p71924506
/
wblog
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

fix xss

This commit is contained in:
yafeilee 2018-03-23 14:18:45 +08:00
parent fabb1d642b
commit 7e0aba298d
2 changed files with 90 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
Gemfile.lock
View File

@ -1,6 +1,6 @@
GIT
remote: git://github.com/amatsuda/kaminari.git
revision: 8e3b9db8e8d64f76c3be7b0872ad27ae495a8e3a
revision: 62ec743dcee69e02186e5f1a309b08e59d83f647
specs:
kaminari (1.1.1)
activesupport (>= 4.1.0)
@ -27,39 +27,39 @@ GIT
GEM
remote: https://rubygems.org/
specs:
actioncable (5.1.4)
actionpack (= 5.1.4)
actioncable (5.1.5)
actionpack (= 5.1.5)
nio4r (~> 2.0)
websocket-driver (~> 0.6.1)
actionmailer (5.1.4)
actionpack (= 5.1.4)
actionview (= 5.1.4)
activejob (= 5.1.4)
actionmailer (5.1.5)
actionpack (= 5.1.5)
actionview (= 5.1.5)
activejob (= 5.1.5)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
actionpack (5.1.4)
actionview (= 5.1.4)
activesupport (= 5.1.4)
actionpack (5.1.5)
actionview (= 5.1.5)
activesupport (= 5.1.5)
rack (~> 2.0)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
actionview (5.1.4)
activesupport (= 5.1.4)
actionview (5.1.5)
activesupport (= 5.1.5)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.3)
activejob (5.1.4)
activesupport (= 5.1.4)
activejob (5.1.5)
activesupport (= 5.1.5)
globalid (>= 0.3.6)
activemodel (5.1.4)
activesupport (= 5.1.4)
activerecord (5.1.4)
activemodel (= 5.1.4)
activesupport (= 5.1.4)
activemodel (5.1.5)
activesupport (= 5.1.5)
activerecord (5.1.5)
activemodel (= 5.1.5)
activesupport (= 5.1.5)
arel (~> 8.0)
activesupport (5.1.4)
activesupport (5.1.5)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (~> 0.7)
minitest (~> 5.1)
@ -71,14 +71,14 @@ GEM
babel-transpiler (0.7.0)
babel-source (>= 4.0, < 6)
execjs (~> 2.0)
browser (2.5.2)
browser (2.5.3)
browser_warrior (0.7.0)
browser
rails (~> 5.0)
sass-rails (~> 5.0)
builder (3.2.3)
byebug (9.1.0)
capybara (2.17.0)
byebug (10.0.1)
capybara (2.18.0)
addressable
mini_mime (>= 0.1.3)
nokogiri (>= 1.3.3)
@ -107,17 +107,17 @@ GEM
docile (1.1.5)
domain_name (0.5.20170404)
unf (>= 0.0.5, < 1.0.0)
erubi (1.7.0)
erubi (1.7.1)
execjs (2.7.0)
factory_girl (4.9.0)
activesupport (>= 3.0.0)
factory_girl_rails (4.9.0)
factory_girl (~> 4.9.0)
railties (>= 3.0.0)
ffi (1.9.18)
ffi (1.9.23)
figaro (1.1.1)
thor (~> 0.14)
font-awesome-sass (4.7.0)
font-awesome-sass (5.0.6.2)
sass (>= 3.2)
formatador (0.2.5)
foundation-icons-sass-rails (3.0.0)
@ -154,7 +154,7 @@ GEM
nokogiri (~> 1.5)
http-cookie (1.0.3)
domain_name (~> 0.5)
i18n (0.9.1)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jbuilder (2.7.0)
activesupport (>= 4.2.0)
@ -170,7 +170,7 @@ GEM
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
ruby_dep (~> 1.2)
loofah (2.1.1)
loofah (2.2.2)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
lumberjack (1.0.12)
