前台模版编辑时,如选择自定义HTML模块,输入的php、js语句将被执行,如下图
这本来是为了方便二次开发,但管理员授权不慎时容易给他人可乘之机写入非法php语句。解决方法如下:
1、如你需要此功能,那么除管理员外,不要给别人赋予模版编辑权限。设置路径是:“用户组管理--管理组--管理权限--门户权限”,设成“无操作权限”即可
2、如果你不需要此功能,请按如下方法修改代码:
找到src/application/design/controller/PropertyController.php
找到
public function doaddAction() {
在这个方法里找到
if ($property['limit'] > 200) $this->showError('DESIGN:maxlimit.error');
在这句上方添加一句:
isset($property['html']) && $property['html'] = $this->_getDesignService()->filterTemplate($property['html']);
完整方法如下:
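/**
 * POST handler that creates a new drag-and-drop module on a portal page.
 *
 * Reads struct / pageid / model / module_name / cache / property from POST,
 * checks that the current user holds design rights on the page, inserts the
 * module row, then stores the (decorated) property set and optional template.
 *
 * Security note: property[html] is run through filterTemplate() before it is
 * persisted, so that PHP/JS placed in a custom-HTML module is stripped rather
 * than saved and later executed — this is the mitigation this listing exists for.
 *
 * Every validation failure is reported through $this->showError(); the
 * straight-line flow below assumes showError() does not return — TODO confirm.
 */
public function doaddAction() {
    $struct = $this->getInput('struct', 'post');
    $pageid = $this->getInput('pageid', 'post');
    $model = $this->getInput('model', 'post');
    if (!$model || $pageid < 1) $this->showError('operate.fail');

    // The caller must hold at least design rights on this page.
    Wekit::load('design.PwDesignPermissions');
    $permissions = $this->_getPermissionsService()->getPermissionsForPage($this->loginUser->uid, $pageid);
    if ($permissions < PwDesignPermissions::IS_DESIGN) $this->showError("DESIGN:permissions.fail");

    // $model comes from POST; isModel() is what keeps the class import below
    // from resolving an arbitrary name — TODO confirm isModel() whitelists.
    Wind::import('SRV:design.bo.PwDesignModelBo');
    $bo = new PwDesignModelBo($model);
    if (!$bo->isModel()) $this->showError('operate.fail');

    $name = trim($this->getInput('module_name', 'post'));
    if (empty($name)) $this->showError('DESIGN:module.name.empty');

    $cache = $this->getInput('cache', 'post');
    $property = $this->getInput('property', 'post');
    // Strip executable PHP/JS from user-supplied custom HTML before anything is stored.
    if (isset($property['html'])) {
        $property['html'] = $this->_getDesignService()->filterTemplate($property['html']);
    }
    // 'limit' is optional in the payload; guard the read to avoid an undefined-index notice.
    if (isset($property['limit']) && $property['limit'] > 200) $this->showError('DESIGN:maxlimit.error');

    // Model-specific data service, e.g. PwDesignFooDataService for model "foo".
    $cls = sprintf('PwDesign%sDataService', ucwords($model));
    Wind::import('SRV:design.srv.model.' . $model . '.' . $cls);
    $service = new $cls();

    $ds = $this->_getModuleDs();
    Wind::import('SRV:design.dm.PwDesignModuleDm');
    $dm = new PwDesignModuleDm();
    $dm->setPageId($pageid)
        ->setStruct($struct)
        ->setFlag($model)
        ->setName($name)
        ->setCache($cache)
        ->setModuleType(PwDesignModule::TYPE_DRAG)
        ->setIsused(1);
    $resource = $ds->addModule($dm);
    if ($resource instanceof PwError) $this->showError($resource->getError());

    // Second pass: attach property/template to the module just created
    // ($resource is presumably its id — verify against addModule()).
    $dm = new PwDesignModuleDm($resource);
    if (method_exists($service, 'decorateSaveProperty')) {
        $property = $service->decorateSaveProperty($property, $resource);
        if ($property instanceof PwError) $this->showError($property->getError());
    }
    $dm->setProperty($property);
    // NOTE(review): html_tpl is stored as-is; confirm decorateSaveProperty()
    // derives it from the already-filtered html rather than from raw input.
    if (!empty($property['html_tpl'])) $dm->setModuleTpl($property['html_tpl']);
    $r = $ds->updateModule($dm);
    if ($r instanceof PwError) $this->showError($r->getError());

    Wind::import('SRV:design.srv.data.PwAutoData');
    $srv = new PwAutoData($resource);
    $srv->addAutoData();

    $this->setOutput($resource, 'data');
    $this->showMessage("operate.success");
}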