HalngYao · eunsol1530 · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025
diff --git a/Resource/Js/Admin.js b/Resource/Js/Admin.js
@@ -14,8 +14,12 @@ function getRootPath() {
 
 //判断url是否在iframe打开
 if (window.frames.length == parent.frames.length) {
-    //alert('不在iframe中' + window.document.location.href);
-    window.location.replace(getRootPath() + '/Views/Default?url=' + encodeURIComponent(window.document.location.href));
+    // Validate the URL to prevent Open Redirect
+    var currentUrl = window.document.location.href;
+    var allowedDomain = getRootPath();
+    if (currentUrl.startsWith(allowedDomain)) {
+        window.location.replace(getRootPath() + '/Views/Default?url=' + encodeURIComponent(currentUrl));
+    }
     //window.location.replace(getRootPath() + '/Views/Default?url=' + window.document.location.href);
 }
 

diff --git a/Resource/fullcalendar/examples/google-calendar.html b/Resource/fullcalendar/examples/google-calendar.html
@@ -22,7 +22,7 @@
       // THIS KEY WON'T WORK IN PRODUCTION!!!
       // To make your own Google API key, follow the directions here:
       // http://fullcalendar.io/docs/google_calendar/
-      googleCalendarApiKey: 'AIzaSyDcnW6WejpTOCffshGDDb4neIrXVUA1EAE',
+      googleCalendarApiKey: process.env.GOOGLE_CALENDAR_API_KEY,
 
       // US Holidays
       events: 'en.usa#holiday@group.v.calendar.google.com',

diff --git a/Scripts/WebForms/SmartNav.js b/Scripts/WebForms/SmartNav.js
@@ -31,7 +31,10 @@ if ((typeof(window.__smartNav) == "undefined") || (window.__smartNav == null))
 		var fdurlb = fdurl.split("?")[0];
 		if (document.location.href.indexOf(fdurlb) < 0)
 		{
-            document.location.href=fdurl;
+            // Ensure the URL is within the expected domain
+            if (fdurl.startsWith(window.location.origin)) {
+                document.location.href = fdurl;
+            }
 		    return;
 		}
 		sn._savedOnLoad = window.onload;

diff --git a/Views/Default.aspx b/Views/Default.aspx
@@ -73,7 +73,7 @@
                   <i class="layui-icon layui-icon-notice"></i>    
                   <!-- 如果有新消息，则显示小圆点 -->
                   <%--<span class="layui-badge-dot"></span>--%>
-                  <span id="spanNotice"><%= Notice %></span>
+                  <span id="spanNotice"><%= HttpUtility.HtmlEncode(Notice) %></span>
                 </a>
               </li>
               <li style="left:12px;" class="layui-nav-item layui-hide-xs" lay-tips="配色方案" lay-unselect>
@@ -172,4 +172,4 @@
     <script src='<%: ResolveUrl("~/Views/Js/Default.js?ver="+ DateTime.Now.ToFileTime()+"")%>'></script>
     </form>
 </body>
-</html>
+</html>
diff --git a/Views/Default.aspx.cs b/Views/Default.aspx.cs
@@ -55,8 +55,10 @@ protected void Page_Load(object sender, EventArgs e)
                 }
 
                 //在线状态
-                string _sql2 = "select * from UserState where Invalid=0 and Del=0 and UID=" + UID;
-                DataTable _dt2 = MsSQLDbHelper.Query(_sql2).Tables[0];
+                string _sql2 = "select * from UserState where Invalid=0 and Del=0 and UID=@UID";
+                SqlParameter[] _sp2 = { new SqlParameter("@UID", SqlDbType.Int) };
+                _sp2[0].Value = UID.toInt();
+                DataTable _dt2 = MsSQLDbHelper.Query(_sql2, _sp2).Tables[0];
 
                 if (_dt2 != null && _dt2.Rows.Count > 0)
                 {

diff --git a/Views/Forms/Forms.aspx.cs b/Views/Forms/Forms.aspx.cs
@@ -20,7 +20,7 @@ protected void Page_Load(object sender, EventArgs e)
         string ShortTableName = MicroPublic.GetFriendlyUrlParm(1);
         string ModuleID = MicroPublic.GetFriendlyUrlParm(2);
         txtMID.Value = ModuleID;
-        divScript.InnerHtml = MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID);
+        divScript.InnerHtml = HttpUtility.HtmlEncode(MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID)); // Sanitize the output
 
