEx1);
+ m = p.matcher(model.getStr("email"));
+ if(!m.matches()){
 json.put("msg", "email格式错误!");
 renderJson(json.toJSONString());
 return;
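Review bot: The replaced condition treated the email as optional (`isNotEmpty(...) && ...`), but the new `p.matcher(model.getStr("email"))` runs unconditionally, so a profile update without an email now either fails the regex or, if `getStr` yields null, throws a NullPointerException instead of returning the JSON error; the description does not say the field is meant to become mandatory. Preserving the old semantics while hoisting the pattern is `String email = model.getStr("email");` followed by `if (StrUtils.isNotEmpty(email) && !EMAIL_PATTERN.matcher(email).matches()) {` with `EMAIL_PATTERN` a `private static final Pattern` at class level, after which `Pattern p; Matcher m;` are no longer needed. The same regex is added to RegistController in PATCH 2/3, so a shared constant would stop the two copies from drifting. The enclosing `save()` method starts before the hunk and continues after its last line.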