diff --git a/Resource/Js/Admin.js b/Resource/Js/Admin.js index 2940177..4be6352 100644 --- a/Resource/Js/Admin.js +++ b/Resource/Js/Admin.js @@ -15,7 +15,10 @@ function getRootPath() { //判断url是否在iframe打开 if (window.frames.length == parent.frames.length) { //alert('不在iframe中' + window.document.location.href); - window.location.replace(getRootPath() + '/Views/Default?url=' + encodeURIComponent(window.document.location.href)); + var currentUrl = window.document.location.href; + if (currentUrl.startsWith(getRootPath())) { + window.location.replace(getRootPath() + '/Views/Default?url=' + encodeURIComponent(currentUrl)); + } //window.location.replace(getRootPath() + '/Views/Default?url=' + window.document.location.href); } diff --git a/Resource/fullcalendar/examples/google-calendar.html b/Resource/fullcalendar/examples/google-calendar.html index b6a686a..5e77f3b 100644 --- a/Resource/fullcalendar/examples/google-calendar.html +++ b/Resource/fullcalendar/examples/google-calendar.html @@ -22,7 +22,7 @@ // THIS KEY WON'T WORK IN PRODUCTION!!! // To make your own Google API key, follow the directions here: // http://fullcalendar.io/docs/google_calendar/ - googleCalendarApiKey: 'AIzaSyDcnW6WejpTOCffshGDDb4neIrXVUA1EAE', + googleCalendarApiKey: process.env.GOOGLE_CALENDAR_API_KEY || '', // US Holidays events: 'en.usa#holiday@group.v.calendar.google.com', diff --git a/Scripts/WebForms/SmartNav.js b/Scripts/WebForms/SmartNav.js index 23b6487..5e87f4e 100644 --- a/Scripts/WebForms/SmartNav.js +++ b/Scripts/WebForms/SmartNav.js @@ -31,7 +31,9 @@ if ((typeof(window.__smartNav) == "undefined") || (window.__smartNav == null)) var fdurlb = fdurl.split("?")[0]; if (document.location.href.indexOf(fdurlb) < 0) { - document.location.href=fdurl; + // Sanitize the URL before redirecting + var sanitizedUrl = new URL(fdurl, window.location.origin).href; + document.location.href = sanitizedUrl; return; } sn._savedOnLoad = window.onload; diff --git a/Views/Default.aspx b/Views/Default.aspx index a624f6f..8e9b49e 100644 --- a/Views/Default.aspx +++ b/Views/Default.aspx @@ -73,7 +73,7 @@ <%----%> - <%= Notice %> + <%= HttpUtility.HtmlEncode(Notice) %>
  • @@ -172,4 +172,4 @@ - + \ No newline at end of file diff --git a/Views/Default.aspx.cs b/Views/Default.aspx.cs index d2d2221..7d438db 100644 --- a/Views/Default.aspx.cs +++ b/Views/Default.aspx.cs @@ -55,8 +55,10 @@ protected void Page_Load(object sender, EventArgs e) } //在线状态 - string _sql2 = "select * from UserState where Invalid=0 and Del=0 and UID=" + UID; - DataTable _dt2 = MsSQLDbHelper.Query(_sql2).Tables[0]; + string _sql2 = "select * from UserState where Invalid=0 and Del=0 and UID=@UID"; + SqlParameter[] _sp2 = { new SqlParameter("@UID", SqlDbType.Int) }; + _sp2[0].Value = UID.toInt(); + DataTable _dt2 = MsSQLDbHelper.Query(_sql2, _sp2).Tables[0]; if (_dt2 != null && _dt2.Rows.Count > 0) { diff --git a/Views/Forms/Forms.aspx.cs b/Views/Forms/Forms.aspx.cs index 0fabfab..77042b5 100644 --- a/Views/Forms/Forms.aspx.cs +++ b/Views/Forms/Forms.aspx.cs @@ -20,7 +20,7 @@ protected void Page_Load(object sender, EventArgs e) string ShortTableName = MicroPublic.GetFriendlyUrlParm(1); string ModuleID = MicroPublic.GetFriendlyUrlParm(2); txtMID.Value = ModuleID; - divScript.InnerHtml = MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID); + divScript.InnerHtml = HttpUtility.HtmlEncode(MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID)); //检查是否已经登录和页面唯一识别是否一致(ShortTableName) MicroAuth.CheckAuth(ModuleID, ShortTableName); diff --git a/Views/Forms/HR/Js/LeaveForm.js b/Views/Forms/HR/Js/LeaveForm.js index 818c800..39ea3ce 100644 --- a/Views/Forms/HR/Js/LeaveForm.js +++ b/Views/Forms/HR/Js/LeaveForm.js @@ -309,7 +309,7 @@ var parms = { "Val": uid, "TypeID": holidayTypeID, "Date": encodeURI(overtimeDate), "TypeName": holidayTypeName }; $.getJSON('/Views/Forms/HR/GetLeaveTips.ashx', parms, function (data) { - $('#divShowLeave').html(data.Tips); + $('#divShowLeave').html(escapeHtml(data.Tips)); // Escape HTML special characters $('#hidAvailableNumber').val(data.Days); leaveDays = $('#selLeaveDays').val(); @@ -497,4 +497,14 @@ }); + // Function to escape HTML special characters + function escapeHtml(unsafe) { + return unsafe + .replace(/&/g, "&") + .replace(//g, ">") + .replace(/"/g, """) + .replace(/'/g, "'"); + } + }); \ No newline at end of file diff --git a/Views/Forms/HR/OnDutyFormList.aspx.cs b/Views/Forms/HR/OnDutyFormList.aspx.cs index c1c8fa7..208cde8 100644 --- a/Views/Forms/HR/OnDutyFormList.aspx.cs +++ b/Views/Forms/HR/OnDutyFormList.aspx.cs @@ -39,7 +39,7 @@ protected void Page_Load(object sender, EventArgs e) var getFormAttr = MicroForm.GetFormAttr(ShortTableName, FormID); - spanTitle.InnerHtml = getFormAttr.FormName + getFormAttr.Description; //表单名称和描述 + spanTitle.InnerHtml = HttpUtility.HtmlEncode(getFormAttr.FormName + getFormAttr.Description); //表单名称和描述 spanWorkFlow.Visible = MicroAuth.CheckPermit(ModuleID, "3"); //是否显示修改流程 string Note = getFormAttr.Note; if (!string.IsNullOrEmpty(Note)) diff --git a/Views/Forms/HR/OvertimeFormList.aspx.cs b/Views/Forms/HR/OvertimeFormList.aspx.cs index 44cb055..3a3cc95 100644 --- a/Views/Forms/HR/OvertimeFormList.aspx.cs +++ b/Views/Forms/HR/OvertimeFormList.aspx.cs @@ -41,13 +41,13 @@ protected void Page_Load(object sender, EventArgs e) var getFormAttr = MicroForm.GetFormAttr(ShortTableName, FormID); - spanTitle.InnerHtml = getFormAttr.FormName + getFormAttr.Description; //表单名称和描述 + spanTitle.InnerHtml = HttpUtility.HtmlEncode(getFormAttr.FormName + getFormAttr.Description); //表单名称和描述 spanWorkFlow.Visible = MicroAuth.CheckPermit(ModuleID, "3"); //是否显示修改流程 string Note = getFormAttr.Note; if (!string.IsNullOrEmpty(Note)) { divNote.Visible = true; - spanNote.InnerHtml = Note; + spanNote.InnerHtml = HttpUtility.HtmlEncode(Note); } string FormsID = MicroPublic.GetFriendlyUrlParm(4); @@ -152,9 +152,13 @@ protected void Page_Load(object sender, EventArgs e) //判断草稿箱是否有记录,若有记录要先处理掉才能进行新增操作 