         //检查是否已经登录和页面唯一识别是否一致（ShortTableName）
         MicroAuth.CheckAuth(ModuleID, ShortTableName);

diff --git a/Views/Forms/HR/Js/LeaveForm.js b/Views/Forms/HR/Js/LeaveForm.js
@@ -309,7 +309,7 @@
 
             var parms = { "Val": uid, "TypeID": holidayTypeID, "Date": encodeURI(overtimeDate), "TypeName": holidayTypeName };
             $.getJSON('/Views/Forms/HR/GetLeaveTips.ashx', parms, function (data) {
-                $('#divShowLeave').html(data.Tips);
+                $('#divShowLeave').html(DOMPurify.sanitize(data.Tips)); // Sanitize the input before inserting into HTML
                 $('#hidAvailableNumber').val(data.Days);
 
                 leaveDays = $('#selLeaveDays').val();
@@ -346,7 +346,7 @@
         setLeaveEndDateTime: function (startDate, startTime, leaveDays, leaveHour, leaveUID) {
 
             var startDateTime = startDate + ' ' + startTime;
-            $.getJSON('/Views/Forms/HR/GetLeaveDateTime.ashx', { "StartDateTime": encodeURI(startDateTime), "LeaveDays": encodeURI(leaveDays), "LeaveHour": encodeURI(leaveHour), "LeaveUID": encodeURI(leaveUID) }, function (data) {
+            $..getJSON('/Views/Forms/HR/GetLeaveDateTime.ashx', { "StartDateTime": encodeURI(startDateTime), "LeaveDays": encodeURI(leaveDays), "LeaveHour": encodeURI(leaveHour), "LeaveUID": encodeURI(leaveUID) }, function (data) {
                 $('#txtEndDate').val(data[0].EndDate);
                 $('#txtEndTime').val(data[0].EndTime);
                 mGet.setHidStartEndDateTime(startDate, startTime, data[0].EndDate, data[0].EndTime);

diff --git a/Views/Forms/HR/OnDutyFormList.aspx.cs b/Views/Forms/HR/OnDutyFormList.aspx.cs
@@ -39,7 +39,7 @@ protected void Page_Load(object sender, EventArgs e)
 
 
         var getFormAttr = MicroForm.GetFormAttr(ShortTableName, FormID);
-        spanTitle.InnerHtml = getFormAttr.FormName + getFormAttr.Description;  //表单名称和描述
+        spanTitle.InnerHtml = HttpUtility.HtmlEncode(getFormAttr.FormName + getFormAttr.Description);  //表单名称和描述
         spanWorkFlow.Visible = MicroAuth.CheckPermit(ModuleID, "3");  //是否显示修改流程
         string Note = getFormAttr.Note;
         if (!string.IsNullOrEmpty(Note))

diff --git a/Views/Forms/HR/OvertimeFormList.aspx.cs b/Views/Forms/HR/OvertimeFormList.aspx.cs
@@ -41,13 +41,13 @@ protected void Page_Load(object sender, EventArgs e)
 
 
             var getFormAttr = MicroForm.GetFormAttr(ShortTableName, FormID);
-            spanTitle.InnerHtml = getFormAttr.FormName + getFormAttr.Description;  //表单名称和描述
+            spanTitle.InnerHtml = HttpUtility.HtmlEncode(getFormAttr.FormName + getFormAttr.Description);  //表单名称和描述
             spanWorkFlow.Visible = MicroAuth.CheckPermit(ModuleID, "3");  //是否显示修改流程
             string Note = getFormAttr.Note;
             if (!string.IsNullOrEmpty(Note))
             {
                 divNote.Visible = true;
-                spanNote.InnerHtml = Note;
+                spanNote.InnerHtml = HttpUtility.HtmlEncode(Note);
             }
 
             string FormsID = MicroPublic.GetFriendlyUrlParm(4);
@@ -73,8 +73,8 @@ protected void Page_Load(object sender, EventArgs e)
             if (!string.IsNullOrEmpty(ShortTableName) && !string.IsNullOrEmpty(FormID) && !string.IsNullOrEmpty(FormsID))
             {
                 var getFormRecordAttr = MicroWorkFlow.GetFormRecordAttr(ShortTableName, FormID, FormsID);
-                txtFormNumber.Value = getFormRecordAttr.FormNumber;
-                txtFormState.Value = getFormRecordAttr.FormState;
+                txtFormNumber.Value = HttpUtility.HtmlEncode(getFormRecordAttr.FormNumber);
+                txtFormState.Value = HttpUtility.HtmlEncode(getFormRecordAttr.FormState);
                 StateCode = getFormRecordAttr.StateCode;
                 IsRecordExists = getFormRecordAttr.IsRecordExists;
             }
@@ -152,9 +152,13 @@ protected void Page_Load(object sender, EventArgs e)
 
             //判断草稿箱是否有记录，若有记录要先处理掉才能进行新增操作
             string UID = MicroUserHelper.MicroUserInfo.GetUserInfo("UID");
-            string _sql = "select * from HROvertime where Invalid=0 and Del=0 and StateCode>=-4 and StateCode<=-1 and UID=" + UID.toInt() + " and OvertimeTypeID=(select OvertimeTypeID from HROvertimeType where Invalid=0 and Del=0 and FormID=@FormID)";
-            SqlParameter[] _sp = { new SqlParameter("@FormID", SqlDbType.Int) };
+            string _sql = "select * from HROvertime where Invalid=0 and Del=0 and StateCode>=-4 and StateCode<=-1 and UID=@UID and OvertimeTypeID=(select OvertimeTypeID from HROvertimeType where Invalid=0 and Del=0 and FormID=@FormID)";
+            SqlParameter[] _sp = {
+                new SqlParameter("@FormID", SqlDbType.Int),
+                new SqlParameter("@UID", SqlDbType.Int)
+            };
             _sp[0].Value = FormID.toInt();
+            _sp[1].Value = UID.toInt();
 