@ -195,13 +195,13 @@ GEM
mini_magick (4.8.0)
mini_mime (1.0.0)
mini_portile2 (2.3.0)
minitest (5.11.1)
minitest (5.11.3)
multi_json (1.13.1)
nenv (0.3.0)
netrc (0.11.0)
newrelic_rpm (4.7.1.340)
nio4r (2.2.0)
nokogiri (1.8.1)
newrelic_rpm (4.8.0.341)
nio4r (2.3.0)
nokogiri (1.8.2)
mini_portile2 (~> 2.3.0)
notiffany (0.1.1)
nenv (~> 0.1)
@ -211,25 +211,25 @@ GEM
pry (0.11.3)
coderay (~> 1.1.0)
method_source (~> 0.9.0)
public_suffix (3.0.1)
puma (3.11.2)
rack (2.0.3)
public_suffix (3.0.2)
puma (3.11.3)
rack (2.0.4)
rack-cors (1.0.2)
rack-protection (2.0.0)
rack-protection (2.0.1)
rack
rack-test (0.8.2)
rack-test (0.8.3)
rack (>= 1.0, < 3)
rails (5.1.4)
actioncable (= 5.1.4)
actionmailer (= 5.1.4)
actionpack (= 5.1.4)
actionview (= 5.1.4)
activejob (= 5.1.4)
activemodel (= 5.1.4)
activerecord (= 5.1.4)
activesupport (= 5.1.4)
rails (5.1.5)
actioncable (= 5.1.5)
actionmailer (= 5.1.5)
actionpack (= 5.1.5)
actionview (= 5.1.5)
activejob (= 5.1.5)
activemodel (= 5.1.5)
activerecord (= 5.1.5)
activesupport (= 5.1.5)
bundler (>= 1.3.0)
railties (= 5.1.4)
railties (= 5.1.5)
sprockets-rails (>= 2.0.0)
rails-controller-testing (1.0.2)
actionpack (~> 5.x, >= 5.0.1)
@ -238,19 +238,19 @@ GEM
rails-dom-testing (2.0.3)
activesupport (>= 4.2.0)
nokogiri (>= 1.6)
rails-html-sanitizer (1.0.3)
loofah (~> 2.0)
rails-html-sanitizer (1.0.4)
loofah (~> 2.2, >= 2.2.2)
rails-i18n (5.0.4)
i18n (~> 0.7)
railties (~> 5.0)
railties (5.1.4)
actionpack (= 5.1.4)
activesupport (= 5.1.4)
railties (5.1.5)
actionpack (= 5.1.5)
activesupport (= 5.1.5)
method_source
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
rake (12.3.0)
rb-fsevent (0.10.2)
rake (12.3.1)
rb-fsevent (0.10.3)
rb-inotify (0.9.10)
ffi (>= 0.5.0, < 2)
redcarpet (3.4.0)
@ -261,7 +261,7 @@ GEM
http-cookie (>= 1.0.2, < 2.0)
mime-types (>= 1.16, < 4.0)
netrc (~> 0.8)
rouge (3.1.0)
rouge (3.1.1)
rspec (3.7.0)
rspec-core (~> 3.7.0)
rspec-expectations (~> 3.7.0)
@ -285,7 +285,7 @@ GEM
rspec-sidekiq (3.0.3)
rspec-core (~> 3.0, >= 3.0.0)
sidekiq (>= 2.4.0)
rspec-support (3.7.0)
rspec-support (3.7.1)
ruby_dep (1.5.0)
sass (3.4.25)
sass-rails (5.0.7)
@ -295,11 +295,11 @@ GEM
sprockets-rails (>= 2.0, < 4.0)
tilt (>= 1.1, < 3)
shellany (0.0.1)
sidekiq (5.0.5)
sidekiq (5.1.1)
concurrent-ruby (~> 1.0)
connection_pool (~> 2.2, >= 2.2.0)
rack-protection (>= 1.5.0)
redis (>= 3.3.4, < 5)
redis (>= 3.3.5, < 5)
simplecov (0.13.0)
docile (~> 1.1.0)
json (>= 1.8, < 3)
@ -335,13 +335,13 @@ GEM
turbolinks (5.1.0)
turbolinks-source (~> 5.1)
turbolinks-source (5.1.0)
tzinfo (1.2.4)
tzinfo (1.2.5)
thread_safe (~> 0.1)
uglifier (4.1.3)
uglifier (4.1.8)
execjs (>= 0.3.0, < 3)
unf (0.1.4)
unf_ext
unf_ext (0.0.7.4)
unf_ext (0.0.7.5)
websocket-driver (0.6.5)
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.3)
@ -407,4 +407,4 @@ RUBY VERSION
ruby 2.3.1p112
BUNDLED WITH
1.15.4
1.16.1

