phpwind 9.x模版编辑时选择自定HTML模块，输入PHP可执行问题

前台模版编辑时，如选择自定HTML模块时，输入php，js语句时将被执行，如下图

这本来是方便二次开发使用，但管理员在授权不慎时容易给他人可趁之机写入非法php语句，就解决方法如下：

1、如你需要此功能，那么除管理员外，不要给别人赋予模版编辑权限，设置路径是：“用户组管理--管理组--管理权限--门户权限”，设成“无作权限”即可

2、如果你不需要此功能，请按如下方法修改代码：

找到src/application/design/controller/PropertyController.php

找到

public function doaddAction() {

在这个方法里找到

if ($property['limit'] > 200) $this->showError('DESIGN:maxlimit.error');

在这句上头添加一句：

isset($property['html']) && $property['html'] = $this->_getDesignService()->filterTemplate($property['html']);

完整方法如下：

public function doaddAction() {

$struct = $this->getInput('struct','post');

$pageid = $this->getInput('pageid','post');

$model = $this->getInput('model','post');

if (!$model || $pageid <1) $this->showError('operate.fail');

Wekit::load('design.PwDesignPermissions');

$permissions = $this->_getPermissionsService()->getPermissionsForPage($this->loginUser->uid, $pageid);

if ($permissions < PwDesignPermissions::IS_DESIGN ) $this->showError("DESIGN:permissions.fail");

Wind::import('SRV:design.bo.PwDesignModelBo');

$bo = new PwDesignModelBo($model);

if (!$bo->isModel()) $this->showError('operate.fail');

$name = trim($this->getInput('module_name','post'));

if (empty($name)) $this->showError('DESIGN:module.name.empty');

$cache = $this->getInput('cache','post');

$property = $this->getInput('property','post');

isset($property['html']) && $property['html'] = $this->_getDesignService()->filterTemplate($property['html']);

if ($property['limit'] > 200) $this->showError('DESIGN:maxlimit.error');

$cls = sprintf('PwDesign%sDataService', ucwords($model));

Wind::import('SRV:design.srv.model.'.$model.'.'.$cls);

$service = new $cls();

$ds = $this->_getModuleDs();

Wind::import('SRV:design.dm.PwDesignModuleDm');

$dm = new PwDesignModuleDm();

$dm->setPageId($pageid)

->setStruct($struct)

->setFlag($model)

->setName($name)

->setCache($cache)

->setModuleType(PwDesignModule::TYPE_DRAG)

->setIsused(1);

$resource = $ds->addModule($dm);

if ($resource instanceof PwError) $this->showError($resource->getError());

$dm = new PwDesignModuleDm($resource);

if (method_exists($service, 'decorateSaveProperty')) {

$property = $service->decorateSaveProperty($property, $resource);

if ($property instanceof PwError ) $this->showError($property->getError());

}

$dm->setProperty($property);

if ($property['html_tpl']) $dm->setModuleTpl($property['html_tpl']);

$r = $ds->updateModule($dm);

if ($r instanceof PwError) $this->showError($r->getError());

Wind::import('SRV:design.srv.data.PwAutoData');

$srv = new PwAutoData($resource);

$srv->addAutoData();

$this->setOutput($resource, 'data');

$this->showMessage("operate.success");

}