[Autofic] Security Patch 2025-07-18

Resource/Js/Admin.js

@@ -15,7 +15,10 @@ function getRootPath() {
 //判断url是否在iframe打开
 if (window.frames.length == parent.frames.length) {
     //alert('不在iframe中' + window.document.location.href);
-    window.location.replace(getRootPath() + '/Views/Default?url=' + encodeURIComponent(window.document.location.href));
+    var currentUrl = window.document.location.href;
+    if (currentUrl.startsWith(getRootPath())) {
+        window.location.replace(getRootPath() + '/Views/Default?url=' + encodeURIComponent(currentUrl));
+    }
     //window.location.replace(getRootPath() + '/Views/Default?url=' + window.document.location.href);
 }
 

Resource/fullcalendar/examples/google-calendar.html

@@ -22,7 +22,7 @@
       // THIS KEY WON'T WORK IN PRODUCTION!!!
       // To make your own Google API key, follow the directions here:
       // http://fullcalendar.io/docs/google_calendar/
-      googleCalendarApiKey: 'AIzaSyDcnW6WejpTOCffshGDDb4neIrXVUA1EAE',
+      googleCalendarApiKey: process.env.GOOGLE_CALENDAR_API_KEY || '',
 
       // US Holidays
       events: 'en.usa#holiday@group.v.calendar.google.com',

Scripts/WebForms/SmartNav.js

@@ -31,7 +31,9 @@ if ((typeof(window.__smartNav) == "undefined") || (window.__smartNav == null))
 		var fdurlb = fdurl.split("?")[0];
 		if (document.location.href.indexOf(fdurlb) < 0)
 		{
-            document.location.href=fdurl;
+            // Sanitize the URL before redirecting
+            var sanitizedUrl = new URL(fdurl, window.location.origin).href;
+            document.location.href = sanitizedUrl;
 		    return;
 		}
 		sn._savedOnLoad = window.onload;

Views/Default.aspx

@@ -73,7 +73,7 @@
                   <i class="layui-icon layui-icon-notice"></i>    
                   <!-- 如果有新消息，则显示小圆点 -->
                   <%--<span class="layui-badge-dot"></span>--%>
-                  <span id="spanNotice"><%= Notice %></span>
+                  <span id="spanNotice"><%= HttpUtility.HtmlEncode(Notice) %></span>
                 </a>
               </li>
               <li style="left:12px;" class="layui-nav-item layui-hide-xs" lay-tips="配色方案" lay-unselect>
@@ -172,4 +172,4 @@
     <script src='<%: ResolveUrl("~/Views/Js/Default.js?ver="+ DateTime.Now.ToFileTime()+"")%>'></script>
     </form>
 </body>
-</html>
+</html>

Views/Default.aspx.cs

@@ -55,8 +55,10 @@ protected void Page_Load(object sender, EventArgs e)
                 }
 
                 //在线状态
-                string _sql2 = "select * from UserState where Invalid=0 and Del=0 and UID=" + UID;
-                DataTable _dt2 = MsSQLDbHelper.Query(_sql2).Tables[0];
+                string _sql2 = "select * from UserState where Invalid=0 and Del=0 and UID=@UID";
+                SqlParameter[] _sp2 = { new SqlParameter("@UID", SqlDbType.Int) };
+                _sp2[0].Value = UID.toInt();
+                DataTable _dt2 = MsSQLDbHelper.Query(_sql2, _sp2).Tables[0];
 
                 if (_dt2 != null && _dt2.Rows.Count > 0)
                 {

Views/Forms/Forms.aspx.cs

@@ -20,7 +20,7 @@ protected void Page_Load(object sender, EventArgs e)
         string ShortTableName = MicroPublic.GetFriendlyUrlParm(1);
         string ModuleID = MicroPublic.GetFriendlyUrlParm(2);
         txtMID.Value = ModuleID;
-        divScript.InnerHtml = MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID);
+        divScript.InnerHtml = HttpUtility.HtmlEncode(MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID));
 
         //检查是否已经登录和页面唯一识别是否一致（ShortTableName）
         MicroAuth.CheckAuth(ModuleID, ShortTableName);

Views/Forms/HR/Js/LeaveForm.js

@@ -309,7 +309,7 @@
 
             var parms = { "Val": uid, "TypeID": holidayTypeID, "Date": encodeURI(overtimeDate), "TypeName": holidayTypeName };
             $.getJSON('/Views/Forms/HR/GetLeaveTips.ashx', parms, function (data) {
-                $('#divShowLeave').html(data.Tips);
+                $('#divShowLeave').html(escapeHtml(data.Tips)); // Escape HTML special characters
                 $('#hidAvailableNumber').val(data.Days);
 
                 leaveDays = $('#selLeaveDays').val();
@@ -497,4 +497,14 @@
 
     });
 