             DataTable _dt = MsSQLDbHelper.Query(_sql, _sp).Tables[0];
 

diff --git a/Views/Forms/MicroFormApproval.aspx.cs b/Views/Forms/MicroFormApproval.aspx.cs
@@ -345,9 +345,10 @@ private string GetBatchApprovalHtmlCode(string Action, string ShortTableName, st
 
                 if (_dt2 != null && _dt2.Rows.Count > 0)
                 {
-                    string _sql3 = "select a.*,b.WFID ,b.FlowName ,b.FlowCode ,b.Alias ,b.EffectiveType ,b.EffectiveIDStr ,b.IsConditionApproval ,b.OperField ,b.Condition ,b.OperValue ,b.CustomConditions ,b.ApprovalType ,b.ApprovalIDStr ,b.ApprovalByIDStr ,b.IsSync ,b.Creator ,b.DefaultFlow ,b.FixedNode ,b.Invalid ,b.Del ,b.IsAccept ,b.ApproversSelectedByDefault ,b.ExtraFunction ,b.IsOptionalApproval ,b.IsSpecialApproval ,b.IsVerticalDirection ,b.Description from FormApprovalRecords a left join WorkFlow b on a.WorkFlowID=b.WFID where a.Invalid=0 and a.Del=0 and a.FormID = @FormID and a.FormsID in (" + FormsIDs + ") order by a.FormsID,a.Sort ";
-                    SqlParameter[] _sp3 = { new SqlParameter("@FormID", SqlDbType.Int) };
+                    string _sql3 = "select a.*,b.WFID ,b.FlowName ,b.FlowCode ,b.Alias ,b.EffectiveType ,b.EffectiveIDStr ,b.IsConditionApproval ,b.OperField ,b.Condition ,b.OperValue ,b.CustomConditions ,b.ApprovalType ,b.ApprovalIDStr ,b.ApprovalByIDStr ,b.IsSync ,b.Creator ,b.DefaultFlow ,b.FixedNode ,b.Invalid ,b.Del ,b.IsAccept ,b.ApproversSelectedByDefault ,b.ExtraFunction ,b.IsOptionalApproval ,b.IsSpecialApproval ,b.IsVerticalDirection ,b.Description from FormApprovalRecords a left join WorkFlow b on a.WorkFlowID=b.WFID where a.Invalid=0 and a.Del=0 and a.FormID = @FormID and a.FormsID in (SELECT value FROM STRING_SPLIT(@FormsIDs, ',')) order by a.FormsID,a.Sort ";
+                    SqlParameter[] _sp3 = { new SqlParameter("@FormID", SqlDbType.Int), new SqlParameter("@FormsIDs", SqlDbType.VarChar) };
                     _sp3[0].Value = FormID.toInt();
+                    _sp3[1].Value = FormsIDs;
 
                     DataTable _dt3 = MsSQLDbHelper.Query(_sql3, _sp3).Tables[0];
 

diff --git a/Views/Forms/MicroFormList.aspx.cs b/Views/Forms/MicroFormList.aspx.cs
@@ -89,7 +89,7 @@ protected void Page_Load(object sender, EventArgs e)
         }
 
         DataTable _dtForms = MicroDataTable.GetDataTable("Forms");
-        string LinkAddress = _dtForms.Select("FormID=" + FormID.toInt())[0]["LinkAddress"].toStringTrim();
+        string LinkAddress = HttpUtility.HtmlEncode(_dtForms.Select("FormID=" + FormID.toInt())[0]["LinkAddress"].toStringTrim());
         if (!string.IsNullOrEmpty(LinkAddress))
             txtLinkAddress.Value = LinkAddress;
 

diff --git a/Views/Forms/SysFormList.aspx.cs b/Views/Forms/SysFormList.aspx.cs
@@ -25,7 +25,7 @@ protected void Page_Load(object sender, EventArgs e)
         var GetTableAttr = MicroDTHelper.MicroDataTable.GetTableAttr(MicroPublic.GetTableName(ShortTableName));
         txtPrimaryKeyName.Value = "data." + GetTableAttr.PrimaryKeyName;
 
-        divScript.InnerHtml = MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID);  //例FormAppType
+        divScript.InnerHtml = HttpUtility.HtmlEncode(MicroForm.GetLayCheckBoxTpl(ShortTableName, ModuleID));  //例FormAppType
 
         MicroAuth.CheckBrowse(ModuleID);