string UID = MicroUserHelper.MicroUserInfo.GetUserInfo("UID"); - string _sql = "select * from HROvertime where Invalid=0 and Del=0 and StateCode>=-4 and StateCode<=-1 and UID=" + UID.toInt() + " and OvertimeTypeID=(select OvertimeTypeID from HROvertimeType where Invalid=0 and Del=0 and FormID=@FormID)"; - SqlParameter[] _sp = { new SqlParameter("@FormID", SqlDbType.Int) }; + string _sql = "select * from HROvertime where Invalid=0 and Del=0 and StateCode>=-4 and StateCode<=-1 and UID=@UID and OvertimeTypeID=(select OvertimeTypeID from HROvertimeType where Invalid=0 and Del=0 and FormID=@FormID)"; + SqlParameter[] _sp = { + new SqlParameter("@FormID", SqlDbType.Int), + new SqlParameter("@UID", SqlDbType.Int) + }; _sp[0].Value = FormID.toInt(); + _sp[1].Value = UID.toInt(); DataTable _dt = MsSQLDbHelper.Query(_sql, _sp).Tables[0]; diff --git a/Views/Forms/MicroFormList.aspx.cs b/Views/Forms/MicroFormList.aspx.cs index c9a6531..d3a78ee 100644 --- a/Views/Forms/MicroFormList.aspx.cs +++ b/Views/Forms/MicroFormList.aspx.cs @@ -106,7 +106,7 @@ protected void Page_Load(object sender, EventArgs e) if (_dt != null && _dt.Rows.Count > 0) { - string QueryBaseDescription = _dt.Rows[0]["QueryBaseDescription"].toStringTrim(); + string QueryBaseDescription = HttpUtility.HtmlEncode(_dt.Rows[0]["QueryBaseDescription"].toStringTrim()); if (!string.IsNullOrEmpty(QueryBaseDescription)) { iconDescription.Visible = true; diff --git a/Views/Forms/SysFormList.aspx.cs b/Views/Forms/SysFormList.aspx.cs index 0727728..dc6bbca 100644 --- a/Views/Forms/SysFormList.aspx.cs +++ b/Views/Forms/SysFormList.aspx.cs @@ -25,7 +25,7 @@ protected void Page_Load(object sender, EventArgs e) var GetTableAttr = MicroDTHelper.MicroDataTable.GetTableAttr(MicroPublic.GetTableName(ShortTableName)); txtPrimaryKeyName.Value = "data." + GetTableAttr.PrimaryKeyName; - divScript.InnerHtml = MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID); //例FormAppType + divScript.InnerHtml = HttpUtility.HtmlEncode(MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID)); //例FormAppType MicroAuth.CheckBrowse(ModuleID); diff --git a/Views/Home/Console.aspx.cs b/Views/Home/Console.aspx.cs index e47533f..e04647d 100644 --- a/Views/Home/Console.aspx.cs +++ b/Views/Home/Console.aspx.cs @@ -89,13 +89,13 @@ protected void Page_Load(object sender, EventArgs e) //一阶 关联相关表 "select a.*,b.FormName,b.ShortTableName,c.EMail,c.WorkTel,c.WorkMobilePhone,c.AdDepartment from FormApprovalRecords a left join Forms b on a.FormID=b.FormID left join UserInfo c on a.UID=c.UID " + //二阶 得到没有审批完成或没有对应完成或没有结案时的 min(FARID) - "where ((FARID in (select min(FARID) from FormApprovalRecords where Invalid = 0 and Del = 0 and StateCode <= 0 and UID = " + UID + " group by FormID,FormsID)) " + + "where ((FARID in (select min(FARID) from FormApprovalRecords where Invalid = 0 and Del = 0 and StateCode <= 0 and UID = @UID group by FormID,FormsID)) " + //三阶 或者得到已经结案了的max(FARID),同时排除二阶出现过的记录 - "or (FARID in (select max(FARID) from FormApprovalRecords where Invalid = 0 and Del = 0 and StateCode > 0 and UID = " + UID + " " + + "or (FARID in (select max(FARID) from FormApprovalRecords where Invalid = 0 and Del = 0 and StateCode > 0 and UID = @UID " + //三阶接续 排除二阶出现过的记录 - "and FormNumber not in (select FormNumber from FormApprovalRecords where FARID in (select min(FARID) from FormApprovalRecords where Invalid = 0 and Del = 0 and StateCode <= 0 and UID = " + UID + " group by FormID,FormsID) ) group by FormID,FormsID) )) " + - "and a.Invalid=0 and a.Del=0 and b.Invalid = 0 and b.Del = 0 and a.UID = " + UID + " order by FARID desc"; - DataTable _dt3 = MsSQLDbHelper.Query(_sql3).Tables[0]; + "and FormNumber not in (select FormNumber from FormApprovalRecords where FARID in (select min(FARID) from FormApprovalRecords where Invalid = 0 and Del = 0 and StateCode <= 0 and UID = @UID group by FormID,FormsID) ) group by FormID,FormsID) )) " + + "and a.Invalid=0 and a.Del=0 and b.Invalid = 0 and b.Del = 0 and a.UID = @UID order by FARID desc"; + DataTable _dt3 = MsSQLDbHelper.Query(_sql3, new SqlParameter("@UID", UID)).Tables[0]; MyApply = _dt3.Rows.Count.ToString(); if (_dt3.Rows.Count > 0) aMyApply.Attributes.Add("lay-href", "/Views/Forms/MicroPublicFormList/View/MyApply/" + ModuleID); @@ -105,13 +105,13 @@ protected void Page_Load(object sender, EventArgs e) //一阶 关联相关表 " select a.*,b.FormName,b.ShortTableName,c.EMail,c.WorkTel,c.WorkMobilePhone,c.AdDepartment from FormApprovalRecords a left join Forms b on a.FormID=b.FormID left join UserInfo c on a.UID=c.UID " + //二阶 得到在审批阶段已经审批或未审批的max(FARID)作为单条记录 - " where FARID in (select min(FARID) from FormApprovalRecords where WorkFlowID in (select WFID from WorkFlow where FlowCode = 'Approval' and Invalid=0 and Del=0 ) and Invalid = 0 and Del = 0 and StateCode = 0 and UID = " + UID + " group by FormID,FormsID) " + + " where FARID in (select min(FARID) from FormApprovalRecords where WorkFlowID in (select WFID from WorkFlow where FlowCode = 'Approval' and Invalid=0 and Del=0 ) and Invalid = 0 and Del = 0 and StateCode = 0 and UID = @UID group by FormID,FormsID) " + //三阶 去除在任意审批阶段被驳回的记录 (注:申请、受理、结案不算审批阶段) - " and FormNumber not in(select FormNumber from FormApprovalRecords where FARID in (select max(FARID) from FormApprovalRecords where Invalid = 0 and Del = 0 and StateCode < 0 and UID = " + UID + " group by FormID,FormsID) and Invalid=0 and Del=0 and UID = " + UID + ") " + + " and FormNumber not in(select FormNumber from FormApprovalRecords where FARID in (select max(FARID) from FormApprovalRecords where Invalid = 0 and Del = 0 and StateCode < 0 and UID = @UID group by FormID,FormsID) and Invalid=0 and Del=0 and UID = @UID) " + //四阶 去除在审批阶段最后一位已经审批通过的记录 - " and FARID not in (select FARID from FormApprovalRecords where WorkFlowID in(select max(WFID) from WorkFlow where FlowCode = 'Approval' and Invalid=0 and Del=0 group by FormID) and Invalid=0 and Del=0 and StateCode=1 and UID = " + UID + ") " + - " and