diff --git a/CoreCms.Net.Utility/Helper/CommonHelper.cs b/CoreCms.Net.Utility/Helper/CommonHelper.cs
index 3d16271..6415dc0 100644
--- a/CoreCms.Net.Utility/Helper/CommonHelper.cs
+++ b/CoreCms.Net.Utility/Helper/CommonHelper.cs
@@ -664,5 +664,19 @@ namespace CoreCms.Net.Utility.Helper
 return t;
 }
+ #region 检测提交的内容是否包含非法信息
+
+ ///
+ /// 检测提交的内容是否包含非法信息。
+ ///
+ ///
+ ///
+ public static bool CheckData(string inputData)
+ {
+ var strRegex = @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
+ return Regex.IsMatch(inputData, strRegex);
+ }
+ #endregion
+
 }
 }
diff --git a/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs b/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs
index 7c65aab..6fd0876 100644
--- a/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs
+++ b/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs
@@ -13,6 +13,7 @@ using System.Collections.Generic;
 using System.Globalization;
 using System.IO;
 using System.Linq;
+using System.Text;
 using System.Threading.Tasks;
 using Aliyun.OSS;
 using Aliyun.OSS.Util;
@@ -291,6 +292,18 @@ namespace CoreCms.Net.Web.WebApi.Controllers
 return jm;
 }
+ // 使用StreamReader来读取文件内容
+ using (var reader = new StreamReader(file.OpenReadStream(), Encoding.UTF8))
+ {
+ var content = await reader.ReadToEndAsync(); // 注意:这可能会消耗大量内存对于大文件,所以需要限制上传大小
+ // 检查内容是否合法
+ if (CommonHelper.CheckData(content))
+ {
+ jm.msg = "请勿提交非法数据。";
+ return jm;
+ }
+ }
+
 string url = string.Empty;
 if (filesStorageOptions.StorageType == GlobalEnumVars.FilesStorageOptionsType.LocalStorage.ToString())
 {
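Review bot: `CheckData` feeds an untrusted, potentially large upload body to the static `Regex.IsMatch(string, string)` overload, which runs with no match timeout unless one is configured process-wide, and the pattern chains lazy quantifiers over arbitrary text (`<[^>]*?=[^>]*?&#[^>]*?>`, `UNION.+?SELECT`, `\b(and|or)\b.{1,6}?(=|>|<|…)`), so a long line can cost well beyond linear time per request; hold the pattern in a `static readonly Regex` constructed with a `TimeSpan` match timeout and treat `RegexMatchTimeoutException` as a rejection. That overload also throws `ArgumentNullException` for a null `inputData`, which a predicate-style public helper should not do — return `false` for null or empty input instead. The pattern is case-sensitive (no `RegexOptions.IgnoreCase`) yet mixes lowercase words (`alert`, `and|or`) with uppercase SQL keywords, so its coverage is inconsistent and the intended behaviour should be stated explicitly. A keyword blacklist over free text is a heuristic, not a sanitizer — it rejects ordinary prose containing `update … set` or `or … =` while parameterized queries and output encoding remain the actual controls — and the `<summary>` should say so, so that callers do not rely on it as their only defence.
```csharp
// Single compiled instance with a match budget so one pathological upload cannot stall the request.
private static readonly Regex s_illegalContentRegex = new Regex(
    @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)",
    RegexOptions.None,
    TimeSpan.FromMilliseconds(250)); // placeholder budget — size it to the maximum accepted upload

/// <summary>
/// Heuristic check for HTML/SQL keyword patterns in submitted text. Not a sanitizer:
/// parameterized queries and output encoding remain the actual defences.
/// </summary>
/// <param name="inputData">Text to scan; null or empty is treated as clean.</param>
/// <returns>true when a pattern matches or the match budget is exhausted; otherwise false.</returns>
public static bool CheckData(string inputData)
{
    if (string.IsNullOrEmpty(inputData))
    {
        return false;
    }

    try
    {
        return s_illegalContentRegex.IsMatch(inputData);
    }
    catch (RegexMatchTimeoutException)
    {
        // Fail closed: input that exhausts the budget is rejected rather than let through.
        return true;
    }
}
```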
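Review bot: The whole upload is materialized as a string by `reader.ReadToEndAsync()` while the inline comment only warns that a size limit is needed instead of enforcing one; before the `using`, reject or skip the scan when `file.Length` exceeds a configured cap, e.g. `if (file.Length > maxScanBytes) { jm.msg = "<too-large message>"; return jm; }` with `maxScanBytes` standing in for whatever limit the options already define (the action starts above the hunk, so a limit may already exist there — if so, name it in the comment rather than leaving a warning). Decoding the stream as UTF-8 is only meaningful for text-type uploads; if this endpoint also accepts binary files such as images, the decoded noise is scanned for SQL/HTML keywords and can yield spurious `请勿提交非法数据。` rejections, so gate the scan on the content type or extension validated earlier. `file.OpenReadStream()` is presumably called again by the storage code below the hunk; for `IFormFile` each call returns a fresh stream, so consuming it here should be safe, but that is worth confirming for both `filesStorageOptions` branches. If the project targets C# 8 or later, `using var reader = new StreamReader(file.OpenReadStream(), Encoding.UTF8);` removes one level of nesting without changing disposal semantics.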