npm - @ganwei-web/ganwei-pc-cli - Versions diffs - 6.2.9 → 6.3.2 - Mend

@ganwei-web/ganwei-pc-cli 6.2.9 → 6.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/ganwei-iotcenter-index-6.2.3/packages/ganwei-iotcenter-index/src/utils/xss-filter.ts ADDED Viewed

@@ -0,0 +1,260 @@
+/**
+ * XSS 过滤工具
+ * 用于过滤和清理用户输入，防止 XSS 攻击
+ */
+/**
+ * HTML 实体编码映射
+ */
+const HTML_ENTITIES: Record<string, string> = {
+  '&': '&amp;',
+  '<': '&lt;',
+  '>': '&gt;',
+  '"': '&quot;',
+  "'": '&#x27;',
+  '/': '&#x2F;',
+  '`': '&#x60;',
+  '=': '&#x3D;'
+}
+/**
+ * 危险 HTML 标签正则
+ */
+const DANGEROUS_TAGS_REGEX =
+  /<(script|iframe|object|embed|form|input|button|textarea|select|style|link|meta|base)[^>]*>.*?<\/\1>|<(script|iframe|object|embed|form|input|button|textarea|select|style|link|meta|base)[^>]*\/?>/gi
+/**
+ * 危险属性正则
+ */
+const DANGEROUS_ATTRS_REGEX = /\s(on\w+|href|src|action|formaction|data|dynsrc|lowsrc)\s*=\s*(['"]?)[^'">\s]*\2/gi
+/**
+ * javascript: 协议正则
+ */
+const JAVASCRIPT_PROTOCOL_REGEX = /javascript\s*:/gi
+/**
+ * 转义 HTML 特殊字符
+ * @param str - 要转义的字符串
+ * @returns 转义后的字符串
+ * @example
+ * escapeHtml('<script>alert("xss")</script>')
+ * // '&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;'
+ */
+export function escapeHtml(str: string): string {
+  if (!str) return ''
+  return str.replace(/[&<>"'`=/]/g, char => HTML_ENTITIES[char])
+}
+/**
+ * 反转义 HTML 特殊字符
+ * @param str - 要反转义的字符串
+ * @returns 反转义后的字符串
+ */
+export function unescapeHtml(str: string): string {
+  if (!str) return ''
+  const entities: Record<string, string> = {
+    '&amp;': '&',
+    '&lt;': '<',
+    '&gt;': '>',
+    '&quot;': '"',
+    '&#x27;': "'",
+    '&#x2F;': '/',
+    '&#x60;': '`',
+    '&#x3D;': '='
+  }
+  return str.replace(/&(amp|lt|gt|quot|#x27|#x2F|#x60|#x3D);/g, entity => entities[entity] || entity)
+}
+/**
+ * 移除危险 HTML 标签
+ * @param html - HTML 字符串
+ * @returns 清理后的 HTML
+ * @example
+ * stripDangerousTags('<script>alert(1)</script><p>安全</p>')
+ * // '<p>安全</p>'
+ */
+export function stripDangerousTags(html: string): string {
+  if (!html) return ''
+  return html.replace(DANGEROUS_TAGS_REGEX, '')
+}
+/**
+ * 移除危险属性
+ * @param html - HTML 字符串
+ * @returns 清理后的 HTML
+ * @example
+ * stripDangerousAttrs('<div onclick="alert(1)">内容</div>')
+ * // '<div>内容</div>'
+ */
+export function stripDangerousAttrs(html: string): string {
+  if (!html) return ''
+  return html.replace(DANGEROUS_ATTRS_REGEX, '')
+}
+/**
+ * 移除 javascript: 协议
+ * @param str - 字符串
+ * @returns 清理后的字符串
+ */
+export function stripJavascriptProtocol(str: string): string {
+  if (!str) return ''
+  return str.replace(JAVASCRIPT_PROTOCOL_REGEX, '')
+}
+/**
+ * XSS 过滤（完整版）
+ * @param input - 用户输入
+ * @param options - 过滤选项
+ * @returns 过滤后的安全字符串
+ */
+export interface XssFilterOptions {
+  /** 是否转义 HTML，默认 true */
+  escapeHtml?: boolean
+  /** 是否移除危险标签，默认 true */
+  stripDangerousTags?: boolean
+  /** 是否移除危险属性，默认 true */
+  stripDangerousAttrs?: boolean
+  /** 是否移除 javascript 协议，默认 true */
+  stripJavascriptProtocol?: boolean
+}
+export function xssFilter(input: string, options: XssFilterOptions = {}): string {