a.Invalid=0 and a.Del=0 and b.Invalid = 0 and b.Del = 0 and a.UID = " + UID + " order by FARID desc"; - DataTable _dt4 = MsSQLDbHelper.Query(_sql4).Tables[0]; + " and FARID not in (select FARID from FormApprovalRecords where WorkFlowID in(select max(WFID) from WorkFlow where FlowCode = 'Approval' and Invalid=0 and Del=0 group by FormID) and Invalid=0 and Del=0 and StateCode=1 and UID = @UID) " + + " and a.Invalid=0 and a.Del=0 and b.Invalid = 0 and b.Del = 0 and a.UID = @UID order by FARID desc"; + DataTable _dt4 = MsSQLDbHelper.Query(_sql4, new SqlParameter("@UID", UID)).Tables[0]; MyApplyWaitApproval = _dt4.Rows.Count.ToString(); if (_dt4.Rows.Count > 0) aMyApplyWaitApproval.Attributes.Add("lay-href", "/Views/Forms/MicroPublicFormList/View/MyApplyWaitApproval/" + ModuleID); @@ -129,11 +129,11 @@ protected void Page_Load(object sender, EventArgs e) //四阶 去除在任意审批阶段被驳回的记录 (注:申请、受理、结案不算审批阶段) " and FormNumber not in(select FormNumber from FormApprovalRecords where FARID in (select max(FARID) from FormApprovalRecords where StateCode < 0 and Invalid = 0 and Del = 0 group by FormID,FormsID)) " + //五阶 Invalid=0 and Del=0并且需是我申请的 - " and a.Invalid = 0 and a.Del = 0 and a.UID=" + UID + " ) " + + " and a.Invalid = 0 and a.Del = 0 and a.UID=@UID ) " + //六阶 或者(或运算)得到不需要审批的表单并且在受理阶段的记录、并且是我申请的 (注意:FormID=0) " or (FARID in (select FARID from FormApprovalRecords where Invalid=0 and Del=0 and WorkFlowID in (select WFID from WorkFlow where Invalid=0 and Del=0 and FormID=0 and FlowCode='Accept') and StateCode = 0 " + - " and UID=" + UID + " )) order by FARID desc"; - DataTable _dt5 = MsSQLDbHelper.Query(_sql5).Tables[0]; + " and UID=@UID )) order by FARID desc"; + DataTable _dt5 = MsSQLDbHelper.Query(_sql5, new SqlParameter("@UID", UID)).Tables[0]; MyApplyWaitAccept = _dt5.Rows.Count.ToString(); if (_dt5.Rows.Count > 0) aMyApplyWaitAccept.Attributes.Add("lay-href", "/Views/Forms/MicroPublicFormList/View/MyApplyWaitAccept/" + ModuleID); @@ -143,34 +143,34 @@ protected void Page_Load(object sender, EventArgs e) //一阶 关联相关表 "select a.*,b.FormName,b.ShortTableName,c.EMail,c.WorkTel,c.WorkMobilePhone,c.AdDepartment from FormApprovalRecords a left join Forms b on a.FormID=b.FormID left join UserInfo c on a.UID=c.UID " + //二阶 得到在受理阶段已受理的记录 - "where FARID in (select FARID from FormApprovalRecords where WorkFlowID in (select WFID from WorkFlow where Invalid=0 and Del=0 and FlowCode = 'Accept') and Invalid=0 and Del=0 and StateCode > 0 and UID = " + UID + " ) " + + "where FARID in (select FARID from FormApprovalRecords where WorkFlowID in (select WFID from WorkFlow where Invalid=0 and Del=0 and FlowCode = 'Accept') and Invalid=0 and Del=0 and StateCode > 0 and UID = @UID ) " + //三阶 去除在任意审批阶段被驳回的记录 "and FormNumber not in(select FormNumber from FormApprovalRecords where FARID in (select max(FARID) from FormApprovalRecords where StateCode < 0 and Invalid = 0 and Del = 0 group by FormID,FormsID)) " + //四阶 排除已完成的记录 - "and FormNumber not in (select FormNumber from FormApprovalRecords where WorkFlowID in (select WFID from WorkFlow where Invalid=0 and Del=0 and FlowCode = 'Finish') and Invalid=0 and Del=0 and StateCode > 0 and UID = " + UID + " ) " + - "and a.Invalid = 0 and a.Del = 0 and b.Invalid = 0 and b.Del = 0 and a.UID = " + UID + " order by FARID desc"; - DataTable _dt6 = MsSQLDbHelper.Query(_sql6).Tables[0]; + "and FormNumber not in (select FormNumber from FormApprovalRecords where WorkFlowID in (select WFID from WorkFlow where Invalid=0 and Del=0 and FlowCode = 'Finish') and Invalid=0 and Del=0 and StateCode > 0 and UID = @UID ) " + + "and a.Invalid = 0 and a.Del = 0 and b.Invalid = 0 and b.Del = 0 and a.UID = @UID order by FARID desc"; + DataTable _dt6 = MsSQLDbHelper.Query(_sql6, new SqlParameter("@UID", UID)).Tables[0]; MyApplyAccepting = _dt6.Rows.Count.ToString(); if (_dt6.Rows.Count > 0) aMyApplyAccepting.Attributes.Add("lay-href", "/Views/Forms/MicroPublicFormList/View/MyApplyAccepting/" + ModuleID); //我的申请完成 - string _sql7 = "select a.*,b.FormName,b.ShortTableName,c.EMail,c.WorkTel,c.WorkMobilePhone,c.AdDepartment from FormApprovalRecords a left join Forms b on a.FormID=b.FormID left join UserInfo c on a.UID=c.UID where WorkFlowID in (select WFID from WorkFlow where Invalid=0 and Del=0 and FlowCode='Finish') and StateCode>0 and a.UID=" + UID + " and a.Invalid=0 and a.Del=0 and b.Invalid = 0 and b.Del = 0 order by FARID desc"; - DataTable _dt7 = MsSQLDbHelper.Query(_sql7).Tables[0]; + string _sql7 = "select a.*,b.FormName,b.ShortTableName,c.EMail,c.WorkTel,c.WorkMobilePhone,c.AdDepartment from FormApprovalRecords a left join Forms b on a.FormID=b.FormID left join UserInfo c on a.UID=c.UID where WorkFlowID in (select WFID from WorkFlow where Invalid=0 and Del=0 and FlowCode='Finish') and StateCode>0 and a.UID=@UID and a.Invalid=0 and a.Del=0 and b.Invalid = 0 and b.Del = 0 order by FARID desc"; + DataTable _dt7 = MsSQLDbHelper.Query(_sql7, new SqlParameter("@UID", UID)).Tables[0]; MyApplyFinish = _dt7.Rows.Count.ToString(); if (_dt7.Rows.Count > 0) aMyApplyFinish.Attributes.Add("lay-href", "/Views/Forms/MicroPublicFormList/View/MyApplyFinish/" + ModuleID); //我的申请驳回 - string _sql8 = "select a.*,b.FormName,b.ShortTableName,c.EMail,c.WorkTel,c.WorkMobilePhone,c.AdDepartment from FormApprovalRecords a left join Forms b on a.FormID=b.FormID left join UserInfo c on a.UID=c.UID where FARID in (select max(FARID) from FormApprovalRecords where StateCode = -1 and Invalid = 0 and Del = 0 group by FormID,FormsID) and a.UID = " + UID + " and a.Invalid=0 and a.Del=0 and b.Invalid = 0 and b.Del = 0 order by FARID desc"; - DataTable _dt8 = MsSQLDbHelper.Query(_sql8).Tables[0]; + string _sql8 = "select a.