Merge remote-tracking branch 'origin/master'

3fa1b5d6 · guwd · 36e56fb9 · 45099314 · 3fa1b5d6 · 3fa1b5d6
Commit 3fa1b5d6 authored Sep 07, 2020 by guwd
9 changed files
--- a/doc/5.0.0-to-5.1-mysql.sql
+++ b/doc/5.0.0-to-5.1-mysql.sql
--- a/doc/mcms-5.1.sql
+++ b/doc/mcms-5.1.sql
--- a/pom.xml
+++ b/pom.xml
@@ -9,7 +9,7 @@
 	</parent>
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>net.mingsoft</groupId>
-	<artifactId>mcms</artifactId>
+	<artifactId>ms-mcms</artifactId>
 	<version>5.1-SNAPSHOT</version>
 	<name>ms-mcms</name>
 	<properties>
@@ -22,11 +22,7 @@
 			<artifactId>ms-mpeople</artifactId>
 		</dependency>
 		<!-- 此部分是铭飞平台MStroe的客户端（MStore不在铭飞开源产品范围），如果不需要使用MStore可以删除掉 -->
-		<dependency>
-			<groupId>net.mingsoft</groupId>
-			<artifactId>store-client</artifactId>
-			<version>2.0</version>
-		</dependency>
 	</dependencies>
 	<build>
 		<finalName>ms-mcms</finalName>
@@ -40,30 +36,24 @@
 					<target>${java.version}</target>
 				</configuration>
 			</plugin>
-			<plugin>
-				<groupId>org.springframework.boot</groupId>
-				<artifactId>spring-boot-maven-plugin</artifactId>
-				<executions>
-					<execution>
-						<goals>
-							<goal>repackage</goal>
-						</goals>
-					</execution>
-				</executions>
-				<configuration>
-					<fork>true</fork>
-				</configuration>
-			</plugin>
 		</plugins>
 		<resources>
 			<resource>
 				<directory>src/main/webapp</directory>
-			</resource>
+				<excludes>
-			<resource>
+					<exclude>static/**</exclude>
-				<directory>src/main/resources</directory>
+					<exclude>html/**</exclude>
+					<exclude>upload/**</exclude>
+					<exclude>templets/**</exclude>
+				</excludes>
 			</resource>
 			<resource>
 				<directory>src/main/java</directory>
+				<excludes>
+					<exclude>**/*.java</exclude>
+					<exclude>**/MSApplication.class</exclude>
+					<exclude>**/MSServletInitializer.class</exclude>
+				</excludes>
 			</resource>
 		</resources>
 		<defaultGoal>compile</defaultGoal>

--- a/src/main/java/net/mingsoft/cms/action/GeneraterAction.java
+++ b/src/main/java/net/mingsoft/cms/action/GeneraterAction.java
@@ -176,8 +176,8 @@ public class GeneraterAction extends BaseAction {
 			for (CategoryEntity column : columns) {
 				ContentBean contentBean = new ContentBean();
 				contentBean.setContentCategoryId(column.getId());
-				// 分类是列表，链接
+				// 分类是列表
-				if(!column.getCategoryType().equals("2")) {
+				if(column.getCategoryType().equals("1")) {
 					// 判断模板文件是否存在
 					if (!FileUtil.exist(ParserUtil.buildTempletPath(column.getCategoryListUrl()))) {
 						LOG.error("模板不存在：{}", column.getCategoryUrl());
@@ -253,8 +253,8 @@ public class GeneraterAction extends BaseAction {
 			categoryList = categoryBiz.query(categoryEntity);
 			for(CategoryEntity category : categoryList){
 				contentBean.setContentCategoryId(category.getId());
-				// 分类是列表，链接
+				// 分类是列表
-				if(!category.getCategoryType().equals("2")){
+				if(category.getCategoryType().equals("1")){
 					// 判断模板文件是否存在
 					if (!FileUtil.exist(ParserUtil.buildTempletPath(category.getCategoryListUrl())) || StringUtils.isEmpty(category.getCategoryListUrl())) {
 						LOG.error("模板不存在：{}",category.getCategoryUrl());
@@ -276,8 +276,8 @@ public class GeneraterAction extends BaseAction {
 		}else {
 			CategoryEntity category = (CategoryEntity) categoryBiz.getEntity(Integer.parseInt(columnId));
 			contentBean.setContentCategoryId(columnId);
-			// 分类是列表，链接
+			// 分类是列表
-			if(!category.getCategoryType().equals("2")){
+			if(category.getCategoryType().equals("1")){
 				// 获取文章列表表属性
 				// 判断模板文件是否存在
 				if (!FileUtil.exist(ParserUtil.buildTempletPath(category.getCategoryUrl()))) {