+  if (!input) return ''
+  const {
+    escapeHtml: shouldEscape = true,
+    stripDangerousTags: shouldStripTags = true,
+    stripDangerousAttrs: shouldStripAttrs = true,
+    stripJavascriptProtocol: shouldStripJsProtocol = true
+  } = options
+  let result = input
+  // 移除危险标签
+  if (shouldStripTags) {
+    result = stripDangerousTags(result)
+  }
+  // 移除危险属性
+  if (shouldStripAttrs) {
+    result = stripDangerousAttrs(result)
+  }
+  // 移除 javascript 协议
+  if (shouldStripJsProtocol) {
+    result = stripJavascriptProtocol(result)
+  }
+  // 转义 HTML
+  if (shouldEscape) {
+    result = escapeHtml(result)
+  }
+  return result
+}
+/**
+ * 过滤 URL，只允许安全协议
+ * @param url - URL 字符串
+ * @param allowedProtocols - 允许的协议列表
+ * @returns 安全的 URL 或空字符串
+ * @example
+ * filterUrl('javascript:alert(1)') // ''
+ * filterUrl('https://example.com') // 'https://example.com'
+ */
+export function filterUrl(
+  url: string,
+  allowedProtocols: string[] = ['http', 'https', 'mailto', 'tel', 'ftp']
+): string {
+  if (!url) return ''
+  // 移除空白字符
+  const trimmedUrl = url.trim()
+  // 检查是否为相对路径或锚点
+  if (trimmedUrl.startsWith('/') || trimmedUrl.startsWith('#') || trimmedUrl.startsWith('?')) {
+    return trimmedUrl
+  }
+  // 提取协议
+  const protocolMatch = trimmedUrl.match(/^([a-zA-Z][a-zA-Z0-9+.-]*):/)
+  if (!protocolMatch) {
+    return trimmedUrl // 无协议，视为相对路径
+  }
+  const protocol = protocolMatch[1].toLowerCase()
+  // 检查协议是否在允许列表中
+  if (allowedProtocols.includes(protocol)) {
+    return trimmedUrl
+  }
+  return ''
+}
+/**
+ * 过滤对象中的 XSS
+ * @param obj - 要过滤的对象
+ * @param options - 过滤选项
+ * @returns 过滤后的对象
+ */
+export function filterObject<T extends Record<string, any>>(
+  obj: T,
+  options: XssFilterOptions = {}
+): T {
+  if (!obj || typeof obj !== 'object') return obj
+  const result: Record<string, any> = {}
+  for (const [key, value] of Object.entries(obj)) {
+    if (typeof value === 'string') {
+      result[key] = xssFilter(value, options)
+    } else if (typeof value === 'object' && value !== null) {
+      result[key] = filterObject(value, options)
+    } else {
+      result[key] = value
+    }
+  }
+  return result as T
+}
+/**
+ * 白名单标签过滤
+ * 只保留允许的 HTML 标签
+ * @param html - HTML 字符串
+ * @param allowedTags - 允许的标签列表
+ * @returns 过滤后的 HTML
+ * @example
+ * filterHtmlTags('<p><script>alert(1)</script>内容</p>', ['p'])
+ * // '<p>内容</p>'
+ */
+export function filterHtmlTags(html: string, allowedTags: string[] = []): string {
+  if (!html) return ''
+  if (allowedTags.length === 0) return escapeHtml(html)
+  // 构建白名单正则
+  const allowedTagsPattern = allowedTags.join('|')
+  const openTagRegex = new RegExp(`<(${allowedTagsPattern})([^>]*)>`, 'gi')
+  const closeTagRegex = new RegExp(`</(${allowedTagsPattern})>`, 'gi')
+  // 先转义所有 HTML
+  let result = escapeHtml(html)
+  // 恢复允许的标签
+  result = result.replace(
+    new RegExp(`&lt;(${allowedTagsPattern})([^&]*)&gt;`, 'gi'),
+    (_, tag, attrs) => `<${tag}${unescapeHtml(attrs)}>`
+  )
+  result = result.replace(
+    new RegExp(`&lt;/(${allowedTagsPattern})&gt;`, 'gi'),
+    (_, tag) => `</${tag}>`
+  )
+  return result
+}