*,b.FormName,b.ShortTableName,c.EMail,c.WorkTel,c.WorkMobilePhone,c.AdDepartment from FormApprovalRecords a left join Forms b on a.FormID=b.FormID left join UserInfo c on a.UID=c.UID where FARID in (select max(FARID) from FormApprovalRecords where StateCode = -1 and Invalid = 0 and Del = 0 group by FormID,FormsID) and a.UID = @UID and a.Invalid=0 and a.Del=0 and b.Invalid = 0 and b.Del = 0 order by FARID desc"; + DataTable _dt8 = MsSQLDbHelper.Query(_sql8, new SqlParameter("@UID", UID)).Tables[0]; MyApplyReject = _dt8.Rows.Count.ToString(); if (_dt8.Rows.Count > 0) aMyApplyReject.Attributes.Add("lay-href", "/Views/Forms/MicroPublicFormList/View/MyApplyReject/" + ModuleID); //我的申请撤回 - string _sql9 = "select a.*,b.FormName,b.ShortTableName,c.EMail,c.WorkTel,c.WorkMobilePhone,c.AdDepartment from FormApprovalRecords a left join Forms b on a.FormID=b.FormID left join UserInfo c on a.UID=c.UID where FARID in (select max(FARID) from FormApprovalRecords where (StateCode = -4 or StateCode = 15) and Invalid = 0 and Del = 0 group by FormID,FormsID) and a.UID = " + UID + " and a.Invalid=0 and a.Del=0 and b.Invalid = 0 and b.Del = 0 order by FARID desc"; - DataTable _dt9 = MsSQLDbHelper.Query(_sql9).Tables[0]; + string _sql9 = "select a.*,b.FormName,b.ShortTableName,c.EMail,c.WorkTel,c.WorkMobilePhone,c.AdDepartment from FormApprovalRecords a left join Forms b on a.FormID=b.FormID left join UserInfo c on a.UID=c.UID where FARID in (select max(FARID) from FormApprovalRecords where (StateCode = -4 or StateCode = 15) and Invalid = 0 and Del = 0 group by FormID,FormsID) and a.UID = @UID and a.Invalid=0 and a.Del=0 and b.Invalid = 0 and b.Del = 0 order by FARID desc"; + DataTable _dt9 = MsSQLDbHelper.Query(_sql9, new SqlParameter("@UID", UID)).Tables[0]; MyApplyWithdrawal = _dt9.Rows.Count.ToString(); if (_dt9.Rows.Count > 0) aMyApplyWithdrawal.Attributes.Add("lay-href", "/Views/Forms/MicroPublicFormList/View/MyApplyWithdrawal/" + ModuleID); @@ -187,8 +187,8 @@ protected void Page_Load(object sender, EventArgs e) //三阶 去除在任意审批阶段被驳回的记录 (注:申请、受理、结案不算审批阶段) "and FormNumber not in(select FormNumber from FormApprovalRecords where FARID in (select max(FARID) from FormApprovalRecords where StateCode < 0 and Invalid = 0 and Del = 0 group by FormID,FormsID)) " + //四阶 与我相关的 - "and CHARINDEX(',' + convert(varchar, " + UID + ") + ',',',' + CanApprovalUID + ',')> 0 and a.Invalid = 0 and a.Del = 0 and b.Invalid = 0 and b.Del = 0 order by FARID desc"; - DataTable _dt11 = MsSQLDbHelper.Query(_sql11).Tables[0]; + "and CHARINDEX(',' + convert(varchar, @UID) + ',',',' + CanApprovalUID + ',')> 0 and a.Invalid = 0 and a.Del = 0 and b.Invalid = 0 and b.Del = 0 order by FARID desc"; + DataTable _dt11 = MsSQLDbHelper.Query(_sql11, new SqlParameter("@UID", UID)).Tables[0]; PendingMyApproval = _dt11.Rows.Count.ToString(); if (_dt11.Rows.Count > 0) { @@ -210,11 +210,11 @@ protected void Page_Load(object sender, EventArgs e) //四阶 去除在任意审批阶段被驳回的记录 (注:申请、受理、结案不算审批阶段) "and FormNumber not in(select FormNumber from FormApprovalRecords where FARID in (select max(FARID) from FormApprovalRecords where StateCode < 0 and Invalid = 0 and Del = 0 group by FormID,FormsID)) " + //五阶 Invalid = 0 and Del = 1并且需要我进行处理的 (即 CHARINDEX(',' + convert(varchar, 362) + ',',',' + CanApprovalUID + ',')> 0 ) - "and a.Invalid = 0 and a.Del = 0 and CHARINDEX(',' + convert(varchar, " + UID + ") + ',',',' + CanApprovalUID + ',')> 0 ) " + + "and a.Invalid = 0 and a.Del = 0 and CHARINDEX(',' + convert(varchar, @UID) + ',',',' + CanApprovalUID + ',')> 0 ) " + //六阶 或者(或运算)得到不需要审批的表单在受理阶段的记录并且需要我进行处理的 (注意:FormID = 0) "or (FARID in (select FARID from FormApprovalRecords where Invalid = 0 and Del = 0 and WorkFlowID in (select WFID from WorkFlow where Invalid = 0 and Del = 0 and FormID = 0 and FlowCode = 'Accept') and StateCode = 0 " + - "and CHARINDEX(',' + convert(varchar, " + UID + ") + ',',',' + CanApprovalUID + ',')> 0)) order by FARID desc"; - DataTable _dt12 = MsSQLDbHelper.Query(_sql12).Tables[0]; + "and CHARINDEX(',' + convert(varchar, @UID) + ',',',' + CanApprovalUID + ',')> 0)) order by FARID desc"; + DataTable _dt12 = MsSQLDbHelper.Query(_sql12, new SqlParameter("@UID", UID)).Tables[0]; PendingMyAccept = _dt12.Rows.Count.ToString(); if (_dt12.Rows.Count > 0) aPendingMyAccept.Attributes.Add("lay-href", "/Views/Forms/MicroPublicFormList/View/PendingMyAccept/" + ModuleID); @@ -226,20 +226,20 @@ protected void Page_Load(object sender, EventArgs e) //二阶 得到在受理阶段已经经过受理的记录 "where FormNumber in( " + "select FormNumber from FormApprovalRecords where FARID in (select max(FARID) from FormApprovalRecords where WorkFlowID in (select WFID from WorkFlow where Invalid=0 and Del=0 and FlowCode = 'Accept') and Invalid=0 and Del=0 group by FormID,FormsID) " + - "and StateCode>0 and ApprovalUID=" + UID + ") " + + "and StateCode>0 and ApprovalUID=@UID) " + //三阶 并且在结案阶段但未结案的 "and WorkFlowID in (select WFID from WorkFlow where Invalid=0 and Del=0 and FlowCode = 'Finish') and StateCode = 0 " + //四阶 去除在任意审批阶段被驳回的记录 "and FormNumber not in(select FormNumber from FormApprovalRecords where FARID in (select max(FARID) from FormApprovalRecords where StateCode < 0 and Invalid = 0 and Del = 0 group by FormID,FormsID)) " + - "and CHARINDEX(',' + convert(varchar, " + UID + ") + ',',',' + CanApprovalUID + ',')> 0 and a.Invalid=0 and a.Del=0 and b.Invalid = 0 and b.Del = 0 order by FARID desc"; - DataTable _dt13 = MsSQLDbHelper.Query(_sql13).Tables[0]; + "and CHARINDEX(',' + convert(varchar, @UID) + ',',',' + CanApprovalUID + ',')> 0 and a.Invalid=0 and a.Del=0 and b.Invalid = 0 and b.Del = 0 order by FARID desc"; + DataTable _dt13 = MsSQLDbHelper.Query(_sql13, new SqlParameter("@UID", UID)).Tables[0]; Accepting = _dt13.Rows.Count.ToString(); if (_dt13.Rows.Count > 0) aAccepting.Attributes.Add("lay-href", "/Views/Forms/MicroPublicFormList/View/Accepting/" + ModuleID); //我处完成 Update 20201214 - string _sql14 = "select a.*,b.FormName,b.ShortTableName,c.EMail,c.WorkTel,c.WorkMobilePhone,c.AdDepartment from FormApprovalRecords a left join Forms b on a.FormID=b.FormID left join UserInfo c on a.UID=c.UID where WorkFlowID in (select WFID from WorkFlow where FlowCode='Finish') and StateCode>0 and ApprovalUID= " + UID + " and CHARINDEX(',' + convert(varchar, " + UID + ") + ',', ',' + CanApprovalUID + ',') > 0 and a.Invalid = 0 and a.Del = 0 and b.Invalid = 0 and b.Del = 0 order by FARID desc"; - DataTable _dt14 = MsSQLDbHelper.Query(_sql14).Tables[0]; + string _sql14 = "select a.