--- a/src/main/java/net/mingsoft/cms/action/web/MCmsAction.java
+++ b/src/main/java/net/mingsoft/cms/action/web/MCmsAction.java
@@ -108,7 +108,7 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 	public void index(HttpServletRequest req, HttpServletResponse resp) {
 		Map map = BasicUtil.assemblyRequestMap();
 		map.forEach((k,v)->{
-			map.put(k,v.toString().replaceAll("('|\"|\\\\)","\\$1"));
+            map.put(k,v.toString().replaceAll("('|\"|\\\\)","\\\\$1"));
 		});
 		map.put(ParserUtil.URL, BasicUtil.getUrl());
 		//动态解析
@@ -140,6 +140,9 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 	@GetMapping("/list.do")
 	public void list(HttpServletRequest req, HttpServletResponse resp) {
 		Map map = BasicUtil.assemblyRequestMap();
+		map.forEach((k,v)->{
+			map.put(k,v.toString().replaceAll("('|\"|\\\\)","\\\\$1"));
+		});
 		//获取栏目编号
 		int typeId = BasicUtil.getInt(ParserUtil.TYPE_ID,0);
 		int size = BasicUtil.getInt(ParserUtil.SIZE,10);
@@ -205,7 +208,7 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 			}
 		}
-		orderby= orderby.replaceAll("('|\"|\\\\)","\\$1");
+		orderby= orderby.replaceAll("('|\"|\\\\)","\\\\$1");
 		PageBean page = new PageBean();
 		//用于详情上下页获取当前文章列表对应的分类，根据文章查询只能获取自身分类
 		String typeId = BasicUtil.getString(ParserUtil.TYPE_ID,article.getContentCategoryId());
@@ -216,7 +219,7 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 		Map map = BasicUtil.assemblyRequestMap();
 		map.forEach((k,v)->{
 			//sql注入过滤
-			map.put(k,v.toString().replaceAll("('|\"|\\\\)","\\$1"));
+			map.put(k,v.toString().replaceAll("('|\"|\\\\)","\\\\$1"));
 		});
 		//动态解析
 		map.put(ParserUtil.IS_DO,true);
@@ -340,7 +343,8 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 		if (field != null) {
 			for (Map.Entry<String, Object> entry : field.entrySet()) {
 				if (entry != null) {
-					String value = entry.getValue().toString().replaceAll("('|\"|\\\\)","\\$1"); // 处理由get方法请求中文乱码问题
+					String value = entry.getValue().toString().replaceAll("('|\"|\\\\)","\\\\$1"); // 处理由get方法请求中文乱码问题
+					value=clearXss(value);
 					if (ObjectUtil.isNull(value)) {
 						continue;
 					}
@@ -379,7 +383,8 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 		StringBuilder urlParams=new StringBuilder();
 		searchMap.forEach((k,v)->{
 			//sql注入过滤
-			searchMap.put(k,v.toString().replaceAll("('|\"|\\\\)","\\$1"));
+			searchMap.put(k,v.toString().replaceAll("('|\"|\\\\)","\\\\$1"));
+			searchMap.put(k,clearXss(searchMap.get(k).toString()));
 			urlParams.append(k).append("=").append(searchMap.get(k)).append("&");
 		});
@@ -443,6 +448,23 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 		this.outString(response, content);
 	}
+	// 清除路径中的转义字符
+	private String clearXss(String value) {
+		if (value == null || "".equals(value)) {
+			return value;
+		}
+		value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
+		value = value.replaceAll("\\(", "&#40;").replace("\\)", "&#41;");
+		value = value.replaceAll("'", "&#39;");
+		value = value.replaceAll("eval\\((.*)\\)", "");
+		value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']",
+				"\"\"");
+		value = value.replace("script", "");
+		return value;
+	}
 	/**
 	 * 存储自定义模型字段和接口参数

