提交 7d9b05f5 编写于 作者: J Jinqn

修复xss漏洞

上级 17cee0b3
......@@ -16,6 +16,6 @@ UE.I18N = {};
UE._customizeUI = {};
UE.version = "1.4.2";
UE.version = "1.4.3";
var dom = UE.dom = {};
\ No newline at end of file
......@@ -47,10 +47,10 @@ UE.plugins['fiximgclick'] = (function () {
});
for (i = 0; i < 8; i++) {
hands.push('<span class="edui-editor-scale-hand' + i + '"></span>');
hands.push('<span class="edui-editor-imagescale-hand' + i + '"></span>');
}
resizer.id = me.editor.ui.id + '_imagescale';
resizer.className = 'edui-editor-scale';
resizer.className = 'edui-editor-imagescale';
resizer.innerHTML = hands.join('');
resizer.style.cssText += ';display:none;border:1px solid #3b77ff;z-index:' + (me.editor.options.zIndex) + ';';
......@@ -61,16 +61,16 @@ UE.plugins['fiximgclick'] = (function () {
me.initEvents();
},
initStyle: function () {
utils.cssRule('imagescale', '.edui-editor-scale{display:none;position:absolute;border:1px solid #38B2CE;cursor:hand;-webkit-box-sizing: content-box;-moz-box-sizing: content-box;box-sizing: content-box;}' +
'.edui-editor-scale span{position:absolute;width:6px;height:6px;overflow:hidden;font-size:0px;display:block;background-color:#3C9DD0;}'
+ '.edui-editor-scale .edui-editor-scale-hand0{cursor:nw-resize;top:0;margin-top:-4px;left:0;margin-left:-4px;}'
+ '.edui-editor-scale .edui-editor-scale-hand1{cursor:n-resize;top:0;margin-top:-4px;left:50%;margin-left:-4px;}'
+ '.edui-editor-scale .edui-editor-scale-hand2{cursor:ne-resize;top:0;margin-top:-4px;left:100%;margin-left:-3px;}'
+ '.edui-editor-scale .edui-editor-scale-hand3{cursor:w-resize;top:50%;margin-top:-4px;left:0;margin-left:-4px;}'
+ '.edui-editor-scale .edui-editor-scale-hand4{cursor:e-resize;top:50%;margin-top:-4px;left:100%;margin-left:-3px;}'
+ '.edui-editor-scale .edui-editor-scale-hand5{cursor:sw-resize;top:100%;margin-top:-3px;left:0;margin-left:-4px;}'
+ '.edui-editor-scale .edui-editor-scale-hand6{cursor:s-resize;top:100%;margin-top:-3px;left:50%;margin-left:-4px;}'
+ '.edui-editor-scale .edui-editor-scale-hand7{cursor:se-resize;top:100%;margin-top:-3px;left:100%;margin-left:-3px;}');
utils.cssRule('imagescale', '.edui-editor-imagescale{display:none;position:absolute;border:1px solid #38B2CE;cursor:hand;-webkit-box-sizing: content-box;-moz-box-sizing: content-box;box-sizing: content-box;}' +
'.edui-editor-imagescale span{position:absolute;width:6px;height:6px;overflow:hidden;font-size:0px;display:block;background-color:#3C9DD0;}'
+ '.edui-editor-imagescale .edui-editor-imagescale-hand0{cursor:nw-resize;top:0;margin-top:-4px;left:0;margin-left:-4px;}'
+ '.edui-editor-imagescale .edui-editor-imagescale-hand1{cursor:n-resize;top:0;margin-top:-4px;left:50%;margin-left:-4px;}'
+ '.edui-editor-imagescale .edui-editor-imagescale-hand2{cursor:ne-resize;top:0;margin-top:-4px;left:100%;margin-left:-3px;}'
+ '.edui-editor-imagescale .edui-editor-imagescale-hand3{cursor:w-resize;top:50%;margin-top:-4px;left:0;margin-left:-4px;}'
+ '.edui-editor-imagescale .edui-editor-imagescale-hand4{cursor:e-resize;top:50%;margin-top:-4px;left:100%;margin-left:-3px;}'
+ '.edui-editor-imagescale .edui-editor-imagescale-hand5{cursor:sw-resize;top:100%;margin-top:-3px;left:0;margin-left:-4px;}'
+ '.edui-editor-imagescale .edui-editor-imagescale-hand6{cursor:s-resize;top:100%;margin-top:-3px;left:50%;margin-left:-4px;}'
+ '.edui-editor-imagescale .edui-editor-imagescale-hand7{cursor:se-resize;top:100%;margin-top:-3px;left:100%;margin-left:-3px;}');
},
initEvents: function () {
var me = this;
......@@ -83,7 +83,7 @@ UE.plugins['fiximgclick'] = (function () {
switch (e.type) {
case 'mousedown':
var hand = e.target || e.srcElement, hand;
if (hand.className.indexOf('edui-editor-scale-hand') != -1 && me.dragId == -1) {
if (hand.className.indexOf('edui-editor-imagescale-hand') != -1 && me.dragId == -1) {
me.dragId = hand.className.slice(-1);
me.startPos.x = me.prePos.x = e.clientX;
me.startPos.y = me.prePos.y = e.clientY;
......@@ -256,7 +256,7 @@ UE.plugins['fiximgclick'] = (function () {
if(imageScale.target) me.selection.getRange().selectNode(imageScale.target).select();
}, _mouseDownHandler = function (e) {
var ele = e.target || e.srcElement;
if (ele && (ele.className===undefined || ele.className.indexOf('edui-editor-scale') == -1)) {
if (ele && (ele.className===undefined || ele.className.indexOf('edui-editor-imagescale') == -1)) {
_keyDownHandler(e);
}
}, timer;
......@@ -282,7 +282,7 @@ UE.plugins['fiximgclick'] = (function () {
domUtils.on(imageScale.resizer, 'mousedown', function (e) {
me.selection.getNative().removeAllRanges();
var ele = e.target || e.srcElement;
if (ele && ele.className.indexOf('edui-editor-scale-hand') == -1) {
if (ele && ele.className.indexOf('edui-editor-imagescale-hand') == -1) {
timer = setTimeout(function () {
imageScale.hide();
if(imageScale.target) me.selection.getRange().selectNode(ele).select();
......@@ -291,7 +291,7 @@ UE.plugins['fiximgclick'] = (function () {
});
domUtils.on(imageScale.resizer, 'mouseup', function (e) {
var ele = e.target || e.srcElement;
if (ele && ele.className.indexOf('edui-editor-scale-hand') == -1) {
if (ele && ele.className.indexOf('edui-editor-imagescale-hand') == -1) {
clearTimeout(timer);
}
});
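Review bot: The class-name checks on the new side of this section (`hand.className.indexOf('edui-editor-imagescale-hand') != -1` in the `mousedown` case, and the same pattern in `_mouseDownHandler` and in the resizer `mousedown`/`mouseup` handlers) still match by substring, so any class whose text merely contains that string is treated as a scale handle; the rename chooses a less collision-prone name but leaves that brittleness in place. A token-bounded test such as `/(^|\s)edui-editor-imagescale-hand\d(\s|$)/.test(hand.className)` would make the match exact, and the `'edui-editor-imagescale'` check in `_mouseDownHandler` could be tightened the same way. The commit title describes an XSS fix, but the hunks visible here are a class rename; the jsonp change named in the changelog presumably lives in a file outside this excerpt and should be reviewed there. The enclosing `UE.plugins['fiximgclick']` closure starts and ends outside these hunks.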
......
#UEditor Change List
##1.4.3
### bug修复&优化
1. 修复jsonp提交的xss漏洞
2. 修复java版本在某些服务器部署环境下找不到配置文件正确位置的bug
3. 修复ZeroClipboard的flash地址参数名称错误
4. 修复getActionUrl的bug
5. 整理代码中的参数到ueditor.config.js里
6. 修复图片拉伸工具和编辑拉伸长高器的样式冲突
##1.4.2
###重构前后端交互功能
1. 前端上传模块统一改用webuploader
2. 整体重构了文件上传的配置方式,改为统一在后端配置,前后端自动打通,[详细文档]()
3. 统一各上传模块的提交地址,各模块通过action参数区分类型,[详细文档]()
4. 提供serverparam命令,可在提交时追加任意参数,[详细文档]()
2. 整体重构了文件上传的配置方式,改为统一在后端配置,前后端自动打通,[详细文档](http://fex.baidu.com/ueditor/#server-server_config)
3. 统一各上传模块的提交地址,各模块通过action参数区分类型,[详细文档](http://fex.baidu.com/ueditor/#server-request_specification)
4. 提供serverparam命令,可在提交时追加任意参数,[详细文档](http://fex.baidu.com/ueditor/#server-server_param)
5. 统一了前端各上传模块的布局样式
6. 支持了在线附件预览和插入
7. 统一了后端返回数据格式,[详细文档]()
7. 统一了后端返回数据格式,[详细文档](http://fex.baidu.com/ueditor/#server-request_specification)
8. 各在线预览列表模块支持分组加载
9. 增加点击直接选择文件上传图片插件
10. 优化了粘贴图片的功能,上传时有loading和出错的提示
......
......@@ -2,7 +2,7 @@
"name": "ueditor",
"title": "ueditor",
"description": "UEditor富文本web编辑器",
"version": "1.4.2",
"version": "1.4.3",
"homepage": "http://ueditor.baidu.com/",
"author": {
"name": "f-cube @ FEX",
......