
fix(web): Unsafe CDN and Referrer-Policy fix
- close #97
1 parent 4d6362a commit 16c3143

4 files changed

+46
-52
lines changed


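--- a/web/app/controllers/subdomain/blog/blog_write.php
+++ b/web/app/controllers/subdomain/blog/blog_write.php
@@ -1,6 +1,6 @@
 <?php
 requirePHPLib('form');
-
+
 if (!UOJContext::hasBlogPermission()) {
 become403Page();
 }
@@ -11,7 +11,7 @@
 } else {
 $blog = DB::selectFirst("select * from blogs where poster = '".UOJContext::user()['username']."' and type = 'B' and is_draft = true");
 }
-
+
 $blog_editor = new UOJBlogEditor();
 $blog_editor->name = 'blog';
 if ($blog) {
@@ -36,14 +36,14 @@
 } else {
 $blog_editor->blog_url = null;
 }
-
+
 function updateBlog($id, $data) {
 DB::update("update blogs set title = '".DB::escape($data['title'])."', content = '".DB::escape($data['content'])."', content_md = '".DB::escape($data['content_md'])."', is_hidden = {$data['is_hidden']} where id = {$id}");
 }
 function insertBlog($data) {
 DB::insert("insert into blogs (title, content, content_md, poster, is_hidden, is_draft, post_time) values ('".DB::escape($data['title'])."', '".DB::escape($data['content'])."', '".DB::escape($data['content_md'])."', '".Auth::id()."', {$data['is_hidden']}, {$data['is_draft']}, now())");
 }
-
+
 $blog_editor->save = function($data) {
 global $blog;
 $ret = array();
@@ -77,12 +77,12 @@ function insertBlog($data) {
 }
 return $ret;
 };
-
+
 $blog_editor->runAtServer();
 ?>
 <?php echoUOJPageHeader('写博客') ?>
 <div class="text-right">
-<a href="http://uoj.ac/blog/7">这玩意儿怎么用?</a>
+<a href="http://uoj.ac/blog/7" target="_blank" rel="noopener noreferrer">这玩意儿怎么用?</a>
 </div>
 <?php $blog_editor->printHTML() ?>
 <?php echoUOJPageFooter() ?>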
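Review bot: The new anchor at line 85 keeps a cleartext `http://uoj.ac/blog/7` target; `rel="noopener noreferrer"` closes the opener and referrer leak this commit is about, but a plain-http link can still be rewritten on the wire, so if that host is served over TLS the tag should read `<a href="https://uoj.ac/blog/7" target="_blank" rel="noopener noreferrer">这玩意儿怎么用?</a>`. The `http://uoj.ac/blog/75` link in slide_write.php has the same issue. On the unchanged context of the third hunk, `updateBlog()` and `insertBlog()` interpolate `{$id}`, `{$data['is_hidden']}` and `{$data['is_draft']}` straight into SQL while the string fields go through `DB::escape()`; presumably the editor validates these upstream, but an explicit `(int)` cast (or a prepared statement) at that point would make the contract visible in the file.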

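--- a/web/app/controllers/subdomain/blog/slide_write.php
+++ b/web/app/controllers/subdomain/blog/slide_write.php
@@ -1,6 +1,6 @@
 <?php
 requirePHPLib('form');
-
+
 if (!UOJContext::hasBlogPermission()) {
 become403Page();
 }
@@ -11,7 +11,7 @@
 } else {
 $blog = DB::selectFirst("select * from blogs where poster = '".UOJContext::user()['username']."' and type = 'S' and is_draft = true");
 }
-
+
 $blog_editor = new UOJBlogEditor();
 $blog_editor->type = 'slide';
 $blog_editor->name = 'blog';
@@ -37,14 +37,14 @@
 } else {
 $blog_editor->blog_url = null;
 }
-
+
 function updateBlog($id, $data) {
 DB::update("update blogs set title = '".DB::escape($data['title'])."', content = '".DB::escape($data['content'])."', content_md = '".DB::escape($data['content_md'])."', is_hidden = {$data['is_hidden']} where id = {$id}");
 }
 function insertSlide($data) {
 DB::insert("insert into blogs (type, title, content, content_md, poster, is_hidden, is_draft, post_time) values ('S', '".DB::escape($data['title'])."', '".DB::escape($data['content'])."', '".DB::escape($data['content_md'])."', '".Auth::id()."', {$data['is_hidden']}, {$data['is_draft']}, now())");
 }
-
+
 $blog_editor->save = function($data) {
 global $blog;
 $ret = array();
@@ -74,12 +74,12 @@ function insertSlide($data) {
 }
 return $ret;
 };
-
+
 $blog_editor->runAtServer();
 ?>
 <?php echoUOJPageHeader('写幻灯片') ?>
 <div class="text-right">
-<a href="http://uoj.ac/blog/75">这玩意儿怎么用?</a>
+<a href="http://uoj.ac/blog/75" target="_blank" rel="noopener noreferrer">这玩意儿怎么用?</a>
 </div>
 <?php $blog_editor->printHTML() ?>
 <?php echoUOJPageFooter() ?>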

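--- a/web/app/views/page-header.php
+++ b/web/app/views/page-header.php
@@ -2,7 +2,7 @@
 $new_user_msg_num = DB::selectCount("select count(*) from user_msg where receiver = '".Auth::id()."' and read_time is null");
 $new_system_msg_num = DB::selectCount("select count(*) from user_system_msg where receiver = '".Auth::id()."' and read_time is null");
 $new_msg_tot = $new_user_msg_num + $new_system_msg_num;
-
+
 if ($new_user_msg_num == 0) {
 $new_user_msg_num_html = '';
 } else {
@@ -18,7 +18,7 @@
 } else {
 $new_msg_tot_html = '<sup><span class="badge badge-pill badge-secondary">'.$new_msg_tot.'</span></sup>';
 }
-
+
 if (!isset($PageMainTitle)) {
 $PageMainTitle = UOJConfig::$data['profile']['oj-name'];
 }
@@ -38,7 +38,7 @@
 <meta name="robots" content="noindex, nofollow" />
 <?php endif ?>
 <title><?= isset($PageTitle) ? $PageTitle : UOJConfig::$data['profile']['oj-name-short'] ?> - <?= $PageMainTitle ?></title>
-
+
 <script type="text/javascript">uojHome = '<?= HTML::url('/') ?>'</script>
 
 <!-- Bootstrap core CSS -->
@@ -48,48 +48,48 @@
 
 <!-- Custom styles for this template -->
 <?= HTML::css_link('/css/uoj-theme.css?v=2.3333') ?>
-
+
 <!-- jQuery (necessary for Bootstrap\'s JavaScript plugins) -->
 <?= HTML::js_src('/js/jquery.min.js') ?>
-
+
 <!-- jQuery autosize -->
 <?= HTML::js_src('/js/jquery.autosize.min.js') ?>
 <script type="text/javascript">
 $(document).ready(function() {
 $('textarea').autosize();
 });
 </script>
-
+
 <!-- jQuery cookie -->
 <?= HTML::js_src('/js/jquery.cookie.min.js') ?>
-
+
 <!-- jQuery modal -->
 <?= HTML::js_src('/js/jquery.modal.js') ?>
-
+
 <?php if (isset($REQUIRE_LIB['tagcanvas'])): ?>
 <!-- jQuery tag canvas -->
 <?= HTML::js_src('/js/jquery.tagcanvas.min.js') ?>
 <?php endif ?>
-
+
 <!-- Include all compiled plugins (below), or include individual files as needed -->
 <?= HTML::js_src('/js/popper.min.js?v=2019.5.31') ?>
 <?= HTML::js_src('/js/bootstrap.min.js?v=2019.5.31') ?>
-
+
 <!-- Color converter -->
 <?= HTML::js_src('/js/color-converter.min.js') ?>
-
+
 <!-- uoj -->
 <?= HTML::js_src('/js/uoj.js?v=2017.01.01') ?>
-
+
 <!-- readmore -->
 <?= HTML::js_src('/js/readmore/readmore.min.js') ?>
-
+
 <!-- LAB -->
 <?= HTML::js_src('/js/LAB.min.js') ?>
 
 <!-- favicon -->
 <link rel="shortcut icon" href="<?= HTML::url('/images/favicon.ico') ?>" />
-
+
 <?php if (isset($REQUIRE_LIB['blog-editor'])): ?>
 <!-- UOJ blog editor -->
 <?php $REQUIRE_LIB['jquery.hotkeys'] = '' ?>
@@ -110,7 +110,7 @@
 <?= HTML::js_src('/js/codemirror/mode/clike/clike.js') ?>
 <?= HTML::js_src('/js/codemirror/mode/pascal/pascal.js') ?>
 <?php endif ?>
-
+
 <?php if (isset($REQUIRE_LIB['slide-editor'])): ?>
 <!-- UOJ slide editor -->
 <?= HTML::css_link('/js/codemirror/lib/codemirror.css') ?>
@@ -120,24 +120,24 @@
 <?= HTML::js_src('/js/codemirror/addon/mode/overlay.js') ?>
 <?= HTML::js_src('/js/codemirror/addon/selection/active-line.js') ?>
 <?php endif ?>
-
+
 <?php if (isset($REQUIRE_LIB['md5'])): ?>
 <!-- MD5 -->
 <?= HTML::js_src('/js/md5.min.js') ?>
 <?php endif ?>
-
+
 <?php if (isset($REQUIRE_LIB['dialog'])): ?>
 <!-- Bootstrap dialog -->
 <?= HTML::css_link('/css/bootstrap-dialog.min.css') ?>
 <?= HTML::js_src('/js/bootstrap-dialog.min.js') ?>
 <?php endif ?>
-
+
 <?php if (isset($REQUIRE_LIB['switch'])): ?>
 <!-- Bootstrap switch -->
 <?= HTML::css_link('/css/bootstrap-switch.min.css') ?>
 <?= HTML::js_src('/js/bootstrap-switch.min.js') ?>
 <?php endif ?>
-
+
 <?php if (isset($REQUIRE_LIB['mathjax'])): ?>
 <!-- MathJax -->
 <script type="text/x-mathjax-config">
@@ -152,14 +152,14 @@
 }
 });
 </script>
-<script src="//cdn.bootcss.com/mathjax/2.7.7/MathJax.js?config=TeX-AMS_HTML"></script>
+<script src="https://cdn.jsdelivr.net/npm/mathjax@2.7.7/MathJax.js?config=TeX-AMS_HTML"></script>
 <?php endif ?>
-
+
 <?php if (isset($REQUIRE_LIB['jquery.form'])): ?>
 <!-- jquery form -->
 <?= HTML::js_src('/js/jquery.form.min.js') ?>
 <?php endif ?>
-
+
 <?php if (isset($REQUIRE_LIB['jquery.hotkeys'])): ?>
 <!-- jquery hotkeys -->
 <?= HTML::js_src('/js/jquery.hotkeys.js') ?>
@@ -174,31 +174,31 @@
 $REQUIRE_LIB['colorhelpers'] = "";
 ?>
 <?php endif ?>
-
+
 <?php if (isset($REQUIRE_LIB['colorhelpers'])): ?>
 <!-- colorhelpers -->
 <?= HTML::js_src('/js/jquery.colorhelpers.min.js') ?>
 <?php endif ?>
-
+
 <?php if (isset($REQUIRE_LIB['morris'])): ?>
 <!-- morris -->
 <?= HTML::js_src('/js/morris.min.js') ?>
 <?= HTML::css_link('/css/morris.css') ?>
 <?php $REQUIRE_LIB['raphael'] = "" ?>
 <?php endif ?>
-
+
 <?php if (isset($REQUIRE_LIB['raphael'])): ?>
 <!-- raphael -->
 <?= HTML::js_src('/js/raphael.min.js') ?>
 <?php endif ?>
-
+
 <?php if (isset($REQUIRE_LIB['hljs'])): ?>
 <!-- hljs -->
 <?= HTML::css_link('/css/highlight_github.css') ?>
 <?= HTML::js_src('/js/highlight.min.js') ?>
 <script type="text/javascript">$(document).ready(function(){hljs.highlightAll()})</script>
 <?php endif ?>
-
+
 <?php if (isset($REQUIRE_LIB['ckeditor'])): ?>
 <!-- ckeditor -->
 <?= HTML::js_src('/js/ckeditor/ckeditor.js') ?>
@@ -214,12 +214,6 @@
 <?= HTML::js_src('/js/base64.min.js') ?>
 <?php endif ?>
 
-<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
-<!--[if lt IE 9]>
-<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
-<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
-<![endif]-->
-
 <script type="text/javascript">
 before_window_unload_message = null;
 $(window).on('beforeunload', function() {
@@ -228,7 +222,7 @@
 }
 });
 </script>
-
+
 <?php if (UOJConfig::$data['switch']['web-analytics']): ?>
 <script>var _hmt = _hmt || [];(function() {var hm = document.createElement("script");hm.src = "//hm.baidu.com/hm.js?bbd5ae87bf89e087603a1988103688ff";var s = document.getElementsByTagName("script")[0];s.parentNode.insertBefore(hm, s);})();</script>
 <?php endif ?>
@@ -261,8 +255,8 @@
 <h1 class="d-none d-sm-block"><a href="<?= HTML::url('/') ?>"><img src="<?= HTML::url('/images/logo_small.png') ?>" alt="Logo" class="img-rounded" style="width:39px; height:39px;" /></a> <?= $PageMainTitle ?></h1>
 <h1 class="d-block d-sm-none"><?= $PageMainTitleOnSmall ?></h1>
 </div>
-
+
 <?php uojIncludeView($PageNav) ?>
 <?php endif ?>
-
+
 <div class="uoj-content">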
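Review bot: The new MathJax `<script>` at line 155 loads third-party code from jsDelivr without an `integrity` hash or `crossorigin="anonymous"`, so an altered CDN response would run with full page privileges on every page that sets `$REQUIRE_LIB['mathjax']`. Since the version is pinned, the tag can carry SRI: `<script src="https://cdn.jsdelivr.net/npm/mathjax@2.7.7/MathJax.js?config=TeX-AMS_HTML" integrity="sha384-<HASH_PLACEHOLDER>" crossorigin="anonymous"></script>`, with the hash computed from the exact file fetched. Bear in mind that MathJax's `?config=` loader fetches further files at runtime that SRI on this one tag does not cover, so self-hosting it under `/js/` like every other script in this header is the stronger option. The unchanged analytics loader at line 227 still builds a protocol-relative `//hm.baidu.com/hm.js` URL, which inherits the page scheme and therefore loads over cleartext whenever the page itself does; a fix for "unsafe CDN" URLs should cover it too.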

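--- a/web/app/views/slide.php
+++ b/web/app/views/slide.php
@@ -2,12 +2,12 @@
 $content_p = strpos($content, "\n");
 $slide_config = substr($content, 0, $content_p);
 $slide_content = substr($content, $content_p + 1);
-
+
 $slide_config = json_decode($slide_config, true);
 if ($slide_config === null) {
 die('error');
 }
-
+
 if (!isset($slide_config['theme'])) {
 $slide_config['theme'] = 'moon';
 }
@@ -60,9 +60,9 @@
 help: true,
 
 transition: 'slide',
-
+
 math: {
-mathjax: '//cdn.bootcss.com/mathjax/2.6.0/MathJax.js',
+mathjax: 'https://cdn.jsdelivr.net/npm/[email protected]/MathJax.js',
 config: 'TeX-AMS_HTML-full'
 },
 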
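Review bot: The new `mathjax:` URL at line 65 reads `[email protected]` on this rendered page, which looks like the forge's e-mail obfuscation rewriting `mathjax@2.6.0` rather than the committed text; worth confirming in the file itself that the path is `https://cdn.jsdelivr.net/npm/mathjax@2.6.0/MathJax.js` and that no literal `[email protected]` was committed. As with page-header.php, the CDN script is loaded with no integrity check, and because this URL is consumed by the slide framework's `math:` config block rather than a `<script>` tag, an `integrity` attribute cannot be attached here at all — self-hosting the file is the only way to remove the third-party trust. The two files also now pin different MathJax versions (2.7.7 in page-header.php, 2.6.0 here); if that split is not deliberate, aligning them leaves one dependency to audit.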