+    // Function to escape HTML special characters
+    function escapeHtml(unsafe) {
+        return unsafe
+            .replace(/&/g, "&")
+            .replace(/</g, "&lt;")
+            .replace(/>/g, "&gt;")
+            .replace(/"/g, "&quot;")
+            .replace(/'/g, "&#039;");
+    }
+
 });

Views/Forms/HR/OnDutyFormList.aspx.cs

@@ -39,7 +39,7 @@ protected void Page_Load(object sender, EventArgs e)
 
 
         var getFormAttr = MicroForm.GetFormAttr(ShortTableName, FormID);
-        spanTitle.InnerHtml = getFormAttr.FormName + getFormAttr.Description;  //表单名称和描述
+        spanTitle.InnerHtml = HttpUtility.HtmlEncode(getFormAttr.FormName + getFormAttr.Description);  //表单名称和描述
         spanWorkFlow.Visible = MicroAuth.CheckPermit(ModuleID, "3");  //是否显示修改流程
         string Note = getFormAttr.Note;
         if (!string.IsNullOrEmpty(Note))

Views/Forms/HR/OvertimeFormList.aspx.cs

@@ -41,13 +41,13 @@ protected void Page_Load(object sender, EventArgs e)
 
 
             var getFormAttr = MicroForm.GetFormAttr(ShortTableName, FormID);
-            spanTitle.InnerHtml = getFormAttr.FormName + getFormAttr.Description;  //表单名称和描述
+            spanTitle.InnerHtml = HttpUtility.HtmlEncode(getFormAttr.FormName + getFormAttr.Description);  //表单名称和描述
             spanWorkFlow.Visible = MicroAuth.CheckPermit(ModuleID, "3");  //是否显示修改流程
             string Note = getFormAttr.Note;
             if (!string.IsNullOrEmpty(Note))
             {
                 divNote.Visible = true;
-                spanNote.InnerHtml = Note;
+                spanNote.InnerHtml = HttpUtility.HtmlEncode(Note);
             }
 
             string FormsID = MicroPublic.GetFriendlyUrlParm(4);
@@ -152,9 +152,13 @@ protected void Page_Load(object sender, EventArgs e)
 
             //判断草稿箱是否有记录，若有记录要先处理掉才能进行新增操作
             string UID = MicroUserHelper.MicroUserInfo.GetUserInfo("UID");
-            string _sql = "select * from HROvertime where Invalid=0 and Del=0 and StateCode>=-4 and StateCode<=-1 and UID=" + UID.toInt() + " and OvertimeTypeID=(select OvertimeTypeID from HROvertimeType where Invalid=0 and Del=0 and FormID=@FormID)";
-            SqlParameter[] _sp = { new SqlParameter("@FormID", SqlDbType.Int) };
+            string _sql = "select * from HROvertime where Invalid=0 and Del=0 and StateCode>=-4 and StateCode<=-1 and UID=@UID and OvertimeTypeID=(select OvertimeTypeID from HROvertimeType where Invalid=0 and Del=0 and FormID=@FormID)";
+            SqlParameter[] _sp = {
+                new SqlParameter("@FormID", SqlDbType.Int),
+                new SqlParameter("@UID", SqlDbType.Int)
+            };
             _sp[0].Value = FormID.toInt();
+            _sp[1].Value = UID.toInt();
 
             DataTable _dt = MsSQLDbHelper.Query(_sql, _sp).Tables[0];
 

Views/Forms/MicroFormList.aspx.cs

@@ -106,7 +106,7 @@ protected void Page_Load(object sender, EventArgs e)
 
             if (_dt != null && _dt.Rows.Count > 0)
             {
-                string QueryBaseDescription = _dt.Rows[0]["QueryBaseDescription"].toStringTrim();
+                string QueryBaseDescription = HttpUtility.HtmlEncode(_dt.Rows[0]["QueryBaseDescription"].toStringTrim());
                 if (!string.IsNullOrEmpty(QueryBaseDescription))
                 {
                     iconDescription.Visible = true;

Views/Forms/SysFormList.aspx.cs

@@ -25,7 +25,7 @@ protected void Page_Load(object sender, EventArgs e)
         var GetTableAttr = MicroDTHelper.MicroDataTable.GetTableAttr(MicroPublic.GetTableName(ShortTableName));
         txtPrimaryKeyName.Value = "data." + GetTableAttr.PrimaryKeyName;
 
-        divScript.InnerHtml = MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID);  //例FormAppType
+        divScript.InnerHtml = HttpUtility.HtmlEncode(MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID));  //例FormAppType
 
         MicroAuth.CheckBrowse(ModuleID);