*,b.FormName,b.ShortTableName,c.EMail,c.WorkTel,c.WorkMobilePhone,c.AdDepartment from FormApprovalRecords a left join Forms b on a.FormID=b.FormID left join UserInfo c on a.UID=c.UID where WorkFlowID in (select WFID from WorkFlow where FlowCode='Finish') and StateCode>0 and ApprovalUID= @UID and CHARINDEX(',' + convert(varchar, @UID) + ',', ',' + CanApprovalUID + ',') > 0 and a.Invalid = 0 and a.Del = 0 and b.Invalid = 0 and b.Del = 0 order by FARID desc"; + DataTable _dt14 = MsSQLDbHelper.Query(_sql14, new SqlParameter("@UID", UID)).Tables[0]; Finish = _dt14.Rows.Count.ToString(); if (_dt14.Rows.Count > 0) aFinish.Attributes.Add("lay-href", "/Views/Forms/MicroPublicFormList/View/Finish/" + ModuleID); diff --git a/Views/Home/PendingMyApproval.aspx.cs b/Views/Home/PendingMyApproval.aspx.cs index 86350a0..0000bd3 100644 --- a/Views/Home/PendingMyApproval.aspx.cs +++ b/Views/Home/PendingMyApproval.aspx.cs @@ -68,8 +68,8 @@ protected string GetPendingMyApproval() protected string GetPendingMyApprovalList(string FCID) { string flag = string.Empty; - string _sql = " select FormID,FormName,ShortTableName from Forms where Invalid=0 and Del=0 and FCID=" + FCID.toInt() + " order by Sort"; - DataTable _dt = MsSQLDbHelper.Query(_sql).Tables[0]; + string _sql = " select FormID,FormName,ShortTableName from Forms where Invalid=0 and Del=0 and FCID=@FCID order by Sort"; + DataTable _dt = MsSQLDbHelper.Query(_sql, new SqlParameter("@FCID", FCID.toInt())).Tables[0]; if (_dt != null && _dt.Rows.Count > 0) { @@ -100,9 +100,9 @@ protected string GetPendingMyApprovalList(string FCID) //三阶 去除在任意审批阶段被驳回的记录 (注:申请、受理、结案不算审批阶段) "and FormNumber not in(select FormNumber from FormApprovalRecords where FARID in (select max(FARID) from FormApprovalRecords where StateCode < 0 and Invalid = 0 and Del = 0 group by FormID,FormsID)) " + //四阶 与我相关的 - "and CHARINDEX(',' + convert(varchar, " + UID + ") + ',',',' + CanApprovalUID + ',')> 0 and a.Invalid = 0 and a.Del = 0 and b.Invalid = 0 and b.Del = 0 and a.FormID=" + FormID.toInt() + ""; + "and CHARINDEX(',' + convert(varchar, " + UID + ") + ',',',' + CanApprovalUID + ',')> 0 and a.Invalid = 0 and a.Del = 0 and b.Invalid = 0 and b.Del = 0 and a.FormID=@FormID"; - DataTable _dt2 = MsSQLDbHelper.Query(_sql2).Tables[0]; + DataTable _dt2 = MsSQLDbHelper.Query(_sql2, new SqlParameter("@FormID", FormID.toInt())).Tables[0]; if (_dt2.Rows.Count > 0) { diff --git a/Views/Info/Detail.aspx.cs b/Views/Info/Detail.aspx.cs index 5ff1330..5efaa5f 100644 --- a/Views/Info/Detail.aspx.cs +++ b/Views/Info/Detail.aspx.cs @@ -47,16 +47,22 @@ protected string GetDetail() DataTable _dt = MsSQLDbHelper.Query(_sql, _sp).Tables[0]; //得到当前用户角色 - string _sqlUserRoles = "select * from UserRoles where Invalid=0 and Del=0 and UID=" + UID + ""; - DataTable _dtUserRoles = MsSQLDbHelper.Query(_sqlUserRoles).Tables[0]; + string _sqlUserRoles = "select * from UserRoles where Invalid=0 and Del=0 and UID=@UID"; + SqlParameter[] _spUserRoles = { new SqlParameter("@UID", SqlDbType.Int) }; + _spUserRoles[0].Value = UID; + DataTable _dtUserRoles = MsSQLDbHelper.Query(_sqlUserRoles, _spUserRoles).Tables[0]; //得到当前用户职位 - string _sqlJobTitle = "select * from UserJobTitle where Invalid=0 and Del=0 and UID=" + UID + ""; - DataTable _dtJobTitle = MsSQLDbHelper.Query(_sqlJobTitle).Tables[0]; + string _sqlJobTitle = "select * from UserJobTitle where Invalid=0 and Del=0 and UID=@UID"; + SqlParameter[] _spJobTitle = { new SqlParameter("@UID", SqlDbType.Int) }; + _spJobTitle[0].Value = UID; + DataTable _dtJobTitle = MsSQLDbHelper.Query(_sqlJobTitle, _spJobTitle).Tables[0]; //得到当前用户部门 - string _sqlUserDepts = "select * from UserDepts where Invalid=0 and Del=0 and UID=" + UID + ""; - DataTable _dtUserDepts = MsSQLDbHelper.Query(_sqlUserDepts).Tables[0]; + string _sqlUserDepts = "select * from UserDepts where Invalid=0 and Del=0 and UID=@UID"; + SqlParameter[] _spUserDepts = { new SqlParameter("@UID", SqlDbType.Int) }; + _spUserDepts[0].Value = UID; + DataTable _dtUserDepts = MsSQLDbHelper.Query(_sqlUserDepts, _spUserDepts).Tables[0]; if (_dt.Rows.Count > 0) { diff --git a/Views/Info/GlobalTips.aspx.cs b/Views/Info/GlobalTips.aspx.cs index fba8742..c34892c 100644 --- a/Views/Info/GlobalTips.aspx.cs +++ b/Views/Info/GlobalTips.aspx.cs @@ -44,8 +44,8 @@ protected void Page_Load(object sender, EventArgs e) if (!string.IsNullOrEmpty(MaxDateCreated) && DateCreated.toDateTime("yyyy-MM-dd") == MaxDateCreated.toDateTime("yyyy-MM-dd") && MicroPublic.GetMicroInfo("InfoNewTips").toBoolean()) NewTips = ""; - flag += "
  • " + _dt.Rows[i]["InfoClassName"].toStringTrim() + ""; - flag += "" + _dt.Rows[i]["Title"].toStringTrim() + "" + NewTips + "" + DateCreated.toDateFormat("yyyy-MM-dd HH:mm") + ""; + flag += "
  • " + HttpUtility.HtmlEncode(_dt.Rows[i]["InfoClassName"].toStringTrim()) + ""; + flag += "" + HttpUtility.HtmlEncode(_dt.Rows[i]["Title"].toStringTrim()) + "" + NewTips + "" + DateCreated.toDateFormat("yyyy-MM-dd HH:mm") + ""; flag += "