package/ganwei-iotcenter-index-6.2.3/packages/ganwei-iotcenter-index/src/views/jumpIframe/index.vue CHANGED Viewed

@@ -2,8 +2,8 @@
     <div class="jumpPage">
         <loading v-show="loading"></loading>
         <!-- 菜单至少不为空时，才开始加载页面，避免单点登录时，菜单为空，导致页面异常 -->
-        <iframe v-if="name != 'noPage' && isHasPage" :id="name" :src="path" width="100%" height="100%"
-            allowfullscreen></iframe>
+        <iframe v-if="name != 'noPage' && isHasPage" :id="name" :src="path" width="100%" height="100%" allowfullscreen
+            allow="microphone"></iframe>
         <noPage v-if="name == 'noPage'"></noPage>
     </div>
 </template>
@@ -101,6 +101,8 @@ export default {
                 menuName,
                 languageType: localStorage.languageType,
                 userName: sessionStorage.userName,
+                aesUserName: sessionStorage.aesUserName,
+                // photograph: sessionStorage.photograph,
                 auth: this.auth,
                 customName: this.customName,
                 // 会自动 encodeURIComponent,所以需要先decodeURIComponent
@@ -158,37 +160,52 @@ export default {
             }
         },
+        // checkFrameLoad 方法重写
         checkFrameLoad(packageName, packageId, menuName) {
             let iframe = document.getElementById(this.name)
-            if (iframe) {
-                iframe.onload = () => {
-                    try {
-                        iframe.contentWindow.document.documentElement.setAttribute('data-theme', sessionStorage.theme)
-                    } catch (error) {
-                        console.log(error)
-                    }
-                    try {
-                        iframe.contentWindow.postMessage({
-                            theme: sessionStorage.theme,
-                            languagePackage: sessionStorage.languagePackage,
-                            packageId: packageId,
-                            packageName: packageName,
-                            menuName: menuName
-                        }, "*")
-                    } catch (error) {
-                        console.log(error)
-                    }
-                    this.loading = false;
-                    this.checkPageLoad()
+            if (!iframe) {
+                this.isNoPage()
+                return
+            }
+            // 用于防止重复发送
+            let hasSent = false
+            // 发送消息的统一方法
+            const sendPostMessage = () => {
+                if (hasSent) return
+                hasSent = true
+                try {
+                    iframe.contentWindow.document.documentElement.setAttribute('data-theme', sessionStorage.theme)
+                } catch (error) {
+                    console.log(error)
                 }
-                // 防止onload不执行，兜底
-                setTimeout(() => {
-                    this.loading = false;
-                }, LOADING_TIME);
-            } else {
-                this.isNoPage()
+                try {
+                    iframe.contentWindow.postMessage({
+                        theme: sessionStorage.theme,
+                        languagePackage: sessionStorage.languagePackage,
+                        packageId: packageId,
+                        packageName: packageName,
+                        menuName: menuName,
+                        photograph: sessionStorage.photograph  // 完整参数
+                    }, "*")
+                } catch (error) {
+                    console.log(error)
+                }
+                this.loading = false
+                this.checkPageLoad()
             }
+            // 绑定 onload
+            iframe.onload = sendPostMessage
+            // 兜底定时器（确保完整参数）
+            setTimeout(() => {
+                sendPostMessage()
+            }, LOADING_TIME)
         },
         checkPageLoad() {

package/ganwei-iotcenter-index-6.2.3/packages/ganwei-iotcenter-index/tsconfig.json CHANGED Viewed

