订单支付参数处理避免XSS注入

2024-12-01 03:18:33 +08:00 · 2021-08-07 20:07:01 +08:00 · 2021-08-07 20:07:01 +08:00 · 40ddae0d41
commit 40ddae0d41
parent bf6edd084f
3 changed files with 45 additions and 3 deletions
--- a/app/index/controller/Order.php
+++ b/app/index/controller/Order.php
@ -76,6 +76,9 @@ class Order extends Common
        ];
        $ret = OrderService::OrderList($data_params);

+        // 支付参数
+        $pay_params = OrderService::PayParamsHandle($this->data_request);
+
        // 发起支付 - 支付方式
        MyViewAssign('buy_payment_list', PaymentService::BuyPaymentList(['is_enable'=>1, 'is_open_user'=>1]));

@ -86,9 +89,10 @@ class Order extends Common
        MyViewAssign('home_seo_site_title', SeoService::BrowserSeoTitle('我的订单', 1));

        // 基础参数赋值
-        MyViewAssign('params', $this->data_request);
        MyViewAssign('page_html', $page->GetPageHtml());
        MyViewAssign('data_list', $ret['data']);
+        MyViewAssign('pay_params', $pay_params);
+        MyViewAssign('params', $this->data_request);
        return MyView();
    }

@ -112,6 +116,9 @@ class Order extends Common
            $site_fictitious = ConfigService::SiteFictitiousConfig();
            MyViewAssign('site_fictitious', $site_fictitious['data']);

+            // 支付参数
+            $pay_params = OrderService::PayParamsHandle($this->data_request);
+
            // 加载百度地图api
            MyViewAssign('is_load_baidu_map_api', 1);

@ -120,6 +127,7 @@ class Order extends Common

            // 数据赋值
            MyViewAssign('data', $data);
+            MyViewAssign('pay_params', $pay_params);
            MyViewAssign('params', $this->data_request);
            return MyView();
        }
--- a/app/index/view/default/order/payment_popup.html
+++ b/app/index/view/default/order/payment_popup.html
@ -27,8 +27,8 @@
                    {{/if}}
                </div>
                <div class="am-form-group am-form-group-refreshing">
-                    <input type="hidden" name="ids" value="{{if !empty($params['ids'])}}{{:urldecode($params.ids)}}{{/if}}" />
-                    <input type="hidden" name="payment_id" value="{{if !empty($params['payment_id'])}}{{$params.payment_id}}{{/if}}" />
+                    <input type="hidden" name="ids" value="{{if !empty($pay_params['order_ids'])}}{{$pay_params.order_ids}}{{/if}}" />
+                    <input type="hidden" name="payment_id" value="{{if !empty($pay_params['payment_id'])}}{{$pay_params.payment_id}}{{/if}}" />
                    <button type="submit" class="am-btn am-btn-primary am-radius btn-loading-example am-btn-sm am-btn-block" data-am-loading="{loadingText:'处理中...'}">确认支付</button>
                </div>
            </form>
--- a/app/service/OrderService.php
+++ b/app/service/OrderService.php
@ -2209,5 +2209,39 @@ class OrderService
        return DataReturn('支付中', -300);
    }

+    /**
+     * 订单支付参数处理
+     * @author  Devil
+     * @blog    http://gong.gg/
+     * @version 1.0.0
+     * @date    2021-08-07
+     * @desc    description
+     * @param   [array]           $params [输入参数]
+     */
+    public static function PayParamsHandle($params = [])
+    {
+        // 支付方式
+        $payment_id = empty($params['payment_id']) ? '' : intval($params['payment_id']);
+
+        // 支付订单id、多个订单id以英文逗号分割[ , ]
+        // 严格处理参数，避免非法数据
+        $order_ids = '';
+        if(!empty($params['ids']))
+        {
+            $ids = array_filter(array_map(function($v)
+            {
+                return intval($v);
+            }, explode(',', urldecode($params['ids']))));
+            if(!empty($ids))
+            {
+                $order_ids = implode(',', $ids);
+            }
+        }
+
+        return [
+            'payment_id'    => $payment_id,
+            'order_ids'     => $order_ids,
+        ];
+    }
 }
 ?>