    • "; } diff --git a/Views/Info/List.aspx.cs b/Views/Info/List.aspx.cs index 76e0574..e1f9197 100644 --- a/Views/Info/List.aspx.cs +++ b/Views/Info/List.aspx.cs @@ -63,12 +63,12 @@ private string GetInfo(Boolean ApprovalPermit, Boolean EditPermit, Boolean EditA if (InfoClassID.toInt() != 0) { //默认显示当前分类及所有子分类 - InfoClassIDStr = " and InfoClassID in (select ICID from InformationClass where Invalid=0 and Del=0 and LevelCode like (select LevelCode+'%' from InformationClass where ICID=" + InfoClassID.toInt() + ")) "; + InfoClassIDStr = " and InfoClassID in (select ICID from InformationClass where Invalid=0 and Del=0 and LevelCode like (select LevelCode+'%' from InformationClass where ICID=@InfoClassID)) "; //如果设置为False时则仅显示当前分类 Boolean InfoDisplayMode = MicroPublic.GetMicroInfo("InfoDisplayMode").toBoolean(); if (!InfoDisplayMode) - InfoClassIDStr = " and InfoClassID in(select ICID from InformationClass where Invalid=0 and Del=0 and (ICID=" + InfoClassID.toInt() + " or ParentID=" + InfoClassID.toInt() + "))"; + InfoClassIDStr = " and InfoClassID in(select ICID from InformationClass where Invalid=0 and Del=0 and (ICID=@InfoClassID or ParentID=@InfoClassID))"; } else if (InfoClassID.toInt() == 0 && string.IsNullOrEmpty(Keyword)) //代表是打开首页 @@ -91,29 +91,35 @@ private string GetInfo(Boolean ApprovalPermit, Boolean EditPermit, Boolean EditA string _sql = "select a.*,b.InfoClassName,b.Description from Information a left join InformationClass b on a.InfoClassID=b.ICID where a.Del=0 " + Invalid + " and PushToInfoPlatform=1 " + InfoClassIDStr + KeywordQueryStr + " order by DateCreated desc"; - SqlParameter[] _sp = { new SqlParameter("@Keyword", SqlDbType.NVarChar), }; + SqlParameter[] _sp = { + new SqlParameter("@Keyword", SqlDbType.NVarChar), + new SqlParameter("@InfoClassID", SqlDbType.Int) + }; _sp[0].Value = Keyword; + _sp[1].Value = InfoClassID.toInt(); DataTable _dt = MsSQLDbHelper.Query(_sql, _sp).Tables[0]; DataTable TargetDT = _dt.Clone(); //得到当前用户角色 - string _sqlUserRoles = "select * from UserRoles where Invalid=0 and Del=0 and UID=" + UID + ""; - DataTable _dtUserRoles = MsSQLDbHelper.Query(_sqlUserRoles).Tables[0]; + string _sqlUserRoles = "select * from UserRoles where Invalid=0 and Del=0 and UID=@UID"; + SqlParameter[] _spUserRoles = { new SqlParameter("@UID", SqlDbType.Int) }; + _spUserRoles[0].Value = UID; + DataTable _dtUserRoles = MsSQLDbHelper.Query(_sqlUserRoles, _spUserRoles).Tables[0]; //得到当前用户职位 - string _sqlJobTitle = "select * from UserJobTitle where Invalid=0 and Del=0 and UID=" + UID + ""; - DataTable _dtJobTitle = MsSQLDbHelper.Query(_sqlJobTitle).Tables[0]; + string _sqlJobTitle = "select * from UserJobTitle where Invalid=0 and Del=0 and UID=@UID"; + DataTable _dtJobTitle = MsSQLDbHelper.Query(_sqlJobTitle, _spUserRoles).Tables[0]; //得到当前用户部门 - string _sqlUserDepts = "select * from UserDepts where Invalid=0 and Del=0 and UID=" + UID + ""; - DataTable _dtUserDepts = MsSQLDbHelper.Query(_sqlUserDepts).Tables[0]; + string _sqlUserDepts = "select * from UserDepts where Invalid=0 and Del=0 and UID=@UID"; + DataTable _dtUserDepts = MsSQLDbHelper.Query(_sqlUserDepts, _spUserRoles).Tables[0]; if (_dt.Rows.Count > 0) { string MaxDateCreated = string.Empty; string _sqlMaxDateCreated = "select max(DateCreated) as DateCreated from Information where Invalid=0 and Del=0 and PushToInfoPlatform=1 " + InfoClassIDStr; //加入只在首页显示的板块进行查询 - DataTable _dtMaxDateCreated = MsSQLDbHelper.Query(_sqlMaxDateCreated).Tables[0]; + DataTable _dtMaxDateCreated = MsSQLDbHelper.Query(_sqlMaxDateCreated, _sp).Tables[0]; if (_dtMaxDateCreated.Rows.Count > 0) MaxDateCreated = _dtMaxDateCreated.Rows[0]["DateCreated"].toStringTrim(); diff --git a/Views/Set/Navigation.aspx.cs b/Views/Set/Navigation.aspx.cs index 159b003..72bef59 100644 --- a/Views/Set/Navigation.aspx.cs +++ b/Views/Set/Navigation.aspx.cs @@ -25,7 +25,8 @@ protected void Page_Load(object sender, EventArgs e) var GetTableAttr = MicroDTHelper.MicroDataTable.GetTableAttr(MicroPublic.GetTableName(ShortTableName)); txtPrimaryKeyName.Value = "data." + GetTableAttr.PrimaryKeyName; - divScript.InnerHtml = MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID); + // Sanitize the HTML content to prevent XSS + divScript.InnerHtml = HttpUtility.HtmlEncode(MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID)); //txtMID.Value = MicroPublic.GetFriendlyUrlParm(0); //divScript.InnerHtml = MicroForm.GetLayCheckBoxTpl("Mod"); diff --git a/Views/Stats/Attendance/Js/UserOnDuty.js b/Views/Stats/Attendance/Js/UserOnDuty.js index 23dcfed..121e668 100644 --- a/Views/Stats/Attendance/Js/UserOnDuty.js +++ b/Views/Stats/Attendance/Js/UserOnDuty.js @@ -196,7 +196,7 @@ }, GetTable: function (v) { - v = v || eval('({\"code\": 0,\"msg\": \"数据读取失败
    データの読み込みに失敗しました
    Data reading failed\",\"count\":0,\"cols\": [],\"data\": [] })'); + v = v || { "code": 0, "msg": "数据读取失败
    データの読み込みに失敗しました
    Data reading failed", "count": 0, "cols": [], "data": [] }; table.render({ elem: '#tabTable' @@ -209,7 +209,7 @@ , even: true , height:'full-120' , cellMinWidth: 60 - , cols: [eval(v.cols)] + , cols: v.cols , page: true , limit: 100 , limits: [100,200,300,400,500,600,700,800,900,1000] diff --git a/Views/Stats/Attendance/UserOnDuty.aspx.cs b/Views/Stats/Attendance/UserOnDuty.aspx.cs index 2dcefcf..1408224 100644 --- a/Views/Stats/Attendance/UserOnDuty.aspx.cs +++ b/Views/Stats/Attendance/UserOnDuty.aspx.cs @@ -19,18 +19,18 @@ protected void Page_Load(object sender, EventArgs e) { //动作Action 可选值Add、Modify、View string Action = MicroPublic.GetFriendlyUrlParm(0); - txtAction.Value = Action; + txtAction.Value = HttpUtility.HtmlEncode(Action); // Encode to prevent XSS string ShortTableName = MicroPublic.GetFriendlyUrlParm(1); - txtShortTableName.Value = ShortTableName; + txtShortTableName.Value = HttpUtility.HtmlEncode(ShortTableName); // Encode to prevent XSS string ModuleID = MicroPublic.GetFriendlyUrlParm(2); - txtMID.Value = ModuleID; + txtMID.Value = HttpUtility.HtmlEncode(ModuleID); // Encode to prevent XSS string CurrDate = DateTime.Now.toDateFormat(); - txtDateRange.Value = CurrDate.toDateMFirstDay() + " ~ " + CurrDate.toDateMLastDay(); + txtDateRange.Value = HttpUtility.HtmlEncode(CurrDate.toDateMFirstDay() + " ~ " + CurrDate.toDateMLastDay()); // Encode to prevent XSS - divScript.InnerHtml = MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID); + divScript.InnerHtml = HttpUtility.HtmlEncode(MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID)); // Encode to prevent XSS //检查是否已经登录和页面唯一识别是否一致(ShortTableName) MicroAuth.CheckAuth(ModuleID, ShortTableName); @@ -76,8 +76,12 @@ protected string GetDeptNav() else //只能查看自己时也列出自部门的父部门,便于生成菜单 DeptIDs = MicroUserInfo.GetUserInfo("ParentDeptsID") + "," + MicroUserInfo.GetUserInfo("SubDeptsID"); //只能查看自部门时也一样。 - string _sql = "select * from Department where Invalid=0 and Del=0 and DeptID in (" + DeptIDs + ")"; - DataTable _dt = MicroDBHelper.MsSQLDbHelper.Query(_sql).Tables[0]; //得到_dt作为自定义DataTable通过MicroDataTable.GetDataTable方法进行查询记录(该方法的特点如是有父记录的表会追加MainSub等相关属性返回) + // Use parameterized query to prevent SQL Injection + string _sql = "select * from Department where Invalid=0 and Del=0 and DeptID in (@DeptIDs)"; + var parameters = new SqlParameter[] { + new SqlParameter("@DeptIDs", DeptIDs) + }; + DataTable _dt = MicroDBHelper.MsSQLDbHelper.Query(_sql, parameters).Tables[0]; //得到_dt作为自定义DataTable通过MicroDataTable.GetDataTable方法进行查询记录(该方法的特点如是有父记录的表会追加MainSub等相关属性返回) if (_dt != null && _dt.Rows.Count > 0) _dt = MicroDataTable.GetDataTable("Dept", true, _dt); @@ -97,12 +101,12 @@ protected string GetDeptNav() int i = 0; foreach (DataRow _dr in _rows) { - string MainSub = _dr["MainSub"].toStringTrim() == "Main" ? "" : _dr["MainSub"].toStringTrim() + " ", - Name = _dr["DeptName"].toStringTrim(), + string MainSub = HttpUtility.HtmlEncode(_dr["MainSub"].toStringTrim() == "Main" ? "" : _dr["MainSub"].toStringTrim() + " "), + Name = HttpUtility.HtmlEncode(_dr["DeptName"].toStringTrim()), Name2 = Name, - AdDepartment = _dr["AdDepartment"].toStringTrim(), - ParentID = _dr["ParentID"].toStringTrim(), - ID = _dr["DeptID"].toStringTrim(); + AdDepartment = HttpUtility.HtmlEncode(_dr["AdDepartment"].toStringTrim()), + ParentID = HttpUtility.HtmlEncode(_dr["ParentID"].toStringTrim()), + ID = HttpUtility.HtmlEncode(_dr["DeptID"].toStringTrim()); //Name = _dr["MainSub"].toStringTrim() == "Main" ? "" + Name + "" : MainSub + Name; @@ -130,7 +134,7 @@ protected string GetDeptNav() flag = _li; } - catch (Exception ex) { flag = ex.ToString(); } + catch (Exception ex) { flag = HttpUtility.HtmlEncode(ex.ToString()); } // Encode to prevent XSS return flag; @@ -164,8 +168,8 @@ protected string GetJobTitleNav() foreach (DataRow _dr in _rows) { - string Name = _dr["JobTitleName"].toStringTrim(); - string ID = _dr["JTID"].toStringTrim(); + string Name = HttpUtility.HtmlEncode(_dr["JobTitleName"].toStringTrim()); + string ID = HttpUtility.HtmlEncode(_dr["JTID"].toStringTrim()); _li += "
    " + Name + ""; @@ -185,7 +189,7 @@ protected string GetJobTitleNav() flag = _li; } - catch (Exception ex) { flag = ex.ToString(); } + catch (Exception ex) { flag = HttpUtility.HtmlEncode(ex.ToString()); } // Encode to prevent XSS return flag; } @@ -215,8 +219,8 @@ protected string GetRolesNav() foreach (DataRow _dr in _rows) { - string Name = _dr["RoleName"].toStringTrim(); - string ID = _dr["RID"].toStringTrim(); + string Name = HttpUtility.HtmlEncode(_dr["RoleName"].toStringTrim()); + string ID = HttpUtility.HtmlEncode(_dr["RID"].toStringTrim()); _li += "
    " + Name + ""; diff --git a/Views/Stats/Attendance/UserOvertime.aspx.cs b/Views/Stats/Attendance/UserOvertime.aspx.cs index b26ada8..10edb63 100644 --- a/Views/Stats/Attendance/UserOvertime.aspx.cs +++ b/Views/Stats/Attendance/UserOvertime.aspx.cs @@ -17,18 +17,18 @@ protected void Page_Load(object sender, EventArgs e) { //动作Action 可选值Add、Modify、View string Action = MicroPublic.GetFriendlyUrlParm(0); - txtAction.Value = Action; + txtAction.Value = HttpUtility.HtmlEncode(Action); // Sanitize for XSS string ShortTableName = MicroPublic.GetFriendlyUrlParm(1); - txtShortTableName.Value = ShortTableName; + txtShortTableName.Value = HttpUtility.HtmlEncode(ShortTableName); // Sanitize for XSS string ModuleID = MicroPublic.GetFriendlyUrlParm(2); - txtMID.Value = ModuleID; + txtMID.Value = HttpUtility.HtmlEncode(ModuleID); // Sanitize for XSS string CurrDate = DateTime.Now.toDateFormat(); - txtDateRange.Value = CurrDate.toDateMFirstDay() + " ~ " + CurrDate.toDateMLastDay(); + txtDateRange.Value = HttpUtility.HtmlEncode(CurrDate.toDateMFirstDay() + " ~ " + CurrDate.toDateMLastDay()); // Sanitize for XSS - divScript.InnerHtml = MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID); + divScript.InnerHtml = MicroForm.GetLayCheckBoxTpl(HttpUtility.HtmlEncode(ShortTableName), HttpUtility.HtmlEncode(ModuleID)); // Sanitize for XSS //检查是否已经登录和页面唯一识别是否一致(ShortTableName) MicroAuth.CheckAuth(ModuleID, ShortTableName); @@ -114,8 +114,11 @@ protected string GetDeptNav() else //只能查看自己时也列出自部门的父部门,便于生成菜单 DeptIDs = MicroUserInfo.GetUserInfo("ParentDeptsID") + "," + MicroUserInfo.GetUserInfo("SubDeptsID"); //只能查看自部门时也一样。 - string _sql = "select * from Department where Invalid=0 and Del=0 and DeptID in (" + DeptIDs + ")"; - DataTable _dt = MicroDBHelper.MsSQLDbHelper.Query(_sql).Tables[0]; //得到_dt作为自定义DataTable通过MicroDataTable.GetDataTable方法进行查询记录(该方法的特点如是有父记录的表会追加MainSub等相关属性返回) + string _sql = "select * from Department where Invalid=0 and Del=0 and DeptID in (@DeptIDs)"; + var parameters = new SqlParameter[] { + new SqlParameter("@DeptIDs", DeptIDs) + }; + DataTable _dt = MicroDBHelper.MsSQLDbHelper.Query(_sql, parameters).Tables[0]; // Use parameterized query to prevent SQL Injection if (_dt != null && _dt.Rows.Count > 0) _dt = MicroDataTable.GetDataTable("Dept", true, _dt); @@ -136,9 +139,9 @@ protected string GetDeptNav() foreach (DataRow _dr in _rows) { string MainSub = _dr["MainSub"].toStringTrim() == "Main" ? "" : _dr["MainSub"].toStringTrim() + " ", - Name = _dr["DeptName"].toStringTrim(), + Name = HttpUtility.HtmlEncode(_dr["DeptName"].toStringTrim()), // Sanitize for XSS Name2 = Name, - AdDepartment = _dr["AdDepartment"].toStringTrim(), + AdDepartment = HttpUtility.HtmlEncode(_dr["AdDepartment"].toStringTrim()), // Sanitize for XSS ParentID = _dr["ParentID"].toStringTrim(), ID = _dr["DeptID"].toStringTrim(); @@ -168,7 +171,7 @@ protected string GetDeptNav() flag = _li; } - catch (Exception ex) { flag = ex.ToString(); } + catch (Exception ex) { flag = HttpUtility.HtmlEncode(ex.ToString()); } // Sanitize for XSS return flag; @@ -202,7 +205,7 @@ protected string GetJobTitleNav() foreach (DataRow _dr in _rows) { - string Name = _dr["JobTitleName"].toStringTrim(); + string Name = HttpUtility.HtmlEncode(_dr["JobTitleName"].toStringTrim()); // Sanitize for XSS string ID = _dr["JTID"].toStringTrim(); _li += "
