Fix XSS vulnerability (#6)

baijunyao · baijunyao · commit 3254d6c3ca37 · 2021-12-06T23:55:19.000+08:00
diff --git a/ThinkPHP/Common/functions.php b/ThinkPHP/Common/functions.php
@@ -1033,24 +1033,31 @@ function is_ssl() {
  * @param string $msg 重定向前的提示信息
  * @return void
  */
-function redirect($url, $time=0, $msg='') {
+function redirect($url, $time = 0, $msg = '')
+{
     //多行URL地址支持
-    $url        = str_replace(array("\n", "\r"), '', $url);
-    if (empty($msg))
-        $msg    = "系统将在{$time}秒之后自动跳转到{$url}！";
+    $url = str_replace(array("\n", "\r"), '', $url);
+    $url = htmlspecialchars(strip_tags($url), ENT_QUOTES, 'UTF-8', false);
+
+    if (empty($msg)) {
+        $msg = "系统将在{$time}秒之后自动跳转到{$url}！";
+    }
+
     if (!headers_sent()) {
         // redirect
         if (0 === $time) {
             header('Location: ' . $url);
         } else {
             header("refresh:{$time};url={$url}");
-            echo($msg);
+            echo ($msg);
         }
         exit();
     } else {
-        $str    = "<meta http-equiv='Refresh' content='{$time};URL={$url}'>";
-        if ($time != 0)
+        $str = "<meta http-equiv='Refresh' content='{$time};URL={$url}'>";
+        if (0 != $time) {
             $str .= $msg;
+        }
+
         exit($str);
     }
 }
diff --git a/ThinkPHP/Mode/Api/functions.php b/ThinkPHP/Mode/Api/functions.php
@@ -689,24 +689,31 @@ function dump($var, $echo=true, $label=null, $strict=true) {
  * @param string $msg 重定向前的提示信息
  * @return void
  */
-function redirect($url, $time=0, $msg='') {
+function redirect($url, $time = 0, $msg = '')
+{
     //多行URL地址支持
-    $url        = str_replace(array("\n", "\r"), '', $url);
-    if (empty($msg))
-        $msg    = "系统将在{$time}秒之后自动跳转到{$url}！";
+    $url = str_replace(array("\n", "\r"), '', $url);
+    $url = htmlspecialchars(strip_tags($url), ENT_QUOTES, 'UTF-8', false);
+
+    if (empty($msg)) {
+        $msg = "系统将在{$time}秒之后自动跳转到{$url}！";
+    }
+
     if (!headers_sent()) {
         // redirect
         if (0 === $time) {
             header('Location: ' . $url);
         } else {
             header("refresh:{$time};url={$url}");
-            echo($msg);
+            echo ($msg);
         }
         exit();
     } else {
-        $str    = "<meta http-equiv='Refresh' content='{$time};URL={$url}'>";
-        if ($time != 0)
+        $str = "<meta http-equiv='Refresh' content='{$time};URL={$url}'>";
+        if (0 != $time) {
             $str .= $msg;
+        }
+
         exit($str);
     }
 }
@@ -1106,4 +1113,4 @@ function think_filter(&$value){
     if(preg_match('/^(EXP|NEQ|GT|EGT|LT|ELT|OR|XOR|LIKE|NOTLIKE|NOT BETWEEN|NOTBETWEEN|BETWEEN|NOTIN|NOT IN|IN)$/i',$value)){
         $value .= ' ';
     }
-}
+}
