fix: potential XSS vulnerability in jQuery

Seaton Jiang 2023-04-04 20:06:00 +08:00
parent bd12b16648
commit a307af4add
No known key found for this signature in database
GPG Key ID: B79682F6FE8D30E3
4 changed files with 90 additions and 92 deletions



@ -2,7 +2,7 @@
* Kratos * Kratos
* Seaton Jiang <hi@seatonjiang.com> * Seaton Jiang <hi@seatonjiang.com>
*/ */
(function () { (function ($) {
"use strict"; "use strict";
var KRATOS_VERSION = "4.2.0"; var KRATOS_VERSION = "4.2.0";
@ -136,7 +136,7 @@
}; };
var accordionConfig = function () { var accordionConfig = function () {
$(document).on("click", ".acheader", function (event) { $(".acheader").on("click", function (event) {
var $this = $(this); var $this = $(this);
$this.closest(".accordion").find(".contents").slideToggle(300); $this.closest(".accordion").find(".contents").slideToggle(300);
if ($this.closest(".accordion").hasClass("active")) { if ($this.closest(".accordion").hasClass("active")) {
@ -178,7 +178,7 @@
consoleConfig(); consoleConfig();
lightGalleryConfig(); lightGalleryConfig();
}); });
})(); })(jQuery);
function grin(tag) { function grin(tag) {
var myField; var myField;
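Review bot: Replacing `$(document).on("click", ".acheader", …)` with `$(".acheader").on("click", …)` in accordionConfig drops event delegation, so any `.acheader` element inserted after accordionConfig() has run (content loaded later by script, if the theme does that) no longer toggles; this is not required by the jQuery change and is not mentioned in the commit. If every accordion is server-rendered the change is harmless, otherwise keep the delegated form `$(document).on("click", ".acheader", function (event) {` which works just as well with the injected `$`. The new IIFE header `(function ($) {` … `})(jQuery);` has no comment saying why `$` is now passed in; a one-liner such as `// $ is injected so the module works with the noConflict jQuery WordPress registers` would document it. accordionConfig's body continues outside the hunk.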


@ -4,7 +4,7 @@
* 文章相关函数 * 文章相关函数
* @author Seaton Jiang <hi@seatonjiang.com> * @author Seaton Jiang <hi@seatonjiang.com>
* @license GPL-3.0 License * @license GPL-3.0 License
* @version 2022.11.27 * @version 2023.04.04
*/ */
// 文章链接添加 target 和 rel // 文章链接添加 target 和 rel
@ -211,7 +211,7 @@ function pagelist($range = 5)
// 文章评论 // 文章评论
function comment_scripts() function comment_scripts()
{ {
wp_enqueue_script('comment', ASSET_PATH . '/assets/js/comments.min.js', array(), THEME_VERSION); wp_enqueue_script('comment', ASSET_PATH . '/assets/js/comments.min.js', array('jquery'), THEME_VERSION);
wp_localize_script('comment', 'ajaxcomment', array( wp_localize_script('comment', 'ajaxcomment', array(
'ajax_url' => admin_url('admin-ajax.php'), 'ajax_url' => admin_url('admin-ajax.php'),
'order' => get_option('comment_order'), 'order' => get_option('comment_order'),
@ -229,54 +229,55 @@ function comment_err($a)
exit; exit;
} }
if (!function_exists('comment_callback')): if (!function_exists('comment_callback')) :
function comment_callback() function comment_callback()
{ {
$comment = wp_handle_comment_submission(wp_unslash($_POST)); $comment = wp_handle_comment_submission(wp_unslash($_POST));
$commenter = wp_get_current_commenter(); $commenter = wp_get_current_commenter();
if (is_wp_error($comment)) { if (is_wp_error($comment)) {
$data = $comment->get_error_data(); $data = $comment->get_error_data();
if (!empty($data)) { if (!empty($data)) {
comment_err($comment->get_error_message()); comment_err($comment->get_error_message());
} else { } else {
exit; exit;
}
}
$user = wp_get_current_user();
do_action('set_comment_cookies', $comment, $user);
$GLOBALS['comment'] = $comment;
if ($commenter['comment_author_email']) {
$moderation_note = __('Your comment is awaiting moderation.');
} else {
$moderation_note = __('Your comment is awaiting moderation. This is a preview; your comment will be visible after it has been approved.');
} }
}
$user = wp_get_current_user();
do_action('set_comment_cookies', $comment, $user);
$GLOBALS['comment'] = $comment;
if ($commenter['comment_author_email']) {
$moderation_note = __('Your comment is awaiting moderation.');
} else {
$moderation_note = __('Your comment is awaiting moderation. This is a preview; your comment will be visible after it has been approved.');
}
?> ?>
<li class="comment cleanfix" id="comment-<?php echo esc_attr(comment_ID()); ?>"> <li class="comment cleanfix" id="comment-<?php echo esc_attr(comment_ID()); ?>">
<div class="avatar float-left d-inline-block mr-2"> <div class="avatar float-left d-inline-block mr-2">
<?php if (function_exists('get_avatar') && get_option('show_avatars')) { <?php if (function_exists('get_avatar') && get_option('show_avatars')) {
echo get_avatar($comment, 50); echo get_avatar($comment, 50);
} ?> } ?>
</div>
<div class="info clearfix">
<cite class="author_name"><?php echo get_comment_author_link(); ?></cite>
<?php if ('0' == $comment->comment_approved) : ?>
<em class="comment-awaiting-moderation"><?php echo $moderation_note; ?></em>
<?php endif; ?>
<div class="content pb-2">
<?php comment_text(); ?>
</div> </div>
<div class="meta clearfix"> <div class="info clearfix">
<div class="date d-inline-block float-left"><?php echo get_comment_date(); ?><?php if (current_user_can('edit_posts')) { <cite class="author_name"><?php echo get_comment_author_link(); ?></cite>
echo '<span class="ml-2">'; <?php if ('0' == $comment->comment_approved) : ?>
edit_comment_link(__('编辑', 'kratos')); <em class="comment-awaiting-moderation"><?php echo $moderation_note; ?></em>
echo '</span>'; <?php endif; ?>
}; ?> <div class="content pb-2">
<?php comment_text(); ?>
</div>
<div class="meta clearfix">
<div class="date d-inline-block float-left"><?php echo get_comment_date(); ?>
<?php if (current_user_can('edit_posts')) {
echo '<span class="ml-2">';
edit_comment_link(__('编辑', 'kratos'));
echo '</span>';
}; ?>
</div>
</div> </div>
</div> </div>
</div> </li>
</li> <?php die();
<?php die(); }
}
endif; endif;
add_action('wp_ajax_nopriv_ajax_comment', 'comment_callback'); add_action('wp_ajax_nopriv_ajax_comment', 'comment_callback');
@ -296,47 +297,48 @@ function comment_display($comment_to_display)
return $comment_to_display; return $comment_to_display;
} }
add_filter('comment_text', 'comment_display', '', 1); add_filter('comment_text', 'comment_display', '', 1);
if(!function_exists('comment_callbacks')): if (!function_exists('comment_callbacks')) :
function comment_callbacks($comment, $args, $depth = 2) function comment_callbacks($comment, $args, $depth = 2)
{ {
$commenter = wp_get_current_commenter(); $commenter = wp_get_current_commenter();
if ($commenter['comment_author_email']) { if ($commenter['comment_author_email']) {
$moderation_note = __('Your comment is awaiting moderation.'); $moderation_note = __('Your comment is awaiting moderation.');
} else { } else {
$moderation_note = __('Your comment is awaiting moderation. This is a preview; your comment will be visible after it has been approved.'); $moderation_note = __('Your comment is awaiting moderation. This is a preview; your comment will be visible after it has been approved.');
} }
$GLOBALS['comment'] = $comment; ?> $GLOBALS['comment'] = $comment; ?>
<li class="comment cleanfix" id="comment-<?php echo esc_attr(comment_ID()); ?>"> <li class="comment cleanfix" id="comment-<?php echo esc_attr(comment_ID()); ?>">
<div class="avatar float-left d-inline-block mr-2"> <div class="avatar float-left d-inline-block mr-2">
<?php if (function_exists('get_avatar') && get_option('show_avatars')) { <?php if (function_exists('get_avatar') && get_option('show_avatars')) {
echo get_avatar($comment, 50); echo get_avatar($comment, 50);
} ?> } ?>
</div>
<div class="info clearfix">
<cite class="author_name"><?php echo get_comment_author_link(); ?></cite>
<?php if ('0' == $comment->comment_approved) : ?>
<em class="comment-awaiting-moderation"><?php echo $moderation_note; ?></em>
<?php endif; ?>
<div class="content pb-2">
<?php comment_text(); ?>
</div> </div>
<div class="meta clearfix"> <div class="info clearfix">
<div class="date d-inline-block float-left"><?php echo get_comment_date(); ?><?php if (current_user_can('edit_posts')) { <cite class="author_name"><?php echo get_comment_author_link(); ?></cite>
echo '<span class="ml-2">'; <?php if ('0' == $comment->comment_approved) : ?>
edit_comment_link(__('编辑', 'kratos')); <em class="comment-awaiting-moderation"><?php echo $moderation_note; ?></em>
echo '</span>'; <?php endif; ?>
}; ?> <div class="content pb-2">
<?php comment_text(); ?>
</div> </div>
<div class="tool reply ml-2 d-inline-block float-right"> <div class="meta clearfix">
<?php <div class="date d-inline-block float-left"><?php echo get_comment_date(); ?>
$defaults = array('add_below' => 'comment', 'respond_id' => 'respond', 'reply_text' => '<i class="kicon i-reply"></i><span class="ml-1">' . __('回复', 'kratos') . '</span>'); <?php if (current_user_can('edit_posts')) {
comment_reply_link(array_merge($defaults, array('depth' => $depth, 'max_depth' => $args['max_depth']))); echo '<span class="ml-2">';
?> edit_comment_link(__('编辑', 'kratos'));
echo '</span>';
}; ?>
</div>
<div class="tool reply ml-2 d-inline-block float-right">
<?php
$defaults = array('add_below' => 'comment', 'respond_id' => 'respond', 'reply_text' => '<i class="kicon i-reply"></i><span class="ml-1">' . __('回复', 'kratos') . '</span>');
comment_reply_link(array_merge($defaults, array('depth' => $depth, 'max_depth' => $args['max_depth'])));
?>
</div>
</div> </div>
</div> </div>
</div>
<?php <?php
} }
endif; endif;
// 文章评论表情 // 文章评论表情
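Review bot: In both comment_callback (the -229 hunk) and comment_callbacks (the -296 hunk) the moderation notice is still written with `<?php echo $moderation_note; ?>`, i.e. unescaped output of a `__()` string; since translation files are loadable data rather than code, the WordPress convention is to escape at the point of output, `<?php echo esc_html($moderation_note); ?>`, which fits the stated purpose of this commit better than the re-indentation these two hunks otherwise consist of. The only functional change in this file appears to be `array('jquery')` in comment_scripts, which is correct now that comments.min.js relies on the core-registered jQuery. I can only see `add_action('wp_ajax_nopriv_ajax_comment', …)` in the hunk; if the logged-in `wp_ajax_ajax_comment` hook is registered elsewhere that is fine, otherwise authenticated commenters never reach comment_callback.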


@ -4,7 +4,7 @@
* 核心函数 * 核心函数
* @author Seaton Jiang <hi@seatonjiang.com> * @author Seaton Jiang <hi@seatonjiang.com>
* @license GPL-3.0 License * @license GPL-3.0 License
* @version 2023.03.30 * @version 2023.04.04
*/ */
// CDN 资源地址 // CDN 资源地址
@ -94,12 +94,10 @@ function theme_autoload()
}'); }');
} }
// js // js
wp_deregister_script('jquery'); wp_enqueue_script('bootstrap-bundle', ASSET_PATH . '/assets/js/bootstrap.bundle.min.js', array('jquery'), '4.5.0', true);
wp_enqueue_script('jquery', ASSET_PATH . '/assets/js/jquery.min.js', array(), '3.4.1', false); wp_enqueue_script('layer', ASSET_PATH . '/assets/js/layer.min.js', array('jquery'), '3.1.1', true);
wp_enqueue_script('bootstrap-bundle', ASSET_PATH . '/assets/js/bootstrap.bundle.min.js', array(), '4.5.0', true);
wp_enqueue_script('layer', ASSET_PATH . '/assets/js/layer.min.js', array(), '3.1.1', true);
wp_enqueue_script('dplayer', ASSET_PATH . '/assets/js/DPlayer.min.js', array(), THEME_VERSION, true); wp_enqueue_script('dplayer', ASSET_PATH . '/assets/js/DPlayer.min.js', array(), THEME_VERSION, true);
wp_enqueue_script('kratos', ASSET_PATH . '/assets/js/kratos.js', array(), THEME_VERSION, true); wp_enqueue_script('kratos', ASSET_PATH . '/assets/js/kratos.js', array('jquery'), THEME_VERSION, true);
$data = array( $data = array(
'site' => home_url(), 'site' => home_url(),
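Review bot: Dropping `wp_deregister_script('jquery')` and the bundled 3.4.1 copy leaves nothing in theme_autoload recording that the theme now deliberately relies on the jQuery registered by WordPress core, so the fix is only as current as the host's WordPress version and a future maintainer may re-bundle it; a comment at the `// js` line such as `// Use the jQuery registered by WordPress core so it is updated together with WordPress instead of a bundled copy.` would capture the intent. `dplayer` keeps `array()` while bootstrap-bundle, layer and kratos now declare `array('jquery')`; if DPlayer does not touch jQuery that is correct, but if it does it must declare the dependency too, because the explicit bundled load that used to put jQuery first is gone. theme_autoload starts before the hunk.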