@@ -43,6 +43,7 @@
         }
     },
     "include": [
+        "env.d.ts",
         "src/**/*.ts",
         "src/**/*.d.ts",
         "src/**/*.tsx",

package/ganwei-iotcenter-index-6.2.3/packages/ganwei-iotcenter-index/vite.config.ts CHANGED Viewed

@@ -12,7 +12,7 @@ import { createHtmlPlugin } from 'vite-plugin-html'
 import viteAddInfoHtml from './build/vite-addInfo-html'
 import { name } from "./package.json"
 import stats from "./build/vite-plugin-stats-html"
-import getEntryPath from "./build/enteryJson.js";
+import getEntryPath from "./build/entryJson.js";
 const htmlParams = {
     minify: false, // 开发环境不压缩
     pages: getEntryPath
@@ -118,6 +118,15 @@ export default ({ mode }) => {
             https: false, // 启用 TLS + HTTP/2
             open: false,
             proxy: {
+                '/file': {
+                    target: VITE_APP_TARGET_URL,
+                    changeOrigin: true,
+                    secure: false,
+                    rewrite: (path) => path.replace(/^\/file/, '/file'),
+                    headers: {
+                        Referer: VITE_APP_TARGET_URL
+                    }
+                },
                 '/api': {
                     target: VITE_APP_TARGET_URL,
                     changeOrigin: true,

package/ganwei-iotcenter-index-6.2.3/packages/ganwei-iotcenter-login/public/static/http/createAxios.js CHANGED Viewed

