4.46 release

app/function/common.function.php

@@ -118,6 +118,9 @@ function mtime(){
 }
 /**
  * 过滤HTML
+ * 
+ * eg: </script><script>alert(1234)</script>
+ * 允许url中字符;
  */
 function clear_html($html, $br = true){
 	$html = $html === null ? "" : $html;
@@ -125,6 +128,12 @@ function clear_html($html, $br = true){
 	$replaceTo = array('&lt;','&gt;','&quot;','&#39;');
 	return str_replace($replace,$replaceTo,$html);
 }
+function clear_quote($html){
+	$html = $html === null ? "" : $html;
+	$replace = array('"',"'",'</script');
+	$replaceTo = array('\\"',"\\'","<\/script");	
+	return str_ireplace($replace,$replaceTo,$html);
+}
 
 /**
  * 过滤js、css等 

plugins/webodf/php/template.php

@@ -24,7 +24,7 @@
 	<div id="odf"></div>
 	<script src="<?php echo $this->pluginHost;?>static/webodf.js" type="text/javascript" charset="utf-8"></script>
 	<script type="text/javascript">
-    	var fileURL = "<?php echo clear_html($fileUrl);?>";
+    	var fileURL = "<?php echo clear_quote($fileUrl);?>";
 		var odfelement = document.getElementById("odf"),
 		odfcanvas = new odf.OdfCanvas(odfelement);
 		odfcanvas.load(fileURL);

plugins/yzOffice/php/template.php

@@ -82,7 +82,7 @@
 			"yzOffice.Main.convert":"<?php echo LNG('yzOffice.Main.convert');?>",
 			"yzOffice.Main.transferAgain":"<?php echo LNG('yzOffice.Main.transferAgain');?>"
 		};
-		var path     = '<?php echo clear_html($this->in["path"]);?>';
+		var path     = '<?php echo clear_quote($this->in["path"]);?>';
 		var apiBase  = "<?php echo $this->pluginApi;?>";//不能含有index.php
 		var selfHost = '<?php echo $this->pluginHost;?>';
 		var cacheFile= '<?php echo $config["cacheFile"];?>';

static/style/skin/base/app_editor.css

@@ -1,5 +1,5 @@
-/* power by kodexplorer ver 4.46(2021-07-12) [build 1626109844.1487] */
+/* power by kodexplorer ver 4.46(2021-07-13) [build 1626179567.8539] */
 @import url('./fileIcon.css');
 @import url('./common.css');
 .frame-main{position:absolute;top:40px;width:100%;bottom:0px;}.frame-main .tools-left{background:#f8f8f8 url("../../../images/common/bg.gif") 0 0px;position:fixed;line-height:30px;padding-left:20px;height:28px;border-bottom:1px solid #ddd;left:0;width:100%;}.frame-main .tools-left a{font-size:1.25em;font-weight:800;text-decoration:none;color:#999;text-shadow:0 0 3px;display:inline-block;padding:2px 6px;margin-top:0;height:20px;line-height:20px;}.frame-main .tools-left a:hover{background:url("../../../images/common/buttons_40.png") 0 0px repeat-x;-webkit-box-shadow:0 2px 8px rgba(0,0,0,0.8);-moz-box-shadow:0 2px 8px rgba(0,0,0,0.8);box-shadow:0 2px 8px rgba(0,0,0,0.8);-webkit-border-radius:3px;-moz-border-radius:3px;border-radius:3px;}.frame-main .frame-left{position:absolute;left:0;top:30px;bottom:0;width:200px;background:#fff;background-attachment:fixed;overflow:auto;}.frame-main .frame-left .ztree{margin-top:0;}.frame-main .frame-left .ztree li.level0{margin-bottom:5px;}.frame-main .frame-resize{width:10px;cursor:col-resize;z-index:100;position:absolute;left:195px;top:0;bottom:0;overflow:hidden;background:url("../../../images/common/resize.png") 0px 50% no-repeat;}.frame-main .frame-resize.active{background:#000;opacity:0.2;filter:alpha(opacity=20);}.frame-main .frame-right{left:200px;right:0;position:absolute;top:0;bottom:0;overflow:auto;}.frame-main .frame-right .frame-right-main .resize-mask{z-index:999;position:absolute;left:0;top:0;bottom:0;right:0;display:none;}.frame-main .frame-right .frame-right-main .frame{height:100%;border-left:1px solid #ddd;overflow:hidden;}
-/* ver 4.46(2021-07-12) [build 1626109844.1487] */
+/* ver 4.46(2021-07-13) [build 1626179567.8539] */