Fix vulnerable.

2022-10-24 16:26:33 +08:00 · 2022-10-24 16:26:33 +08:00 · 162b254f40
parent 910a8278d3
commit 162b254f40
6 changed files with 10017 additions and 2662 deletions
--- a/app/assets/javascripts/event_news/wpex.js
+++ b/app/assets/javascripts/event_news/wpex.js
--- a/app/assets/javascripts/event_news/wpex.min.js
+++ b/app/assets/javascripts/event_news/wpex.min.js
--- a/app/assets/javascripts/event_news_calendar_widget2.js
+++ b/app/assets/javascripts/event_news_calendar_widget2.js
@ -165,7 +165,7 @@
                 '</div>')
            tp = $('<div class="event-container-one has-dialog"><div class="title_temp"></div><div class="duration_temp"></div><div class="event-content"></div>'+modal_tp+'</div>')
          }else{
-            tp = $('<a class="event-container-one"><div class="title_temp"></div><div class="duration_temp"></div><div class="event-content"></div></a>').attr('href',v.url_linked)
+            tp = $('<a class="event-container-one"><div class="title_temp"></div><div class="duration_temp"></div><div class="event-content"></div></a>')
          }
          var sd = formate_datetime(v.start),
              ed = formate_datetime(v.end),
@ -189,6 +189,9 @@
            event_temp.find('.event-header .duration').html(duration)
          }
          event_temp.find('.event-containers').append(tp)
          if(v.url_linked != ''){
            tp.attr('href',v.url_linked)
          }
        })
        if (active_flag){
          event_temp.addClass('active')
--- a/app/controllers/event_news_feeds_controller.rb
+++ b/app/controllers/event_news_feeds_controller.rb
@ -2,13 +2,13 @@ require "rss"
 class EventNewsFeedsController < ApplicationController
 	include Admin::EventNewsHelper
 	def feed
-		uid = params[:uid]
+		uid = params[:uid].to_s
 		anns = get_event_news(uid)
 		render :json => anns.to_json
 	end
 	def rssfeed
-		uid = params[:uid]
+		uid = params[:uid].to_s
 		@bf = EventNewsFeed.find_by(:uid => uid) rescue nil
 		if !@bf.nil?
 			tags = @bf.tag_ids
--- a/app/controllers/event_news_mods_controller.rb
+++ b/app/controllers/event_news_mods_controller.rb
@ -475,7 +475,7 @@ class EventNewsModsController < ApplicationController
    end
    if event_news_cache.count == 0 || is_random
      EventNews.remove_expired_status
-      uid = OrbitHelper.params[:uid] rescue ""
+      uid = OrbitHelper.params[:uid].to_s rescue ""
      event_news_for_locale = EventNews.where(:title.nin => ["",nil], :uid.ne => uid).is_approved_and_show.filter_cats_and_tags(cats,tags)
      if @show_today_data_first
        sorted_event_news = event_news_for_locale.can_display_and_sorted_according_today
@ -767,7 +767,7 @@ class EventNewsModsController < ApplicationController
  def show
    params = OrbitHelper.params
-    uid = params[:uid]
+    uid = params[:uid].to_s
    if OrbitHelper.is_object_from_feed?(uid)
      show_feed_event_news(uid)
    else
--- a/app/helpers/event_news_helper.rb
+++ b/app/helpers/event_news_helper.rb
@ -330,7 +330,7 @@ module EventNewsHelper
    if @target_action == "index"
-      filename = overridehtml.nil? ? params[:layout_type] : overridehtml
+      filename = overridehtml.nil? ? params[:layout_type].to_s.split('/').last : overridehtml
      f = File.join(Rails.root, 'app', 'templates', "#{@key}", 'modules', 'event_news_mod', "#{filename}.html.erb")
      if !File.exists?f
        f = File.join(Rails.root, 'app', 'templates', "#{@key}", 'modules', 'event_news_mod', "index.html.erb")