    " + Name + ""; @@ -223,7 +226,7 @@ protected string GetJobTitleNav() flag = _li; } - catch (Exception ex) { flag = ex.ToString(); } + catch (Exception ex) { flag = HttpUtility.HtmlEncode(ex.ToString()); } // Sanitize for XSS return flag; } @@ -253,7 +256,7 @@ protected string GetRolesNav() foreach (DataRow _dr in _rows) { - string Name = _dr["RoleName"].toStringTrim(); + string Name = HttpUtility.HtmlEncode(_dr["RoleName"].toStringTrim()); // Sanitize for XSS string ID = _dr["RID"].toStringTrim(); _li += "
    " + Name + ""; diff --git a/Views/Stats/General.aspx.cs b/Views/Stats/General.aspx.cs index 9ad861c..033625d 100644 --- a/Views/Stats/General.aspx.cs +++ b/Views/Stats/General.aspx.cs @@ -88,7 +88,7 @@ protected string GetOvertimeMeal() if (!string.IsNullOrEmpty(Location)) { Location = Location.toStringTrim(); - QueryFieldsStr = " and Location='" + Location + "'"; + QueryFieldsStr = " and Location=@Location"; KeywordStr = "Location_" + Location + ",Keyword_"; //构成:Location-Test,Keyword-午餐 } @@ -98,15 +98,17 @@ protected string GetOvertimeMeal() OvertimeMealName = _dt.Rows[i]["OvertimeMealName"].toStringTrim(), LayHref = string.Empty; - string _sql2 = " select OvertimeID,OvertimeMealID from HROvertime where Invalid=0 and Del=0 and ParentID<>0 and StateCode>=0 and CHARINDEX(','+convert(varchar," + OvertimeMealID.toInt() + ")+',',','+OvertimeMealID+',')>0 and OvertimeDate between @StartDate and @EndDate" + QueryFieldsStr; + string _sql2 = " select OvertimeID,OvertimeMealID from HROvertime where Invalid=0 and Del=0 and ParentID<>0 and StateCode>=0 and CHARINDEX(','+convert(varchar,@OvertimeMealID)+',',','+OvertimeMealID+',')>0 and OvertimeDate between @StartDate and @EndDate" + QueryFieldsStr; SqlParameter[] _sp2 = { new SqlParameter("@Location",SqlDbType.NVarChar,1000), new SqlParameter("@StartDate",SqlDbType.DateTime), new SqlParameter("@EndDate",SqlDbType.DateTime), + new SqlParameter("@OvertimeMealID", SqlDbType.Int) }; _sp2[0].Value = Location.toStringTrim(); _sp2[1].Value = StartDate.toDateTime(); _sp2[2].Value = EndDate.toDateTime(); + _sp2[3].Value = OvertimeMealID.toInt(); DataTable _dt2 = MsSQLDbHelper.Query(_sql2, _sp2).Tables[0]; @@ -167,7 +169,7 @@ protected string GetOnDuty() if (!string.IsNullOrEmpty(Location)) { Location = Location.toStringTrim(); - QueryFieldsStr = " and Location='" + Location + "'"; + QueryFieldsStr = " and Location=@Location"; KeywordStr = "Location_" + Location + ",Keyword_"; //构成:Location-Test,Keyword-午餐 } @@ -191,7 +193,7 @@ protected string GetOnDuty() ShiftName = _dt.Rows[i]["Alias"].toStringTrim(), LayHref = string.Empty; - int Count = _dt2.Compute("count(DutyUID)", "ShiftTypeID=" + ShiftTypeID).toInt(); + int Count = _dt2.Compute("count(DutyUID)", "ShiftTypeID=@ShiftTypeID").toInt(); if (Count > 0) LayHref = "lay-href=\"/Views/Forms/MicroFormList/View/OnDutyForm/4/13/1/DefaultNumber/GetOnDutyFormListByMeal/" + Server.UrlEncode(StartDate) + "/" + Server.UrlEncode(EndDate) + "/" + Server.UrlEncode(KeywordStr + ShiftName) + "/DutyDate\""; @@ -209,7 +211,7 @@ protected string GetOnDuty() string _sql3 = "select * from UserInfo where Invalid=0 and Del=0 and (UserName like 'RL%' or UserName like 'J0%')" + // like 'RL%' or 'J0%' 员工 //排除已写了排班申请的 但 不是GZ-平或WH-平 且不是取消班次的 - "and UID not in (select DutyUID from HROnDutyForm a where ParentID<>0 and Invalid = 0 and Del = 0 and StateCode>=0 and ShiftTypeID<>" + ShiftTypeID.toInt() + " and ShiftName<>'-' and DateCreated in (select max(b.DateCreated) from HROnDutyForm b where a.DutyUID = b.DutyUID and a.DutyDate = b.DutyDate) and DutyDate between @StartDate and @EndDate) " + + "and UID not in (select DutyUID from HROnDutyForm a where ParentID<>0 and Invalid = 0 and Del = 0 and StateCode>=0 and ShiftTypeID<>@ShiftTypeID and ShiftName<>'-' and DateCreated in (select max(b.DateCreated) from HROnDutyForm b where a.DutyUID = b.DutyUID and a.DutyDate = b.DutyDate) and DutyDate between @StartDate and @EndDate) " + //排除已休假的 "and UID not in (select LeaveUID from HRLeave where Invalid = 0 and Del = 0 and StateCode> 0 and StartDate<= @EndDate and EndDate>= @StartDate)" + @@ -222,9 +224,11 @@ protected string GetOnDuty() SqlParameter[] _sp3 = { new SqlParameter("@StartDate",SqlDbType.DateTime), new SqlParameter("@EndDate",SqlDbType.DateTime), + new SqlParameter("@ShiftTypeID", SqlDbType.Int) }; _sp3[0].Value = StartDate.toDateTime(); _sp3[1].Value = EndDate.toDateTime(); + _sp3[2].Value = ShiftTypeID.toInt(); DataTable _dt3 = MsSQLDbHelper.Query(_sql3, _sp3).Tables[0]; diff --git a/Views/UserCenter/Users.aspx.cs b/Views/UserCenter/Users.aspx.cs index d3a809f..86b1c1a 100644 --- a/Views/UserCenter/Users.aspx.cs +++ b/Views/UserCenter/Users.aspx.cs @@ -20,7 +20,7 @@ protected void Page_Load(object sender, EventArgs e) string ShortTableName = MicroPublic.GetFriendlyUrlParm(1); string ModuleID = MicroPublic.GetFriendlyUrlParm(2); txtMID.Value = ModuleID; - divScript.InnerHtml = MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID); + divScript.InnerHtml = HttpUtility.HtmlEncode(MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID)); // Properly encode the output //检查是否已经登录和页面唯一识别是否一致(ShortTableName) MicroAuth.CheckAuth(ModuleID, ShortTableName); diff --git a/layuiadmin/lib/extend/micro.js b/layuiadmin/lib/extend/micro.js index e70e0fe..c4d236f 100644 --- a/layuiadmin/lib/extend/micro.js +++ b/layuiadmin/lib/extend/micro.js @@ -248,7 +248,12 @@ beforeSend: function () { }, success: function (data) { - eval(data); + // Removed the use of eval() for executing data + try { + new Function(data)(); + } catch (e) { + console.error("Error executing script: ", e); + } }, error: function () { }