fix media info xss

xiaomlove
2025-12-15 19:35:37 +07:00
parent 88f2318699
commit d255499e83
2 changed files with 13 additions and 6 deletions
+8
@@ -1673,3 +1673,11 @@ JS;
\Nexus\Nexus::js("js/crypto-js.js", 'footer', true); \Nexus\Nexus::js("js/crypto-js.js", 'footer', true);
\Nexus\Nexus::js($js, 'footer', false); \Nexus\Nexus::js($js, 'footer', false);
} }
function nexus_escape($data): array|string
{
if (is_array($data)) {
return array_map('nexus_escape', $data);
}
return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}
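Review bot: `nexus_escape` passes `ENT_QUOTES` on its own, which leaves out `ENT_SUBSTITUTE`, so `htmlspecialchars` returns an empty string whenever the input contains an invalid UTF-8 byte sequence and the whole value silently disappears from the page. I would change the return line to `return htmlspecialchars((string) $data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`; the cast also avoids the deprecation raised when `$data` is null, since the parameter is untyped. The `array_map` branch escapes array values only, not keys. A short docblock saying so, and that the result is meant for HTML text and quoted-attribute contexts rather than JavaScript or URL output, would keep the helper from being reused where it does not protect.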
+5 -6
@@ -29,7 +29,6 @@ $row = mysql_fetch_array($res);
if (user_can('torrentmanage') || $CURUSER["id"] == $row["owner"]) if (user_can('torrentmanage') || $CURUSER["id"] == $row["owner"])
$owned = 1; $owned = 1;
else $owned = 0; else $owned = 0;
$settingMain = get_setting('main'); $settingMain = get_setting('main');
if (!$row) { if (!$row) {
stderr($lang_details['std_error'], $lang_details['std_no_torrent_id']); stderr($lang_details['std_error'], $lang_details['std_no_torrent_id']);
@@ -308,20 +307,20 @@ JS;
//technical info //technical info
if ($settingMain['enable_technical_info'] == 'yes') { if ($settingMain['enable_technical_info'] == 'yes') {
$technicalData = $row['technical_info'] ?? ''; $technicalData = nexus_escape($row['technical_info'] ?? '');
// 判断是否为BDINFO格式 // 判断是否为BDINFO格式
$isBdInfo = false; $isBdInfo = false;
if (!empty($technicalData)) { if (!empty($technicalData)) {
$firstLine = strtok($technicalData, "\n"); $firstLine = strtok($technicalData, "\n");
if (strpos($firstLine, 'DISC INFO') !== false if (strpos($firstLine, 'DISC INFO') !== false
|| strpos($firstLine, 'Disc Title') !== false || strpos($firstLine, 'Disc Title') !== false
|| strpos($firstLine, 'Disc Label') !== false || strpos($firstLine, 'Disc Label') !== false
) { ) {
$isBdInfo = true; $isBdInfo = true;
} }
} }
if ($isBdInfo) { if ($isBdInfo) {
// 使用BdInfoExtra处理BDINFO格式 // 使用BdInfoExtra处理BDINFO格式
$technicalInfo = new \Nexus\Torrent\BdInfoExtra($technicalData); $technicalInfo = new \Nexus\Torrent\BdInfoExtra($technicalData);
@@ -329,7 +328,7 @@ JS;
// 使用TechnicalInformation处理MediaInfo格式 // 使用TechnicalInformation处理MediaInfo格式
$technicalInfo = new \Nexus\Torrent\TechnicalInformation($technicalData); $technicalInfo = new \Nexus\Torrent\TechnicalInformation($technicalData);
} }
$technicalInfoResult = $technicalInfo->renderOnDetailsPage(); $technicalInfoResult = $technicalInfo->renderOnDetailsPage();
if (!empty($technicalInfoResult)) { if (!empty($technicalInfoResult)) {
tr($lang_functions['text_technical_info'], $technicalInfoResult, 1); tr($lang_functions['text_technical_info'], $technicalInfoResult, 1);
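Review bot: The escape on the `$technicalData` assignment runs before the text is parsed, so the `strtok`/`strpos` format check and both `BdInfoExtra` and `TechnicalInformation` now receive entity-encoded input rather than the stored value. Two things follow that these hunks cannot confirm: values containing `&`, `<`, `>` or quotes reach the parsers altered (and would be double-encoded if `renderOnDetailsPage()` escapes anything itself), and any other caller that builds these classes from the raw `technical_info` column stays unescaped. Escaping inside `renderOnDetailsPage()`, at the point each value is written into markup, would cover every caller. If the call stays here, a comment such as `// escaped before parsing: the renderers emit values verbatim` would record the assumption. The surrounding block starts and ends outside the visible hunks.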