@@ -4,7 +4,6 @@
 function generateSign(params) {
     const { appId, timestamp, nonce, body } = params;
     const raw = appId + timestamp + nonce + body;
-    console.log(raw)
     return window.smEncrypt.sm3(raw);
 }
@@ -26,9 +25,8 @@ function urlEncode(val) {
     } else if (typeof val != 'string') {
         val = JSON.stringify(val)
     }
-    console.log(val)
     return encodeURIComponent(val).replace(/[!*'()]/g, c =>
-      '%' + c.charCodeAt(0).toString(16).toUpperCase()
+        '%' + c.charCodeAt(0).toString(16).toUpperCase()
     );
 }
@@ -58,6 +56,22 @@ const overTimeList = [
     { api: "/IoT/api/v3/GWAssembly/BatchInstallAppStorePlugin", timeout: 1800000 }
 ];
+const languageValue = {
+    'zh-CN': [
+        '登录超时，请重新登录',
+        '提示',
+        '确定',
+        '取消'
+    ],
+    'en-US': [
+        'Login Timeout, Please Login Again',
+        'Tips',
+        'Confirm',
+        'Cancel'
+    ]
+};
 /**
  * axios封装
  * 请求拦截、响应拦截、错误统一处理
@@ -103,14 +117,21 @@ const overTimeList = [
     }
     async function getLoginLanuage(pluginName, menuName, packageId, msg, duration) {
         await _this.requestLanguage(pluginName, menuName, packageId, '').then(res => {
-            if (!sessionStorage.languageType) { sessionStorage.languageType = localStorage.languageType }
-            if (currentAxiosBuilder.i18n && currentAxiosBuilder.i18n.global && currentAxiosBuilder.i18n.global.messages) {
-                currentAxiosBuilder.i18n.global.messages.value[sessionStorage.languageType][menuName] = res
+            const langType = sessionStorage.languageType || localStorage.languageType || 'zh-CN';
+            const i18nGlobal = currentAxiosBuilder.i18n?.global;
+            if (i18nGlobal && i18nGlobal.messages) {
+                if (!i18nGlobal.messages.value[langType]) {
+                    i18nGlobal.messages.value[langType] = {};
+                }
+                i18nGlobal.messages.value[langType][menuName] = res;
             }
         }).catch(err => {
             console.log(err)
         }).finally(o => {
-            messageTips(msg, duration)
+            if (msg && duration) {
+                messageTips(msg, duration)
+            }
         })
     }
     function messageTips(msg, duration) {
@@ -148,15 +169,18 @@ const overTimeList = [
                 } catch (error) {
                     console.log(error)
                 }
-                if (!languagePackage || !languagePackage[localStorage.languageType] || !languagePackage[localStorage.languageType].login) {
-                    await getLoginLanuage('ganwei-iotcenter-login', 'login', 'Ganweisoft.IoTCenter.Module.Login', msg, duration)
-                }
+                // TODO 如果此时有操作清空了浏览器缓存，正好服务断开，则会出现键值/重启服务直接访问登录后页面，此时会出现登录页面无法获取语言包，导致提示语不对，需要重新梳理语言包挂载
+                // if (!languagePackage || !languagePackage[localStorage.languageType] || !languagePackage[localStorage.languageType].login) {
+                // await getLoginLanuage('ganwei-iotcenter-login', 'login', 'Ganweisoft.IoTCenter.Module.Login', '', '')
+                // }
+                sessionStorage.setItem('isLgStatus', false)
+                let lType = sessionStorage.languageType || localStorage.languageType || 'zh-CN';
                 currentAxiosBuilder.elmessageBox && currentAxiosBuilder.elmessageBox.confirm(
-                    currentAxiosBuilder.i18n.global.t('login.noAccess.noAccess[7]'),
-                    currentAxiosBuilder.i18n.global.t('login.mainInfoDialog.tips.tip'),
+                    languageValue[lType][0],
+                    languageValue[lType][1],
                     {
-                        confirmButtonText: currentAxiosBuilder.i18n.global.t('login.publics.button.confirm'),
-                        cancelButtonText: currentAxiosBuilder.i18n.global.t('login.publics.button.cancel'),
+                        confirmButtonText: languageValue[lType][2],
+                        cancelButtonText: languageValue[lType][3],
                         type: 'warning',
                         showClose: false,
                         closeOnClickModal: false,
@@ -329,6 +353,7 @@ const overTimeList = [
         _this.i18n = this.i18n = i18n
         _this.notification = this.notification = notification
         _this.elmessageBox = this.elmessageBox = elmessageBox
         try {
             if (_this.top.AxiosBuilder.i18n) { this.i18n = _this.top.AxiosBuilder.i18n }
             if (_this.top.AxiosBuilder.notification) { this.notification = _this.top.AxiosBuilder.notification }
@@ -365,7 +390,6 @@ const overTimeList = [
             config => {
                 config.headers['Accept-Language'] = window.localStorage.languageType || 'zh-CN'
                 config.headers['Xsrf-Token'] = window.sessionStorage.CSRF_TOKEN || ''
                 if (config.method === 'post') {
                     const signParams = {
                         appId: sessionStorage.getItem("userName"),
@@ -425,6 +449,7 @@ const overTimeList = [
                 this.axios.defaults['overTimeList'] = _this.mergeApi(res.httpConfig.overTimeList || [], overTimeList)
             }
         })
+        _this.AxiosBuilder.axios = this.axios
         return this
     }
     _this['AxiosBuilder'].prototype.getInstance = function getInstance() {

package/ganwei-iotcenter-index-6.2.3/packages/ganwei-iotcenter-login/public/static/js/getLanguage.js CHANGED Viewed

@@ -131,8 +131,16 @@ window.updateLanguage = (pluginName, menuName,vm, i18n) => {
     // Vue3 基座
     if (vm && vm.i18nInstance) {
-        vm.i18nInstance.locale = langType;
-        vm.i18nInstance.mergeLocaleMessage(langType, JSON.parse(JSON.stringify(merged)));
+        // composition API 模式下，locale 和 mergeLocaleMessage 在 i18n.global 上
+        const i18nInstance = vm.i18nInstance.global || vm.i18nInstance;
+        if (i18nInstance.locale && typeof i18nInstance.locale === 'object' && 'value' in i18nInstance.locale) {
+            // composition API 模式
+            i18nInstance.locale.value = langType;
+        } else {
+            // legacy 模式
+            i18nInstance.locale = langType;
+        }
+        i18nInstance.mergeLocaleMessage(langType, JSON.parse(JSON.stringify(merged)));
     }
     // Vue2 基座
     else if (i18n && i18n._vm) {