fix media info xss
@@ -1673,3 +1673,11 @@ JS;
|
|||||||
\Nexus\Nexus::js("js/crypto-js.js", 'footer', true);
|
\Nexus\Nexus::js("js/crypto-js.js", 'footer', true);
|
||||||
\Nexus\Nexus::js($js, 'footer', false);
|
\Nexus\Nexus::js($js, 'footer', false);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function nexus_escape($data): array|string
|
||||||
|
{
|
||||||
|
if (is_array($data)) {
|
||||||
|
return array_map('nexus_escape', $data);
|
||||||
|
}
|
||||||
|
return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
|
||||||
|
}
|
||||||
|
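Review bot: `nexus_escape` calls `htmlspecialchars` with `ENT_QUOTES` but without `ENT_SUBSTITUTE`, so a value that is not valid UTF-8 makes the call return `''` and the content vanishes silently rather than being escaped; `return htmlspecialchars((string) $data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` keeps malformed input safe and visible, and the `(string)` cast avoids the PHP 8.1 null-to-string deprecation if a nullable column value reaches the function. The `$data` parameter is untyped while the return is `array|string`, so the contract deserves a docblock, e.g. `/** Recursively HTML-escape a string or array of strings for an HTML body/attribute context (ENT_QUOTES, double_encode=true); not for JS or URL contexts. */` — the double-encode note matters because applying it to already-escaped text will produce `&amp;amp;`. The string callable `'nexus_escape'` in `array_map` could be the first-class `nexus_escape(...)` form once the codebase is on 8.1+, which the `array|string` return type suggests is close.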
|||||||
+5
-6
@@ -29,7 +29,6 @@ $row = mysql_fetch_array($res);
|
|||||||
if (user_can('torrentmanage') || $CURUSER["id"] == $row["owner"])
|
if (user_can('torrentmanage') || $CURUSER["id"] == $row["owner"])
|
||||||
$owned = 1;
|
$owned = 1;
|
||||||
else $owned = 0;
|
else $owned = 0;
|
||||||
|
|
||||||
$settingMain = get_setting('main');
|
$settingMain = get_setting('main');
|
||||||
if (!$row) {
|
if (!$row) {
|
||||||
stderr($lang_details['std_error'], $lang_details['std_no_torrent_id']);
|
stderr($lang_details['std_error'], $lang_details['std_no_torrent_id']);
|
||||||
@@ -308,20 +307,20 @@ JS;
|
|||||||
|
|
||||||
//technical info
|
//technical info
|
||||||
if ($settingMain['enable_technical_info'] == 'yes') {
|
if ($settingMain['enable_technical_info'] == 'yes') {
|
||||||
$technicalData = $row['technical_info'] ?? '';
|
$technicalData = nexus_escape($row['technical_info'] ?? '');
|
||||||
|
|
||||||
// 判断是否为BDINFO格式
|
// 判断是否为BDINFO格式
|
||||||
$isBdInfo = false;
|
$isBdInfo = false;
|
||||||
if (!empty($technicalData)) {
|
if (!empty($technicalData)) {
|
||||||
$firstLine = strtok($technicalData, "\n");
|
$firstLine = strtok($technicalData, "\n");
|
||||||
if (strpos($firstLine, 'DISC INFO') !== false
|
if (strpos($firstLine, 'DISC INFO') !== false
|
||||||
|| strpos($firstLine, 'Disc Title') !== false
|
|| strpos($firstLine, 'Disc Title') !== false
|
||||||
|| strpos($firstLine, 'Disc Label') !== false
|
|| strpos($firstLine, 'Disc Label') !== false
|
||||||
) {
|
) {
|
||||||
$isBdInfo = true;
|
$isBdInfo = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($isBdInfo) {
|
if ($isBdInfo) {
|
||||||
// 使用BdInfoExtra处理BDINFO格式
|
// 使用BdInfoExtra处理BDINFO格式
|
||||||
$technicalInfo = new \Nexus\Torrent\BdInfoExtra($technicalData);
|
$technicalInfo = new \Nexus\Torrent\BdInfoExtra($technicalData);
|
||||||
@@ -329,7 +328,7 @@ JS;
|
|||||||
// 使用TechnicalInformation处理MediaInfo格式
|
// 使用TechnicalInformation处理MediaInfo格式
|
||||||
$technicalInfo = new \Nexus\Torrent\TechnicalInformation($technicalData);
|
$technicalInfo = new \Nexus\Torrent\TechnicalInformation($technicalData);
|
||||||
}
|
}
|
||||||
|
|
||||||
$technicalInfoResult = $technicalInfo->renderOnDetailsPage();
|
$technicalInfoResult = $technicalInfo->renderOnDetailsPage();
|
||||||
if (!empty($technicalInfoResult)) {
|
if (!empty($technicalInfoResult)) {
|
||||||
tr($lang_functions['text_technical_info'], $technicalInfoResult, 1);
|
tr($lang_functions['text_technical_info'], $technicalInfoResult, 1);
|
||||||
|
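Review bot: On the changed line `$technicalData = nexus_escape($row['technical_info'] ?? '');` the escaping happens before the text is handed to `BdInfoExtra` / `TechnicalInformation`, so the parsers now receive `&amp;`, `&quot;` and `&#039;` in place of the raw characters and any delimiter or width logic in them runs on encoded text; their constructors and `renderOnDetailsPage()` are outside this hunk, so whether they escape field values again (double-encoding) cannot be confirmed from here. The conventional place for the fix is the output edge — inside `renderOnDetailsPage()` on each parsed value if it builds HTML itself, or on `$technicalInfoResult` before `tr(...)` if it returns plain text — with the raw `$row['technical_info']` kept for parsing. Note also that `nexus_escape` uses `ENT_QUOTES` without `ENT_SUBSTITUTE`, so a `technical_info` value with invalid UTF-8 becomes `''` and the `!empty($technicalData)` check on the next line silently skips the whole block; a comment such as `// nexus_escape() returns '' on invalid UTF-8; the block is then skipped` would at least make that behaviour explicit. The removed line of the `@@ -29,7 +29,6 @@` hunk is not visible in this rendering, so it was not reviewed.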
|||||||