56
vendor/assets/javascripts/jquery.html5-fileupload.js vendored
View File

@ -1,9 +1,9 @@
/*
* jQuery HTML5 File Upload
*
*
* Author: timdream at gmail.com
* Web: http://timc.idv.tw/html5-file-upload/
*
*
* Ajax File Upload that use real xhr,
* built with getAsBinary, sendAsBinary, FormData, FileReader, ArrayBuffer, BlobBuilder and etc.
* works in Firefox 3, Chrome 5, Safari 5 and higher
@ -45,17 +45,17 @@
* File size and type limit will be enforced.
* allowDataInBase64:
* Alternatively, you may wish to resize the image anyway and send the data
* in base64. The data will be 133% larger and you will need to process it further with
* in base64. The data will be 133% larger and you will need to process it further with
* server-side script.
* This setting might work with browsers which could read file but cannot send it in original
* binary (no known browser are designed this way though)
* forceResize:
* Set to true will cause the image being re-sampled even if the resized image
* Set to true will cause the image being re-sampled even if the resized image
* has the same demension as the original one.
* imageType:
* Acceptable values are: 'jpeg', 'png', or 'auto'.
*
* TBD:
* TBD:
* ability to change settings after binding (you can unbind and bind again as a workaround)
* multipole file handling
* form intergation
@ -64,7 +64,7 @@
(function($) {
// Don't do logging if window.log function does not exist.
var log = window.log || $.noop;
var log = window.console.log || $.noop;
// jQuery.ajax config
var config = {
@ -72,9 +72,9 @@
window.alert(textDescription);
}
};
// Feature detection
// Read as binary string: FileReader API || Gecko-specific function (Fx3)
var canReadAsBinaryString = (window.FileReader || window.File.prototype.getAsBinary);
// Read file using FormData interface
@ -85,7 +85,7 @@
var canResizeImageToBase64 = !!(document.createElement('canvas').toDataURL);
var canResizeImageToBinaryString = canResizeImageToBase64 && window.atob;
var canResizeImageToFile = !!(document.createElement('canvas').mozGetAsFile);
// Send file in multipart/form-data with binary xhr (Gecko-specific function)
// || xhr.send(blob) that sends blob made with ArrayBuffer.
var canSendBinaryString = (
@ -107,13 +107,13 @@
|| (canResizeImageToFile && canSendFormData)
)
);
var isSupportedInBase64 = canReadAsBase64;
var isSupportedInBase64 = canReadAsBase64;
var isImageSupportedInBase64 = canReadAsBase64 && canResizeImageToBase64;
var dataURLtoBase64 = function (dataurl) {
return dataurl.substring(dataurl.indexOf(',')+1, dataurl.length);
}
// Step 1: check file info and attempt to read the file
// paramaters: Ajax settings, File object
var handleFile = function (settings, file) {
@ -130,7 +130,7 @@
log('WARN: Fall back to upload original un-resized image.');
settings.resizeImage = false;
}
if (settings.resizeImage) {
settings.imageMaxWidth = settings.imageMaxWidth || Infinity;
settings.imageMaxHeight = settings.imageMaxHeight || Infinity;
@ -145,7 +145,7 @@
return;
}
}
if (settings.fileMaxSize && file.size > settings.fileMaxSize) {
log('ERROR: File exceeds size limit.');
settings.fileError.call(this, info, 'FILE_EXCEEDS_SIZE_LIMIT', 'File exceeds size limit.');
@ -288,7 +288,7 @@
img.width,
img.height,
0,
0,
0,
d.w,
d.h
);
@ -296,12 +296,12 @@
if (info.type === 'image/jpeg') settings.imageType = 'jpeg';
else settings.imageType = 'png';
}
var ninfo = {
type: 'image/' + settings.imageType,
name: info.name.substr(0, info.name.indexOf('.')) + '.resized.' + settings.imageType
};
if (canResizeImageToFile && canSendFormData) {
// Gecko 2 (Fx4) non-standard function
var nfile = canvas.mozGetAsFile(
@ -360,7 +360,7 @@
//settings.data = formdata;
} else if (canSendBinaryString && type === 'bin') {
log('INFO: Concat our own multipart/form-data data string.');
// A placeholder MIME type
if (!info.type) info.type = 'application/octet-stream';
@ -368,10 +368,10 @@
log('INFO: Filename contains non-ASCII code, do UTF8-binary string conversion.');
info.name_bin = unescape(encodeURIComponent(info.name));
}
//filtered out non-ASCII chars in filenames
// info.name = info.name.replace(/[^\x20-\x7E]/g, '_');
// multipart/form-data boundary
var bd = 'xhrupload-' + parseInt(Math.random()*(2 << 16));
settings.contentType = 'multipart/form-data; boundary=' + bd;
@ -381,7 +381,7 @@
+ 'Content-Type: ' + info.type + '\n\n'
+ data + '\n\n'
+ '--' + bd + '--';
if (window.XMLHttpRequest.prototype.sendAsBinary) {
// Use xhr.sendAsBinary that takes binary string
log('INFO: Pass binary string to xhr.');
@ -400,7 +400,7 @@
var bb = new BlobBuilder();
bb.append(buf);
var blob = bb.getBlob();
settings.processData = false;
settings.__beforeSend = settings.beforeSend;
settings.beforeSend = function (xhr, s) {
@ -408,10 +408,10 @@
if (s.__beforeSend) return s.__beforeSend.call(this, xhr, s);
};
}
} else if (settings.allowDataInBase64 && type === 'base64') {
log('INFO: Concat our own multipart/form-data data string; send the file in base64 because binary xhr is not supported.');
// A placeholder MIME type
if (!info.type) info.type = 'application/octet-stream';
@ -446,7 +446,7 @@
}
$.ajax(settings);
};
$.fn.fileUpload = function(settings) {
this.each(function(i, el) {
if ($(el).is('input[type=file]')) {
@ -461,7 +461,7 @@
log('WARN: Multiple file upload not implemented yet, only first file will be uploaded.');
}
handleFile($.extend({}, config, settings), this.files[0]);
if (this.form.length === 1) {
this.form.reset();
} else {
@ -471,7 +471,7 @@
}
);
}
if ($(el).is('form')) {
log('ERROR: <form> not implemented yet.');
} else {
@ -504,10 +504,10 @@
return this;
};
$.fileUploadSupported = isSupported;
$.imageUploadSupported = isImageSupported;
$.fileUploadAsBase64Supported = isSupportedInBase64;
$.imageUploadAsBase64Supported = isImageSupportedInBase64;
})(jQuery);