
fix #746 统一过滤存储型XSS

magicblack 4 years ago
parent
commit
3650581440

+ 30 - 0
application/common/model/Actor.php

@@ -424,6 +424,36 @@ class Actor extends Base {
         unset($data['uptime']);
         unset($data['uptag']);
 
+        // xss过滤
+        $filter_fields = [
+            'actor_name',
+            'actor_en',
+            'actor_alias',
+            'actor_color',
+            'actor_pic',
+            'actor_blurb',
+            'actor_remarks',
+            'actor_area',
+            'actor_height',
+            'actor_weight',
+            'actor_birthday',
+            'actor_birtharea',
+            'actor_blood',
+            'actor_starsign',
+            'actor_school',
+            'actor_works',
+            'actor_tag',
+            'actor_class',
+            'actor_tpl',
+            'actor_jumpurl',
+        ];
+        foreach ($filter_fields as $filter_field) {
+            if (!isset($data[$filter_field])) {
+                continue;
+            }
+            $data[$filter_field] = mac_filter_xss($data[$filter_field]);
+        }
+
         if(!empty($data['actor_id'])){
             $where=[];
             $where['actor_id'] = ['eq',$data['actor_id']];
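Review bot: The allow-list of field names plus the foreach that calls mac_filter_xss on each entry is pasted identically into seven models in this commit (Art, Comment, Gbook, Topic, Type and Vod as well as here), so the next field added to a model, or any later change to how filtering is applied, has to be repeated in seven places. Every one of these classes `extends Base`, so the loop belongs in a protected helper there and each model keeps only its list, e.g. `$data = $this->filterXssFields($data, $filter_fields);`, with the helper doing the isset check and the mac_filter_xss call. A per-field allow-list also means any field not named here is stored unfiltered, which is exactly the gap the commit title is trying to close; filtering every string value in `$data` except an explicit exempt list would fail safe instead. The enclosing method starts before this hunk, so where `$data` comes from and whether it has already been validated is not visible here.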

+ 29 - 0
application/common/model/Art.php

@@ -501,6 +501,35 @@ class Art extends Base {
         unset($data['uptime']);
         unset($data['uptag']);
 
+        // xss过滤
+        $filter_fields = [
+            'art_name',
+            'art_sub',
+            'art_en',
+            'art_color',
+            'art_from',
+            'art_author',
+            'art_tag',
+            'art_class',
+            'art_pic',
+            'art_pic_thumb',
+            'art_pic_slide',
+            'art_blurb',
+            'art_remarks',
+            'art_jumpurl',
+            'art_tpl',
+            'art_rel_art',
+            'art_rel_vod',
+            'art_pwd',
+            'art_pwd_url',
+        ];
+        foreach ($filter_fields as $filter_field) {
+            if (!isset($data[$filter_field])) {
+                continue;
+            }
+            $data[$filter_field] = mac_filter_xss($data[$filter_field]);
+        }
+
         if(!empty($data['art_id'])){
             $where=[];
             $where['art_id'] = ['eq',$data['art_id']];
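Review bot: `art_pwd` and `art_pwd_url` are passed through mac_filter_xss together with display fields, so if that filter strips or rewrites characters (angle brackets, quotes, entities) the stored password will no longer match what a reader later types, and nothing on this page shows the filter to be a no-op for plain text. Output-encoding those two values where they are rendered covers the XSS case without touching what is stored; if they stay in the list, a comment such as `// art_pwd/art_pwd_url are compared on read — confirm mac_filter_xss leaves plain text unchanged` would at least record the assumption. Note also that neither this list nor the Vod list in this commit names a body/content field, so if those models persist one it is not covered by this change.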

+ 6 - 6
application/common/model/Collect.php

@@ -396,7 +396,7 @@ class Collect extends Base {
     public function vod_data($param,$data,$show=1)
     {
         if($show==1) {
-            mac_echo(lang('model/collect/data_tip1',[$data['page']['page'],$data['page']['pagecount'],$data['page']['url']]));
+            mac_echo('[' . __FUNCTION__ . '] ' . lang('model/collect/data_tip1',[$data['page']['page'],$data['page']['pagecount'],$data['page']['url']]));
         }
 
         $config = config('maccms.collect');
@@ -1035,7 +1035,7 @@ class Collect extends Base {
     public function art_data($param,$data,$show=1)
     {
         if($show==1) {
-            mac_echo(lang('model/collect/data_tip1',[$data['page']['page'],$data['page']['pagecount'],$data['page']['url']]));
+            mac_echo('[' . __FUNCTION__ . '] ' . lang('model/collect/data_tip1',[$data['page']['page'],$data['page']['pagecount'],$data['page']['url']]));
         }
 
         $config = config('maccms.collect');
@@ -1357,7 +1357,7 @@ class Collect extends Base {
     public function actor_data($param,$data,$show=1)
     {
         if($show==1) {
-            mac_echo(lang('model/collect/data_tip1',[$data['page']['page'],$data['page']['pagecount'],$data['page']['url']]));
+            mac_echo('[' . __FUNCTION__ . '] ' . lang('model/collect/data_tip1',[$data['page']['page'],$data['page']['pagecount'],$data['page']['url']]));
         }
 
         $config = config('maccms.collect');
@@ -1624,7 +1624,7 @@ class Collect extends Base {
     public function role_data($param,$data,$show=1)
     {
         if($show==1) {
-            mac_echo(lang('model/collect/data_tip1',[$data['page']['page'],$data['page']['pagecount'],$data['page']['url']]));
+            mac_echo('[' . __FUNCTION__ . '] ' . lang('model/collect/data_tip1',[$data['page']['page'],$data['page']['pagecount'],$data['page']['url']]));
         }
 
         $config = config('maccms.collect');
@@ -1938,7 +1938,7 @@ class Collect extends Base {
     public function website_data($param,$data,$show=1)
     {
         if($show==1) {
-            mac_echo(lang('model/collect/data_tip1',[$data['page']['page'],$data['page']['pagecount'],$data['page']['url']]));
+            mac_echo('[' . __FUNCTION__ . '] ' . lang('model/collect/data_tip1',[$data['page']['page'],$data['page']['pagecount'],$data['page']['url']]));
         }
 
         $config = config('maccms.collect');
@@ -2203,7 +2203,7 @@ class Collect extends Base {
     public function comment_data($param,$data,$show=1)
     {
         if($show==1) {
-            mac_echo(lang('model/collect/data_tip1',[$data['page']['page'],$data['page']['pagecount'],$data['page']['url']]));
+            mac_echo('[' . __FUNCTION__ . '] ' . lang('model/collect/data_tip1',[$data['page']['page'],$data['page']['pagecount'],$data['page']['url']]));
         }
 
         $config = config('maccms.collect');
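Review bot: The new prefix is built with `'[' . __FUNCTION__ . '] '` in front of a lang() string, so it is the one part of the message that bypasses the translation layer; harmless, but the same edit is repeated six times (vod_data, art_data, actor_data, role_data, website_data, comment_data), which suggests a small helper taking the function name. More relevant to this commit's subject: `$data['page']['page']`, `['pagecount']` and `['url']` appear to come from the remote collection response and are passed to mac_echo unchanged; if mac_echo writes raw HTML to the admin page, those values are reflected unescaped, which is worth confirming since the rest of the commit is about XSS. Each of these methods continues outside its hunk.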

+ 12 - 0
application/common/model/Comment.php

@@ -214,6 +214,18 @@ class Comment extends Base {
             return ['code'=>1001,'msg'=>lang('param_err').':'.$validate->getError() ];
         }
 
+        // xss过滤
+        $filter_fields = [
+            'comment_name',
+            'comment_content',
+        ];
+        foreach ($filter_fields as $filter_field) {
+            if (!isset($data[$filter_field])) {
+                continue;
+            }
+            $data[$filter_field] = mac_filter_xss($data[$filter_field]);
+        }
+
         if(!empty($data['comment_id'])){
             $where=[];
             $where['comment_id'] = ['eq',$data['comment_id']];
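Review bot: The filter runs after the `$validate` check at the top of this hunk has already returned on error (the same ordering appears in Gbook), so any length or format rule in that validator is evaluated on the unfiltered `comment_name`/`comment_content`, and the value actually stored can be shorter or differently shaped than what passed validation. Running the mac_filter_xss loop before the validator, or re-checking the fields after it, keeps the validated value and the persisted value the same. Since `comment_content` is user-submitted, filtering on write is a second line of defence only; the render side still needs htmlspecialchars() for the HTML context, which this page does not show. The enclosing method starts before this hunk.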

+ 12 - 0
application/common/model/Gbook.php

@@ -137,6 +137,18 @@ class Gbook extends Base {
             return ['code'=>1001,'msg'=>lang('param_err').':'.$validate->getError() ];
         }
 
+        // xss过滤
+        $filter_fields = [
+            'gbook_name',
+            'gbook_content',
+            'gbook_reply',
+        ];
+        foreach ($filter_fields as $filter_field) {
+            if (!isset($data[$filter_field])) {
+                continue;
+            }
+            $data[$filter_field] = mac_filter_xss($data[$filter_field]);
+        }
 
         if(!empty($data['gbook_id'])){
             if(!empty($data['gbook_reply'])){

+ 29 - 0
application/common/model/Topic.php

@@ -381,6 +381,35 @@ class Topic extends Base {
         }
         unset($data['uptime']);
 
+        // xss过滤
+        $filter_fields = [
+            'topic_name',
+            'topic_en',
+            'topic_sub',
+            'topic_color',
+            'topic_tpl',
+            'topic_type',
+            'topic_pic',
+            'topic_pic_thumb',
+            'topic_pic_slide',
+            'topic_key',
+            'topic_des',
+            'topic_title',
+            'topic_blurb',
+            'topic_remarks',
+            'topic_tag',
+            'topic_rel_vod',
+            'topic_rel_art',
+            'topic_content',
+            'topic_extend',
+        ];
+        foreach ($filter_fields as $filter_field) {
+            if (!isset($data[$filter_field])) {
+                continue;
+            }
+            $data[$filter_field] = mac_filter_xss($data[$filter_field]);
+        }
+
         if(!empty($data['topic_id'])){
             $where=[];
             $where['topic_id'] = ['eq',$data['topic_id']];
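Review bot: `topic_content` and `topic_extend` are filtered with the same mac_filter_xss call as short title and colour fields, and nothing on this page shows how that filter treats markup; if it strips or rewrites tags, admin-authored rich content in `topic_content` is silently altered on every save, and if `topic_extend` holds structured data (JSON or a serialised string) the filter may corrupt it. Either confirm the filter is markup-aware and document that above the list, e.g. `// mac_filter_xss must preserve legitimate HTML in topic_content — see its implementation`, or apply a dedicated sanitiser for rich-text fields and keep the plain filter for the rest. The enclosing method starts before this hunk.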

+ 24 - 0
application/common/model/Type.php

@@ -244,6 +244,30 @@ class Type extends Base {
             $data['type_en'] = Pinyin::get($data['type_name']);
         }
 
+        // xss过滤
+        $filter_fields = [
+            'type_name',
+            'type_en',
+            'type_tpl',
+            'type_tpl_list',
+            'type_tpl_detail',
+            'type_tpl_play',
+            'type_tpl_down',
+            'type_key',
+            'type_des',
+            'type_title',
+            'type_union',
+            'type_logo',
+            'type_pic',
+            'type_jumpurl',
+        ];
+        foreach ($filter_fields as $filter_field) {
+            if (!isset($data[$filter_field])) {
+                continue;
+            }
+            $data[$filter_field] = mac_filter_xss($data[$filter_field]);
+        }
+
         if(!empty($data['type_id'])){
             $where=[];
             $where['type_id'] = ['eq',$data['type_id']];
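Review bot: `type_tpl`, `type_tpl_list`, `type_tpl_detail`, `type_tpl_play` and `type_tpl_down` look like template names, and an HTML/XSS filter is not the control that protects such a field: if these values are later resolved to a file path, the relevant check is an allow-list of existing template names (or at least rejecting path separators and `..`), which mac_filter_xss cannot provide. The same applies to `actor_tpl`, `art_tpl`, `topic_tpl` and the `vod_tpl*` entries in the other models' lists in this commit. A note such as `// xss filter only; template names still need path validation before use` above the list would keep the next reader from assuming the field is fully validated here. Whether the template values are ever used as paths is not visible on this page.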

+ 38 - 0
application/common/model/Vod.php

@@ -615,6 +615,44 @@ class Vod extends Base {
         unset($data['uptime']);
         unset($data['uptag']);
 
+        // xss过滤
+        $filter_fields = [
+            'vod_name',
+            'vod_sub',
+            'vod_en',
+            'vod_color',
+            'vod_tag',
+            'vod_class',
+            'vod_pic',
+            'vod_pic_thumb',
+            'vod_pic_slide',
+            'vod_actor',
+            'vod_director',
+            'vod_writer',
+            'vod_behind',
+            'vod_blurb',
+            'vod_remarks',
+            'vod_pubdate',
+            'vod_serial',
+            'vod_tv',
+            'vod_weekday',
+            'vod_area',
+            'vod_lang',
+            'vod_year',
+            'vod_version',
+            'vod_state',
+            'vod_author',
+            'vod_tpl',
+            'vod_tpl_play',
+            'vod_tpl_down',
+        ];
+        foreach ($filter_fields as $filter_field) {
+            if (!isset($data[$filter_field])) {
+                continue;
+            }
+            $data[$filter_field] = mac_filter_xss($data[$filter_field]);
+        }
+
         if(!empty($data['vod_id'])){
             $where=[];
             $where['vod_id'] = ['eq',$data['vod_id']];