lkddi/nexusphp
1
0
Fork 0
mirror of https://github.com/lkddi/nexusphp.git synced 2026-04-24 03:57:22 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix media info xss

Browse Source
This commit is contained in:
xiaomlove
2025-12-15 19:35:37 +07:00
parent 88f2318699
commit d255499e83
2 changed files with 13 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
include/globalfunctions.php
+8
View File
@@ -1673,3 +1673,11 @@ JS;
\Nexus\Nexus::js("js/crypto-js.js", 'footer', true); \Nexus\Nexus::js("js/crypto-js.js", 'footer', true);
\Nexus\Nexus::js($js, 'footer', false); \Nexus\Nexus::js($js, 'footer', false);
} }
function nexus_escape($data): array|string
{
if (is_array($data)) {
return array_map('nexus_escape', $data);
}
return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}
public/details.php
+1 -2
View File
@@ -29,7 +29,6 @@ $row = mysql_fetch_array($res);
if (user_can('torrentmanage') || $CURUSER["id"] == $row["owner"]) if (user_can('torrentmanage') || $CURUSER["id"] == $row["owner"])
$owned = 1; $owned = 1;
else $owned = 0; else $owned = 0;
$settingMain = get_setting('main'); $settingMain = get_setting('main');
if (!$row) { if (!$row) {
stderr($lang_details['std_error'], $lang_details['std_no_torrent_id']); stderr($lang_details['std_error'], $lang_details['std_no_torrent_id']);
@@ -308,7 +307,7 @@ JS;
//technical info //technical info
if ($settingMain['enable_technical_info'] == 'yes') { if ($settingMain['enable_technical_info'] == 'yes') {
$technicalData = $row['technical_info'] ?? ''; $technicalData = nexus_escape($row['technical_info'] ?? '');
// 判断是否为BDINFO格式 // 判断是否为BDINFO格式
$isBdInfo = false; $isBdInfo = false;