Commit 915254dc by 罗胜

出路径遍历,高危修复

parent b2afbb18
......@@ -24,6 +24,12 @@
$("#file").click();
}
$(document).ready(function() {
var fileInput = $('#file')[0];
var fileExtension = file.name.split('.').pop().toLowerCase();
if (fileExtension !== 'xls' && fileExtension !== 'xlsx') {
alert("请选择Excel格式的文件");
return;
}
$('#file').on('change', function(){
$('#form').ajaxForm(options).submit();
......@@ -77,7 +83,7 @@
<a href="${ctx}/airline/verify/list"><input id="btnCancel" class="btn" type="button" value="返回" /></a> </div>
</form:form>
<form style="display:none" id="form" action="dynamicFields.action?method=uploadFile" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file" value="" /><br/>
<input type="file" name="file" id="file" value="" accept=".xls,.xlsx"/><br/>
<input type="submit" value="确认提交">
</form>
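Review bot: The ready callback at L10-L15 reads `file.name`, but no `file` variable is declared in the hunk (the element is stored in `fileInput`), so this throws a ReferenceError on page load and the `change` handler at L16 is never bound, which disables upload on this page. Even with the name fixed, the check runs before any file has been chosen and `fileInput.name` is the input's `name` attribute ("file"), not the selected file; it belongs inside the change handler, e.g. `var f = this.files[0]; if (!f || !/\.xlsx?$/i.test(f.name)) { alert("请选择Excel格式的文件"); return; }` before `$('#form').ajaxForm(options).submit();`. Both `accept` and this script are advisory only; the `dynamicFields.action?method=uploadFile` endpoint (not in this diff) has to enforce the whitelist and a sanitized target path itself.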
......
......@@ -20,7 +20,9 @@
html += "<option value='" + data[i].id + "'>" + data[i].departName + "</option>"
}
}
$("#depart").append(html);
var domParser = new DOMParser();
var doc = domParser.parseFromString(html, 'text/html');
$("#depart").innerHTML(doc);
}
$("#depart").select2().val("${userProfileEntity.departId}").trigger("change");
});
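Review bot: `$("#depart").innerHTML(doc)` at L34 calls a method jQuery objects do not have, so this throws a TypeError and the select is never populated. Parsing with DOMParser also does not sanitize anything: `data[i].departName` is still concatenated into markup at L28, and whatever is parsed would be inserted as-is. Build the options with text nodes instead and drop L32-L34: `$("#depart").append($("<option>").val(data[i].id).text(data[i].departName));` inside the loop.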
......
......@@ -34,12 +34,20 @@
}
$(document).ready(function(){
top.$.jBox.tip.mess=0;
$('#file').on('change', function(){
$('#form').ajaxForm(options).submit();
});
$("#btnImport").click(function(){
var fileInput = $('#form')[0];
var fileExtension = file.name.split('.').pop().toLowerCase();
if (fileExtension !== 'xls' && fileExtension !== 'xlsx') {
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
bottomText:"导入文件不能超过5M,仅允许导入“xls”或“xlsx”格式文件!"});
return;
}
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
bottomText:"导入文件不能超过5M,仅允许导入“xls”或“xlsx”格式文件!"});
});
......@@ -50,7 +58,7 @@
<div id="importBox" class="hide">
<form id="importForm" action="${ctx}/airline/verify/import" method="post" enctype="multipart/form-data"
class="form-search" style="padding-left:20px;text-align:center;" onsubmit="loading('正在导入,请稍等...');"><br/>
<input id="uploadFile" name="file" type="file" style="width:330px"/><br/><br/>
<input id="uploadFile" name="file" type="file" style="width:330px" accept=".xls,.xlsx"/><br/><br/>
<input id="btnImportSubmit" class="btn btn-primary" type="submit" value=" 导 入 "/>
<a href="${ctx}/airline/verify/import/template">下载模板</a>
</form>
......@@ -149,7 +157,7 @@
</table>
<div class="pagination">${page}</div>
<form style="display:none" id="form" action="dynamicFields.action?method=uploadFile" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file" value="" /><br/>
<input type="file" name="file" id="file" value="" accept=".xls,.xlsx"/><br/>
<input type="submit" value="确认提交">
</form>
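Review bot: L47 stores the form element in `fileInput` but L48 reads `file.name`, an undeclared identifier, so the `#btnImport` click handler throws before `$.jBox(...)` runs and the import dialog never opens. The check also cannot work at click time: the dialog is built from `$("#importBox").html()`, so the `#uploadFile` in the hidden div is never the input the user fills. Move the check to the dialog form's submit, e.g. `onsubmit="var f=this.file.files[0]; if(!f||!/\.xlsx?$/i.test(f.name)){alert('仅允许导入xls/xlsx');return false;} loading('正在导入,请稍等...');"`, and keep server-side enforcement at `${ctx}/airline/verify/import`.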
......
......@@ -2,7 +2,7 @@
<%@ include file="/WEB-INF/views/include/taglib.jsp" %>
<html>
<head>
<script src="${ctxStatic}/jquery-form/jquery-form.js" type="text/javascript"></script>
<script src="${ctxStatic}/jquery-form/jquery-form.js" type="text/javascript"></script>
<title>论证部门管理</title>
<meta name="decorator" content="default"/>
<script verify="text/javascript">
......@@ -13,44 +13,68 @@
$("#searchForm").submit();
return false;
}
var options = {
type: "POST",
url: urls,
dataType: 'json'
};
var url = "${ctx}/airline/sailingfile/upload";
var urls = url;
function upload(id) {
urls = url + "?id=" + id;
options = {
type: "POST",
url:urls,
dataType: 'json'
url: urls,
dataType: 'json',
success: function (data) {
window.location.href = '${ctx}/airline/verifyUpdateUser/list?message=成功';
}
};
var url="${ctx}/airline/sailingfile/upload";
var urls=url;
function upload(id){
urls=url+"?id="+id;
options = {
type: "POST",
url:urls,
dataType: 'json',
success:function(data){
window.location.href='${ctx}/airline/verifyUpdateUser/list?message=成功';
}
};
$("#file").click();
$("#file").click();
}
$(document).ready(function(){
top.$.jBox.tip.mess=0;
$('#file').on('change', function(){
$('#form').ajaxForm(options).submit();
$(document).ready(function () {
top.$.jBox.tip.mess = 0;
var fileInput = $('#file')[0];
var fileExtension = fileInput.name.split('.').pop().toLowerCase();
if (fileExtension !== 'xls' && fileExtension !== 'xlsx') {
$.jBox($("#importBox").html(), {
title: "导入数据", buttons: {"关闭": true},
bottomText: "仅允许导入“xls”或“xlsx”格式文件!"
});
$("#btnImport").click(function(){
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
bottomText:"导入文件不能超过5M,仅允许导入“xls”或“xlsx”格式文件!"});
return;
}
$('#file').on('change', function () {
$('#form').ajaxForm(options).submit();
});
$("#btnImport").click(function () {
var file = $('#uploadFile')[0];
var fileExtension = file.name.split('.').pop().toLowerCase();
if (fileExtension !== 'xls' && fileExtension !== 'xlsx') {
$.jBox($("#importBox").html(), {
title: "导入数据", buttons: {"关闭": true},
bottomText: "仅允许导入“xls”或“xlsx”格式文件!"
});
return;
}
$.jBox($("#importBox").html(), {
title: "导入数据", buttons: {"关闭": true},
bottomText: "导入文件不能超过5M,仅允许导入“xls”或“xlsx”格式文件!"
});
});
});
});
</script>
</head>
<body>
<div id="importBox" class="hide">
<form id="importForm" action="${ctx}/airline/verify/import" method="post" enctype="multipart/form-data"
class="form-search" style="padding-left:20px;text-align:center;" onsubmit="loading('正在导入,请稍等...');"><br/>
<input id="uploadFile" name="file" type="file" style="width:330px"/><br/><br/>
class="form-search" style="padding-left:20px;text-align:center;" onsubmit="loading('正在导入,请稍等...');">
<br/>
<input id="uploadFile" name="file" type="file" style="width:330px" accept=".xls,.xlsx"/><br/><br/>
<input id="btnImportSubmit" class="btn btn-primary" type="submit" value=" 导 入 "/>
<a href="${ctx}/airline/verify/import/template">下载模板</a>
</form>
......@@ -59,7 +83,8 @@
<li class="active"><a href="${ctx}/airline/verify/list">航线管理列表</a></li>
<li><a href="${ctx}/airline/verifyUpdateUser">论证单号修改展示列表</a></li>
</ul>
<form:form id="searchForm" modelAttribute="verifyUpdateUserEntity" action="${ctx}/airline/verifyUpdateUser/list" method="post"
<form:form id="searchForm" modelAttribute="verifyUpdateUserEntity" action="${ctx}/airline/verifyUpdateUser/list"
method="post"
class="breadcrumb form-search ">
<input id="pageNo" name="pageNo" type="hidden" value="${page.pageNo}"/>
<input id="pageSize" name="pageSize" type="hidden" value="${page.pageSize}"/>
......@@ -71,13 +96,13 @@
<li><label>修改人:</label>
<form:input path="operateUser" htmlEscape="false" maxlength="100" class="input-small"/>
</li>
<li><label>论证类型:</label> <form:select path="verifType" class="input-small">
<form:option value="" label="请选择" />
<form:options items="${fns:getDictList('vrf_verify_type')}"
itemLabel="label" itemValue="value" htmlEscape="false" />
</form:select>
</li>
<li class="btns">&nbsp;&nbsp;
<li><label>论证类型:</label> <form:select path="verifType" class="input-small">
<form:option value="" label="请选择"/>
<form:options items="${fns:getDictList('vrf_verify_type')}"
itemLabel="label" itemValue="value" htmlEscape="false"/>
</form:select>
</li>
<li class="btns">&nbsp;&nbsp;
<input id="btnSubmit" class="btn btn-primary" type="submit" value="查询" onclick="return page();"/>
</li>
<li class="clearfix"></li>
......@@ -89,24 +114,32 @@
<table id="contentTable" class="table table-striped table-bordered table-condensed">
<thead>
<tr>
<th>编号</th><th>论证单号</th><th>论证类型</th><th>机型</th><th>航线</th><th>修改人</th><th>修改时间</th><th>修改原因</th><th>原始单号</th>
<%-- <shiro:hasPermission name="vrf:verify:edit">
<th>操作</th>
</shiro:hasPermission></tr>--%>
<th>编号</th>
<th>论证单号</th>
<th>论证类型</th>
<th>机型</th>
<th>航线</th>
<th>修改人</th>
<th>修改时间</th>
<th>修改原因</th>
<th>原始单号</th>
<%-- <shiro:hasPermission name="vrf:verify:edit">
<th>操作</th>
</shiro:hasPermission></tr>--%>
</thead>
<tbody>
<c:forEach items="${page.list}" var="verify" varStatus="vs">
<tr>
<%--这里的序号与对应的数据不是绑定的--%>
<%--这里的序号与对应的数据不是绑定的--%>
<td>${page.pageSize*(page.pageNo-1)+vs.index+1}</td>
<td>${verify.verifNo}</td>
<td>${fns:getDictLabel(verify.verifType, 'vrf_verify_type', '')}</td>
<td>${verify.aircraft.typeName}</td>
<td>${verify.verifNo}</td>
<td>${fns:getDictLabel(verify.verifType, 'vrf_verify_type', '')}</td>
<td>${verify.aircraft.typeName}</td>
<td>${verify.airline}
<td>${verify.airline}
</td>
<td>${verify.operateUser}</td>
<td><fmt:formatDate value="${verify.operateTime}" type="both"/></td>
<td>${verify.operateUser}</td>
<td><fmt:formatDate value="${verify.operateTime}" type="both"/></td>
<td>${verify.reason}</td>
<td>${verify.originalId}</td>
......@@ -117,9 +150,10 @@
</tbody>
</table>
<div class="pagination">${page}</div>
<form style="display:none" id="form" action="dynamicFields.action?method=uploadFile" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file" value="" /><br/>
<input type="submit" value="确认提交">
<form style="display:none" id="form" action="dynamicFields.action?method=uploadFile" method="post"
enctype="multipart/form-data">
<input type="file" name="file" id="file" value="" accept=".xls,.xlsx"/><br/>
<input type="submit" value="确认提交">
</form>
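Review bot: The ready-time check at L128-L139 reads `fileInput.name`, which is the input element's `name` attribute ("file"), so `fileExtension` is always "file", the dialog opens on every page load and the `return` at L138 prevents the `#file` change handler and the `#btnImport` click handler from ever being bound; upload and import on this page are both dead. The click-time check at L144-L145 has the same flaw and is in the wrong place anyway, since jBox copies `#importBox`'s HTML and the original `#uploadFile` never receives a file. Drop the ready-time check, keep the click handler to only open the dialog, and validate on the dialog form's submit as below; server-side enforcement is still required because `accept` and this script are client-side only. Separately, `<script verify="text/javascript">` at L83 (context line) looks like a typo for `type`.
```javascript
function isExcelFile(input) {
    var f = input && input.files && input.files[0];
    if (!f) { return false; }
    var ext = f.name.split('.').pop().toLowerCase();
    return ext === 'xls' || ext === 'xlsx';
}
$(document).ready(function () {
    top.$.jBox.tip.mess = 0;
    // … unchanged: #file change handler; #btnImport click only opens the dialog …
});
// in the #importForm element:
// onsubmit="if (!isExcelFile(this.file)) { alert('仅允许导入“xls”或“xlsx”格式文件!'); return false; } loading('正在导入,请稍等...');"
```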
......
......@@ -16,6 +16,13 @@
top.$('.jbox-body .jbox-icon').css('top','55px');
});
$("#btnImport").click(function(){
var fileInput = $('#uploadFile')[0];
var fileExtension = fileInput.name.split('.').pop().toLowerCase();
if (fileExtension !== 'xls' && fileExtension !== 'xlsx') {
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
bottomText:"仅允许导入“xls”或“xlsx”格式文件!"});
return;
}
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
bottomText:"导入文件不能超过5M,仅允许导入“xls”或“xlsx”格式文件!"});
});
......@@ -93,13 +100,14 @@
<div id="importBox" class="hide">
<form id="importForm" action="${ctx}/contact/airportBase/import" method="post" enctype="multipart/form-data"
class="form-search" style="padding-left:20px;text-align:center;" onsubmit="loading('正在导入,请稍等...');"><br/>
<input id="uploadFile" name="file" type="file" style="width:330px"/><br/><br/>  
<input id="uploadFile" name="file" type="file" style="width:330px" accept=".xls,.xlsx"/><br/><br/>  
<input id="btnImportSubmit" class="btn btn-primary" type="submit" value=" 导 入 "/>
<a href="${ctx}/contact/airportBase/template">下载模板</a>
</form>
</div>
<ul class="nav nav-tabs">
<li class="active"><a href="${ctx}/contact/airportBase/list?pageNo=<%=request.getParameter("pageNo")%>&pageSize=<%=request.getParameter("pageSize")%>">基地列表</a></li>
<%-- <li class="active"><a href="${ctx}/contact/airportBase/list?pageNo=<%=request.getParameter("pageNo")%>&pageSize=<%=request.getParameter("pageSize")%>">基地列表</a></li>--%>
<li class="active"><a href="${ctx}/contact/airportBase/list?pageNo=${fn:escapeXml(pageNo)}&pageSize=${fn:escapeXml(pageSize)}基地列表</a></li>
<li><a href="${ctx}/contact/airportBase/form?id=${baseEntity.id}">
基地<shiro:hasPermission name="contact:airportBase:edit">${not empty baseEntity.id?'修改':'添加'}</shiro:hasPermission></a></li>
</ul>
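Review bot: The new link at L286 never closes its `href` attribute: `...pageSize=${fn:escapeXml(pageSize)}基地列表</a>` is missing the `">` after the EL expression, so the link text and closing tag are swallowed into the attribute and the tab renders broken. Also, the old line read the request parameters, whereas `${pageNo}` and `${pageSize}` are scoped attributes; unless the controller puts them in the model (not visible here) the links lose their paging. The direct, escaped equivalent is `<li class="active"><a href="${ctx}/contact/airportBase/list?pageNo=${fn:escapeXml(param.pageNo)}&pageSize=${fn:escapeXml(param.pageSize)}">基地列表</a></li>`.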
......
......@@ -31,6 +31,13 @@
}
function importDialog() {
var fileInput = $('#uploadFile')[0];
var fileExtension = file.name.split('.').pop().toLowerCase();
if (fileExtension !== 'xls' && fileExtension !== 'xlsx') {
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
bottomText:"导入文件不能超过5M,仅允许导入“xls”或“xlsx”格式文件!"});
return;
}
/*$("#importFile").val("");
$("#importFile").trigger("click");*/
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
......@@ -74,7 +81,7 @@
<div id="importBox" class="hide">
<form id="importForm" action="${ctx}/contact/airport/batchImport" method="post" enctype="multipart/form-data"
class="form-search" style="padding-left:20px;text-align:center;" onsubmit="loading('正在导入,请稍等...');"><br/>
<input id="uploadFile" name="file" type="file" style="width:330px"/><br/><br/>
<input id="uploadFile" name="file" type="file" style="width:330px" accept=".xls,.xlsx'/><br/><br/>
<input id="btnImportSubmit" class="btn btn-primary" type="submit" value=" 导 入 "/>
<a href="${ctx}/contact/airport/batchImport/template">下载模板</a>
</form>
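Review bot: L309 opens the attribute with `accept="` but closes it with `'`, so the attribute value runs on to the next `"` at the start of L310 and the submit button's markup is absorbed into the file input's attributes, most likely leaving the dialog without a working import button. It should read `<input id="uploadFile" name="file" type="file" style="width:330px" accept=".xls,.xlsx"/><br/><br/>`. Separately, `file.name` at L295 references an undeclared `file` (the element is in `fileInput`), so `importDialog()` throws before opening the dialog; it should read `fileInput.files[0]`, and the check belongs on the dialog form's submit since jBox clones `#importBox`.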
......
......@@ -21,6 +21,13 @@
function importDialog() {
/*$("#importFile").val("");
$("#importFile").trigger("click");*/
var fileInput = $('#uploadFile')[0];
var fileExtension = fileInput.name.split('.').pop().toLowerCase();
if (fileExtension !== 'xls' && fileExtension !== 'xlsx') {
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
bottomText:"仅允许导入“xls”或“xlsx”格式文件!"});
return;
}
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
bottomText:"导入文件不能超过5M,仅允许导入“xls”或“xlsx”格式文件!"});
}
......@@ -118,7 +125,7 @@
<div id="importBox" class="hide">
<form id="importForm" action="${ctx}/contact/contacts/batchImport" method="post" enctype="multipart/form-data"
class="form-search" style="padding-left:20px;text-align:center;" onsubmit="loading('正在导入,请稍等...');"><br/>
<input id="uploadFile" name="file" type="file" style="width:330px"/><br/><br/>
<input id="uploadFile" name="file" type="file" style="width:330px" accept=".xls,.xlsx"/><br/><br/>
<input id="btnImportSubmit" class="btn btn-primary" type="submit" value=" 导 入 "/>
<a href="${ctx}/contact/contacts/batchImport/template">下载模板</a>
</form>
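Review bot: `fileInput.name` at L319 is the input element's `name` attribute ("file"), not the chosen file's name, so `fileExtension` is always "file" and the guard fires unconditionally; since both branches at L321 and L325 open the same dialog, the only observable effect is a different `bottomText`, and any file can still be submitted. Validate on the dialog form instead, where the real input lives after jBox clones `#importBox`: `onsubmit="var f=this.file.files[0]; if(!f||!/\.xlsx?$/i.test(f.name)){alert('仅允许导入xls/xlsx');return false;} loading('正在导入,请稍等...');"`. The `${ctx}/contact/contacts/batchImport` handler must still reject non-Excel content itself.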
......
......@@ -59,6 +59,12 @@
alert('超出允许上传的文件大小');
return;
}
var fileInput = $('#file')[0];
var fileExtension = fileInput.name.split('.').pop().toLowerCase();
if (fileExtension !== 'xls' && fileExtension !== 'xlsx') {
alert('非Excel格式不允许上传');
return;
}
$('#form').ajaxForm(options).submit();
});
......@@ -276,7 +282,7 @@
</div>
</form:form>
<form id="form" style="display:none" action="${ctx}/file/upload" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file" value="" /><br/>
<input type="file" name="file" id="file" value="" accept=".xls,.xlsx"/><br/>
<input type="submit" value="确认提交">
</form>
</body>
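Review bot: `fileInput.name` at L343 is the `<input>`'s `name` attribute ("file"), so `fileExtension` is always "file" and every upload now fails with the '非Excel格式不允许上传' alert. Read the selected file instead: `var f = fileInput.files && fileInput.files[0];` and `var fileExtension = f ? f.name.split('.').pop().toLowerCase() : '';`. This remains a client-side convenience; `${ctx}/file/upload` has to enforce the extension whitelist and a sanitized target path on its own.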
......
......@@ -15,7 +15,9 @@
for (var i = 0; i < data.length; i ++) {
html += "<option value='" + data[i].id + "'>" + data[i].name + "</option>"
}
$("#stationId").append(html);
var domParser = new DOMParser();
var doc = domParser.parseFromString(html, 'text/html');
$("#stationId").innerHTML(doc);
}
$("#stationId").select2().val('${seatTypeEntity.stationId}').trigger("change");
});
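Review bot: `$("#stationId").innerHTML(doc)` at L367 is not a jQuery method, so this line throws a TypeError and the station select stays empty. DOMParser does not sanitize `data[i].name`, which is still concatenated into markup at L362. Replace the loop body with `$("#stationId").append($("<option>").val(data[i].id).text(data[i].name));` and remove L365-L367.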
......
......@@ -45,6 +45,12 @@
alert('超出允许上传的文件大小');
return;
}
var fileInput = $('#form')[0];
var fileExtension = file.name.split('.').pop().toLowerCase();
if (fileExtension !== 'xls' && fileExtension !== 'xlsx') {
alert('文件格式错误,请上传xls或xlsx格式的文件');
return;
}
$('#form').ajaxForm(options).submit();
});
......@@ -81,7 +87,9 @@
for (var i = 0; i < data.length; i ++) {
html += "<option value='" + data[i].airportIata + "'>" + data[i].airportIata+"----"+ data[i].cityName + "</option>"
}
$("#airportIata").append(html);
var domParser = new DOMParser();
var doc = domParser.parseFromString(html, 'text/html');
$("#airportIata").innerHTML(doc);
}
$("#airportIata").select2().val('${stationEntity.airportIata}').trigger("change");
});
......@@ -147,7 +155,7 @@
</div>
</form:form>
<form id="form" style="display:none" action="${ctx}/file/upload" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file" value="" /><br/>
<input type="file" name="file" id="file" value="" accept=".xls,.xlsx"/><br/>
<input type="submit" value="确认提交">
</form>
</body>
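Review bot: L376 stores the form element but L377 reads `file.name`, an undeclared identifier, so the handler throws a ReferenceError and `$('#form').ajaxForm(options).submit()` at L382 is never reached; uploads on this page are broken. Use the chosen file: `var f = $('#file')[0].files[0]; var fileExtension = f ? f.name.split('.').pop().toLowerCase() : '';`. `$("#airportIata").innerHTML(doc)` at L391 has the same class of problem (jQuery has no `innerHTML` method) and should be `$("#airportIata").append($("<option>").val(data[i].airportIata).text(data[i].airportIata + "----" + data[i].cityName));` inside the loop.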
......
......@@ -31,7 +31,9 @@
html += "<option value='" + data[i].id + "'>" + data[i].name + "</option>"
}
}
$("#parent").append(html);
var domParser = new DOMParser();
var doc = domParser.parseFromString(html, 'text/html');
$("#parent").innerHTML(doc);
$("#parent").val("${reParentId}").trigger("change");
}
});
......@@ -50,7 +52,9 @@
html += "<option value='" + data[i].id + "'>" + data[i].name + "</option>"
}
}
$("#id").append(html);
var domParser = new DOMParser();
var doc = domParser.parseFromString(html, 'text/html');
$("#id").innerHTML(doc);
$("#id").val("${reId}").trigger("change");
}
});
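Review bot: `$("#parent").innerHTML(doc)` at L412 and `$("#id").innerHTML(doc)` at L423 call a method jQuery objects do not have, so both selects throw a TypeError and stay empty. DOMParser is not a sanitizer either; `data[i].name` is still concatenated into markup at L406 and L417. Use `$("#parent").append($("<option>").val(data[i].id).text(data[i].name));` (and the same for `#id`) inside the loops and delete the DOMParser lines.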
......
......@@ -32,7 +32,9 @@
html += "<option value='" + data[i].id + "'>" + data[i].name + " ---- " + data[i].pName +"</option>"
}
}
$("#categoryId").append(html);
var domParser = new DOMParser();
var doc = domParser.parseFromString(html, 'text/html');
$("#categoryId").innerHTML(doc);
}
$("#categoryId").select2().val('${delayRecordEntity.categoryId}').trigger("change");
});
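Review bot: `$("#categoryId").innerHTML(doc)` at L435 throws a TypeError (jQuery has no `innerHTML` method) and the category list never renders. DOMParser does not escape `data[i].name` or `data[i].pName`, which are still concatenated at L429. Build the option with text: `$("#categoryId").append($("<option>").val(data[i].id).text(data[i].name + " ---- " + data[i].pName));` and remove L433-L435.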
......
......@@ -27,10 +27,10 @@
</script>
</head>
<body> --%>
<div class="accordion" id="menu-${param.parentId}"><c:set var="menuList" value="${fns:getMenuList()}"/><c:set var="firstMenu" value="true"/><c:forEach items="${menuList}" var="menu" varStatus="idxStatus"><c:if test="${menu.parent.id eq (not empty param.parentId ? param.parentId:1)&&menu.isShow eq '1'}">
<div class="accordion" id="menu-${fn:escapeXml(param.parentId)}"><c:set var="menuList" value="${fns:getMenuList()}"/><c:set var="firstMenu" value="true"/><c:forEach items="${menuList}" var="menu" varStatus="idxStatus"><c:if test="${menu.parent.id eq (not empty param.parentId ? param.parentId:1)&&menu.isShow eq '1'}">
<div class="accordion-group">
<div class="accordion-heading">
<a class="accordion-toggle" data-toggle="collapse" data-parent="#menu-${param.parentId}" data-href="#collapse-${menu.id}" href="#collapse-${menu.id}" title="${menu.remarks}"><i class="icon-chevron-${not empty firstMenu && firstMenu ? 'down' : 'right'}"></i>&nbsp;${menu.name}</a>
<a class="accordion-toggle" data-toggle="collapse" data-parent="#menu-${fn:escapeXml(param.parentId)}" data-href="#collapse-${menu.id}" href="#collapse-${menu.id}" title="${menu.remarks}"><i class="icon-chevron-${not empty firstMenu && firstMenu ? 'down' : 'right'}"></i>&nbsp;${menu.name}</a>
</div>
<div id="collapse-${menu.id}" class="accordion-body collapse ${not empty firstMenu && firstMenu ? 'in' : ''}">
<div class="accordion-inner">
......
......@@ -14,7 +14,8 @@
for(var i=0; i<menuTreeselectNodes.length; i++) {
menuTreeselect.expandNode(menuTreeselectNodes[i], true, false, false);
}//</c:if>
var menuTreeselectNode = menuTreeselect.getNodeByParam("id", '${parentId != '' ? parentId : cookie.menuId.value}');
var safeParentId = StringEscapeUtils.escapeHtml4(parentId != null && !parentId.isEmpty() ? parentId : cookie.get("menuId").getValue());
var menuTreeselectNode = menuTreeselect.getNodeByParam("id", safeParentId);
menuTreeselect.selectNode(menuTreeselectNode, true);
menuTreeselect.expandNode(menuTreeselectNode, true, false, false);
</script>
\ No newline at end of file
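Review bot: L459 is inside a client-side `<script>` block, not a scriptlet or EL expression, so `StringEscapeUtils.escapeHtml4(...)`, `parentId.isEmpty()` and `cookie.get("menuId").getValue()` are executed as JavaScript, where none of these names exist; the line throws a ReferenceError and the tree node is never selected or expanded. The server-side escaping has to stay in EL: `var safeParentId = '${fn:escapeXml(not empty parentId ? parentId : cookie.menuId.value)}';`. `fn:escapeXml` encodes `'`, `<` and `&`, which blocks breaking out of the quoted JS string; a JavaScript-string escaper would be more precise if the project has one.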
......@@ -16,6 +16,13 @@
top.$('.jbox-body .jbox-icon').css('top','55px');
});
$("#btnImport").click(function(){
var fileInput = $('#uploadFile')[0];
var fileExtension = fileInput.name.split('.').pop().toLowerCase();
if (fileExtension !== 'xls' && fileExtension !== 'xlsx') {
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
bottomText:"仅允许导入“xls”或“xlsx”格式文件!"});
return;
}
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
bottomText:"导入文件不能超过5M,仅允许导入“xls”或“xlsx”格式文件!"});
});
......@@ -33,7 +40,7 @@
<div id="importBox" class="hide">
<form id="importForm" action="${ctx}/sys/user/import" method="post" enctype="multipart/form-data"
class="form-search" style="padding-left:20px;text-align:center;" onsubmit="loading('正在导入,请稍等...');"><br/>
<input id="uploadFile" name="file" type="file" style="width:330px"/><br/><br/>  
<input id="uploadFile" name="file" type="file" style="width:330px" accept=".xls,.xlsx"/><br/><br/>  
<input id="btnImportSubmit" class="btn btn-primary" type="submit" value=" 导 入 "/>
<a href="${ctx}/sys/user/import/template">下载模板</a>
</form>
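Review bot: `fileInput.name` at L470 is the element's `name` attribute ("file"), so `fileExtension` is always "file" and the guard always takes the L471 branch; because both branches open the same `#importBox` dialog, the check changes only the `bottomText` and never stops a submit. jBox clones the box's HTML, so validate on the dialog form's submit with the real input: `onsubmit="var f=this.file.files[0]; if(!f||!/\.xlsx?$/i.test(f.name)){alert('仅允许导入xls/xlsx');return false;} loading('正在导入,请稍等...');"`. `${ctx}/sys/user/import` must still enforce the whitelist.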
......
......@@ -16,6 +16,13 @@
top.$('.jbox-body .jbox-icon').css('top','55px');
});
$("#btnImport").click(function(){
var fileInput = $('#uploadFile')[0];
var fileExtension = file.name.split('.').pop().toLowerCase();
if (fileExtension !== 'xls' && fileExtension !== 'xlsx') {
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
bottomText:"导入文件不能超过5M,仅允许导入“xls”或“xlsx”格式文件!"});
return;
}
$.jBox($("#importBox").html(), {title:"导入数据", buttons:{"关闭":true},
bottomText:"导入文件不能超过5M,仅允许导入“xls”或“xlsx”格式文件!"});
});
......@@ -33,7 +40,7 @@
<div id="importBox" class="hide">
<form id="importForm" action="${ctx}/sys/user/import" method="post" enctype="multipart/form-data"
class="form-search" style="padding-left:20px;text-align:center;" onsubmit="loading('正在导入,请稍等...');"><br/>
<input id="uploadFile" name="file" type="file" style="width:330px"/><br/><br/>  
<input id="uploadFile" name="file" type="file" style="width:330px" accept=".xls,.xlsx"/><br/><br/>  
<input id="btnImportSubmit" class="btn btn-primary" type="submit" value=" 导 入 "/>
<a href="${ctx}/sys/user/import/template">下载模板</a>
</form>
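Review bot: L494 reads `file.name`, but `file` is not declared anywhere in the handler (the element is in `fileInput`), so the click handler throws a ReferenceError and the import dialog never opens. Fixing the name alone is not enough: `fileInput.name` is the input's `name` attribute, and the `#uploadFile` in the hidden `#importBox` is not the one the user fills once jBox clones the HTML. Move the check to the dialog form, e.g. `onsubmit="var f=this.file.files[0]; if(!f||!/\.xlsx?$/i.test(f.name)){alert('仅允许导入xls/xlsx');return false;} loading('正在导入,请稍等...');"`.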
......
......@@ -16,6 +16,13 @@
},
submitHandler: function(form){
loading('正在提交,请稍等...');
var fileInput = $('#form')[0];
var fileExtension = file.name.split('.').pop().toLowerCase();
if (fileExtension !== 'xls' && fileExtension !== 'xlsx'&& fileExtension !== 'doc'
&& fileExtension !== 'docx'&& fileExtension !== 'pdf') {
alert('请上传正确的文件格式');
return;
}
form.submit();
},
errorContainer: "#messageBox",
......@@ -51,7 +58,7 @@
<div class="control-group">
<label class="control-label">上传资料:</label>
<div class="controls">
<input type="file" name="file" id="file" value="" /><br/>
<input type="file" name="file" id="file" value="" accept=".xls,.xlsx,.doc,.docx,.pdf"/><br/>
</div>
</div>
<div class="form-actions">
......
......@@ -4,6 +4,7 @@ import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import cn.hutool.http.HtmlUtil;
import com.baidu.ueditor.define.ActionMap;
import com.baidu.ueditor.define.AppInfo;
import com.baidu.ueditor.define.BaseState;
......@@ -36,7 +37,7 @@ public class ActionEnter {
public String exec () {
String callbackName = this.request.getParameter("callback");
callbackName= HtmlUtil.cleanHtmlTag(callbackName);
if ( callbackName != null ) {
if ( !validCallbackName( callbackName ) ) {
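Review bot: `HtmlUtil.cleanHtmlTag(callbackName)` at L546 now runs before the `callbackName != null` guard on L547; if hutool's implementation does not tolerate null (its `cleanHtmlTag` is a `content.replaceAll(...)`, as far as I recall), every request without a `callback` parameter now fails with a NullPointerException. Tag-stripping is also not the right control for a JSONP callback name: `validCallbackName` at L548 is the whitelist that actually matters, and stripping first only turns rejected input into accepted input. Either drop L546 or guard it: `if (callbackName != null) { callbackName = HtmlUtil.cleanHtmlTag(callbackName); }`.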
......
package com.baidu.ueditor.upload;
import cn.hutool.core.util.StrUtil;
import com.baidu.ueditor.core.PathFormat;
import com.baidu.ueditor.define.AppInfo;
import com.baidu.ueditor.define.BaseState;
......@@ -10,9 +11,7 @@ import com.ejweb.core.utils.FileManipulation;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.*;
import javax.servlet.http.HttpServletRequest;
......@@ -21,9 +20,22 @@ import org.apache.commons.fileupload.FileItemStream;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.commons.io.FilenameUtils;
public class BinaryUploader {
private static Map<String, String> extMap = new HashMap<String, String>();
public BinaryUploader() {
// 其中images,flashs,medias,files,对应文件夹名称,对应dirName
// key文件夹名称
// value该文件夹内可以上传文件的后缀名
extMap.put("images", "gif,jpg,jpeg,png,bmp");
extMap.put("flashs", "swf,flv");
extMap.put("medias", "swf,flv,mp3,wav,wma,wmv,mid,avi,mpg,asf,rm,rmvb");
extMap.put("files", "doc,docx,xls,xlsx,ppt,htm,html,txt,zip,rar,gz,bz2");
}
public static final State save(HttpServletRequest request,
Map<String, Object> conf) {
FileItemStream fileStream = null;
......@@ -45,7 +57,22 @@ public class BinaryUploader {
while (iterator.hasNext()) {
fileStream = iterator.next();
try {
String fileName = new String(fileStream.getName().getBytes("ISO-8859-1"), "UTF-8");
String extension = FilenameUtils.getExtension(fileName).toLowerCase();
List<Boolean> list1=new ArrayList<>();
for (Map.Entry<String, String> entry : extMap.entrySet()) {
String value = entry.getValue();
if (!StrUtil.contains(value, extension)) {
list1.add(false);
}
}
if(list1.size()==extMap.entrySet().size()){
throw new Exception("上传文件扩展名是不允许的扩展名格式。");
}
} catch (Exception e) {
return new BaseState(false,e.getMessage());
}
if (!fileStream.isFormField())
break;
fileStream = null;
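Review bot: `StrUtil.contains(value, extension)` at L592 is a substring test against a comma-separated string, so an empty extension (no dot) matches every entry, and fragments such as "ht", "jp" or "x" pass as well; the check must split the list and compare whole tokens. `extMap` is static but filled only by the instance constructor (L571-L579) while `save` is static, so if nothing constructs a `BinaryUploader` the map is empty, `list1.size() == 0 == extMap.size()` and every upload is rejected. The check also runs on every multipart item, and `fileStream.getName()` is null for ordinary form fields, so a form field preceding the file produces a NullPointerException that the broad catch reports as an upload failure. Note that "htm,html,swf" in a web-served upload directory is stored XSS by design, and that this check does nothing about `..` in the filename that the commit title refers to; `FilenameUtils.getName` strips any directory part.
```java
private static final Map<String, String> extMap = new HashMap<String, String>();
private static final Set<String> ALLOWED_EXTS = new HashSet<String>();
static {
    extMap.put("images", "gif,jpg,jpeg,png,bmp");
    // … unchanged: flashs, medias, files entries (reconsider htm/html/swf) …
    for (String v : extMap.values()) {
        ALLOWED_EXTS.addAll(Arrays.asList(v.split(",")));
    }
}
// … unchanged: save() setup and iterator loop head …
if (!fileStream.isFormField()) {
    String fileName = FilenameUtils.getName(fileStream.getName()); // drop any directory part
    String extension = FilenameUtils.getExtension(fileName).toLowerCase();
    if (extension.isEmpty() || !ALLOWED_EXTS.contains(extension)) {
        return new BaseState(false, "上传文件扩展名是不允许的扩展名格式。");
    }
    break;
}
fileStream = null;
```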
......
......@@ -2,6 +2,7 @@ package com.ejweb.core.utils;
import java.io.File;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
......@@ -14,10 +15,12 @@ import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import cn.hutool.core.util.StrUtil;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.commons.io.FilenameUtils;
/**
* 文件上传工具类
......@@ -215,6 +218,22 @@ public class UploadUtils {
Map<String, String> fields = new HashMap<String, String>();
while (iter.hasNext()) {
FileItem item = iter.next();
try {
String fileName = new String(item.getName().getBytes("ISO-8859-1"), "UTF-8");
String extension = FilenameUtils.getExtension(fileName).toLowerCase();
List<Boolean> list1=new ArrayList<>();
for (Map.Entry<String, String> entry : extMap.entrySet()) {
String value = entry.getValue();
if (!StrUtil.contains(value, extension)) {
list1.add(false);
}
}
if(list1.size()==extMap.entrySet().size()){
throw new Exception("上传文件扩展名是不允许的扩展名格式。");
}
} catch (Exception e) {
return map;
}
// 处理所有表单元素和文件域表单元素
if (item.isFormField()) {
String name = item.getFieldName();
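Review bot: The new check at L627-L642 runs before the `item.isFormField()` branch, and `item.getName()` is null for plain form fields, so the first non-file field triggers a NullPointerException at L628 that the catch turns into a silent `return map` — the whole multipart request is abandoned without any error being reported. Move the check under the non-form-field branch and let a rejection surface explicitly rather than returning the partially filled `map`. `StrUtil.contains(value, extension)` at L633 is also a substring match, so an empty extension or a fragment like "ht" passes; split the lists and compare whole tokens, e.g. `Arrays.asList(value.split(",")).contains(extension)`. `extMap` is not defined in this hunk; if it is populated the same way as in BinaryUploader (instance constructor filling a static map), the same empty-map failure mode applies.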
......
/**
*
*
*/
package com.ejweb.modules.mail.web;
......@@ -10,6 +10,7 @@ import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
......@@ -30,14 +31,15 @@ import com.ejweb.modules.mail.service.MailService;
* @team IT Team
* @author zhanglg
* @version 1.0
* @time 2016年10月9日
* @time 2016年10月9日
*/
@Controller
@RequestMapping(value = "${adminPath}/mail/mail")
public class MailController extends BaseController {
@Autowired
private MailService mailService;
@ModelAttribute
public MailEntity get(@RequestParam(required = false) String value) {
if (StringUtils.isNotBlank(value)) {
......@@ -46,20 +48,21 @@ public class MailController extends BaseController {
return new MailEntity();
}
}
@RequiresPermissions("vrf:mail:view")
@RequestMapping(value = { "list", "" })
@RequestMapping(value = {"list", ""})
public String list(MailEntity mailEntity, HttpServletRequest request, HttpServletResponse response,
Model model) {
List<MailEntity> list = mailService.getList( mailEntity);
Model model) {
List<MailEntity> list = mailService.getList(mailEntity);
model.addAttribute("list", list);
return "modules/mail/mailList";
}
@RequiresPermissions("vrf:mail:edit")
@RequestMapping(value = "form")
@RequestMapping(value = "form")
public String form(MailEntity mailEntity, HttpServletRequest request, HttpServletResponse response,
Model model) {
List<MailInfoEntity> list = mailService.findlist( mailEntity);
Model model) {
List<MailInfoEntity> list = mailService.findlist(mailEntity);
model.addAttribute("label", mailEntity.getLabel());
model.addAttribute("value", mailEntity.getValue());
model.addAttribute("list", list);
......@@ -67,17 +70,18 @@ public class MailController extends BaseController {
}
@RequiresPermissions("vrf:mail:edit")
@RequestMapping(value = "getmail")
public String getmail( HttpServletRequest request,HttpServletResponse response, RedirectAttributes redirectAttributes) {
String name= request.getParameter("name");
String mail = mailService.getmail(name);
try {
PrintWriter out = response.getWriter();
out.print(mail);
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return null;
@RequestMapping(value = "getmail")
public String getmail(HttpServletRequest request, HttpServletResponse response, RedirectAttributes redirectAttributes) {
String name = request.getParameter("name");
String mail = mailService.getmail(name);
try {
PrintWriter out = response.getWriter();
String escapedMail = StringEscapeUtils.escapeHtml4(mail);
out.print(escapedMail);
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return null;
}
}
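Review bot: `getmail` at L716-L727 still writes to the response without setting a content type, so a browser may sniff the body as HTML; the added `escapeHtml4` mitigates that, but it also alters any address containing `&` or quotes for whoever consumes this endpoint as plain text (the caller is not visible here). Declaring the type makes the behaviour explicit and removes the sniffing risk independent of escaping: `response.setContentType("text/plain;charset=UTF-8");` before `getWriter()`. `e.printStackTrace()` on L725 should become a `logger` call so failures reach the application log.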
......@@ -8,6 +8,8 @@ import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import cn.hutool.core.util.StrUtil;
import cn.hutool.http.HtmlUtil;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
......@@ -26,6 +28,7 @@ import com.ejweb.core.base.BaseController;
import com.ejweb.modules.sys.entity.Menu;
import com.ejweb.modules.sys.service.SystemService;
import com.ejweb.modules.sys.utils.UserUtils;
import org.springframework.web.util.HtmlUtils;
/**
* 菜单Controller
......@@ -156,6 +159,10 @@ public class MenuController extends BaseController {
@ResponseBody
@RequestMapping(value = "treeData")
public List<Map<String, Object>> treeData(@RequestParam(required=false) String extId,@RequestParam(required=false) String isShowHide, HttpServletResponse response) {
if(StrUtil.isNotBlank(extId)){
extId= HtmlUtil.escape(extId);
}
List<Map<String, Object>> mapList = Lists.newArrayList();
List<Menu> list = systemService.findAllMenu();
for (int i=0; i<list.size(); i++){
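Review bot: HTML-escaping `extId` at L748-L750 changes the value rather than the output: `treeData` is a `@ResponseBody` JSON endpoint, and `extId` is presumably compared against menu IDs further down (outside the hunk), so an ID containing `&`, `<` or quotes would simply stop matching, while the JSON serializer already escapes the output. If the intent is to reject malformed IDs, validate the format instead, e.g. `if (StrUtil.isNotBlank(extId) && !extId.matches("[A-Za-z0-9_-]+")) { extId = null; }` (adjust to the project's ID format). The new `org.springframework.web.util.HtmlUtils` import at L741 appears unused.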
......
......@@ -6,12 +6,16 @@ package com.ejweb.modules.ueditor.web;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import cn.hutool.core.util.EscapeUtil;
import cn.hutool.core.util.StrUtil;
import cn.hutool.http.HtmlUtil;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import com.baidu.ueditor.core.ActionEnter;
import com.baidu.ueditor.define.ActionMap;
import com.ejweb.core.conf.GConstants;
import org.springframework.web.util.HtmlUtils;
/**
*
......@@ -35,8 +39,9 @@ public class UeditorAction {
ActionMap.mapping.put("config", ActionMap.CONFIG);
// 上传文件
ActionMap.mapping.put("uploadfile", ActionMap.UPLOAD_FILE);
ActionEnter actionEnter = new ActionEnter(request, rootPath);
response.getWriter().write(actionEnter.exec());
ActionEnter actionEnter = new ActionEnter(request, rootPath);
String exec = actionEnter.exec();
response.getWriter().write( EscapeUtil.escape(exec));
} catch (Exception e) {
e.printStackTrace();
}
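Review bot: `EscapeUtil.escape(exec)` at L777 applies JavaScript `escape()`-style percent-encoding to the whole UEditor response (hutool's `EscapeUtil.escape` encodes every non-alphanumeric character as `%XX`/`%uXXXX`, as far as I know), so the JSON or JSONP body the editor expects becomes an unparseable string and the config/upload actions break client-side. The XSS control for this endpoint is the callback-name whitelist inside `ActionEnter`, plus a correct content type; write the body unchanged and set `response.setContentType("application/json;charset=UTF-8");` (or `text/javascript` when a callback is present). The added `StrUtil`, `HtmlUtil` and `HtmlUtils` imports at L759-L766 are unused.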
......