--- a/src/main/java/net/mingsoft/cms/dao/IContentDao.xml
+++ b/src/main/java/net/mingsoft/cms/dao/IContentDao.xml
@@ -263,7 +263,7 @@
 			cms_content.id article_id,c.*
 			FROM cms_content
 			LEFT JOIN cms_category c ON content_category_id = c.id
-			where del=0
+			where cms_content.del=0
 			<if test="appId &gt; 0">
 				and cms_content.app_id = #{appId}
 			</if>

--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
 server:
  port: 8081
  servlet.session.timeout: P0DT60M0S #D天H小时M分钟S秒，字符T是紧跟在时分秒之前的，每个单位都必须由数字开始,且时分秒顺序不能乱
+#  ssl: #https证书配置 配置了之后只能通过https访问应用
+#    key-store: ms.pfx 证书文件
+#    key-store-password: 3MU9t9Cz 证书密码
 logging:
  level:
@@ -10,9 +13,7 @@ logging:
    path: log #会在项目的根目录下生成log目录，里面会生成对应的日期目录，日期目录下面生成日志压缩包备份文件,默认按每10M分割一个日志文件，例如：log/2020-01/app-2020-01-03-18.1.log.gz（表示2020年1月3号下午六点的第一个备份），也可以根据实际情况写绝对路径，例如：d:/log
 ms:
-  mstore:
+#  scheme: https #解决使用代理服务器代理应用时标签解析域名依旧为http的问题
-    http: http://store.new.mingsoft.net
-    host: store.new.mingsoft.net
  swagger:
    enable: true #启用swagger文档，生产的时候务必关掉
  manager:
@@ -66,6 +67,7 @@ spring:
    expose-spring-macro-helpers: true
    prefer-file-system-access: false
    template-loader-path: classpath:/WEB-INF/manager,classpath:/WEB-INF
+    #template-loader-path: file:WEB-INF/,file:WEB-INF/manager,classpath:/,classpath:/WEB-INF/manager,classpath:/WEB-INF 管理页面WEB-INF/manger单独配置在jar外面，修改部分ftl避免重新jar打包
    settings:
      template_update_delay: 1
      default_encoding: UTF-8

--- a/src/main/webapp/WEB-INF/manager/cms/category/index.ftl
+++ b/src/main/webapp/WEB-INF/manager/cms/category/index.ftl
@@ -42,7 +42,7 @@
 				</el-table-column>
                 <el-table-column label="标题" align="left" prop="categoryTitle">
                 </el-table-column>
-            <el-table-column label="属性" align="center" prop="categoryType" :formatter="categoryTypeFormat" width="70">
+            <el-table-column label="类型" align="center" prop="categoryType" :formatter="categoryTypeFormat" width="70">
            </el-table-column>
 			<el-table-column label="排序" align="center" prop="categorySort"  width="70">
 			</el-table-column>

--- a/src/main/webapp/WEB-INF/manager/index.ftl
+++ b/src/main/webapp/WEB-INF/manager/index.ftl
@@ -6,6 +6,7 @@
    <#include '/include/head-file.ftl'/>
    <script src="${base}/static/plugins/sockjs/1.4.0/sockjs.min.js"></script>
    <script src="${base}/static/plugins/stomp/2.3.3/stomp.min.js"></script>
+    <!-- 此部分是铭飞平台MStroe的客户端（MStore不在铭飞开源产品范围），如果不需要使用MStore可以删除掉 -->
    <script src="https://cdn.mingsoft.net/ms/1.0/store.umd.min.js"></script>
    <style>
        .to-ele {