1.12.11 #243
1.12.11 #243
Conversation
flow自动添加菜单 地址不正确 访问404
…User::getName, "e").isNul(EruptUser::getWhiteIp).addCondition("whiteIp is null").list()
…lendar.DAY_OF_MONTH + account) → md5(md5(pwd) + account) 移除通过当前天作为加密依据
Fix mongodb
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -23,69 +23,61 @@ | |||
| if (StringUtils.isNotBlank(value)) { | |||
| // 避免script 标签 | |||
| Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE); | |||
| if (scriptPattern.matcher(value).matches()) { | |||
| if (scriptPattern.matcher(value).find()) { | |||
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
| return true; | ||
| } | ||
| // 删除单个的<script ...> 标签 | ||
| scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | ||
| if (scriptPattern.matcher(value).matches()) { | ||
| if (scriptPattern.matcher(value).find()) { |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
| return true; | ||
| } | ||
| // 避免 eval(...) 形式表达式 | ||
| scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | ||
| if (scriptPattern.matcher(value).matches()) { | ||
| if (scriptPattern.matcher(value).find()) { |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
| if (scriptPattern.matcher(value).matches()) { | ||
| // 避免 expression(...) 表达式 | ||
| scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | ||
| if (scriptPattern.matcher(value).find()) { |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
| return true; | ||
| } | ||
| // 避免 onload= 表达式 | ||
| scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | ||
| if (scriptPattern.matcher(value).matches()) { | ||
| if (scriptPattern.matcher(value).find()) { |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
| return true; | ||
| } | ||
| // 避免 onmouseover= 表达式 | ||
| scriptPattern = Pattern.compile("onmouseover(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | ||
| if (scriptPattern.matcher(value).matches()) { | ||
| if (scriptPattern.matcher(value).find()) { |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
| return true; | ||
| } | ||
| // 避免 onfocus= 表达式 | ||
| scriptPattern = Pattern.compile("onfocus(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | ||
| if (scriptPattern.matcher(value).matches()) { | ||
| if (scriptPattern.matcher(value).find()) { |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
🐞 修复 mongodb 场景在字段上添加注解不生效的 bug (感谢iszhangsc 的贡献#231)
🐞 Erupt-BI 解决存在必填项时自定义模板404的 bug
🧩 Erupt-BI 兼容 JDK17
🧩 筛选场景下支持清除 choice 组件已输入值
🌟 无障碍能力支持灰色模式
🌟 Erupt-BI 查询维度支持参照表格组件,表格内部支持虚拟滚动,列筛选,列排序等能力
🌟 自定义按钮增加调用时提示文本配置能力(callHint�),为空则表示不提示
🌟 增加 Linq.J 依赖,基于内存的对象查询语言,用于内存级对象查询与 Lambda 映射
🌟 userinfo 接口增加返回组织编码、岗位编码、角色编码
🌟 将 erupt-magic-api 资源重载配置能力配置到菜单权限中
手动删除erupt-magic-api.loaded文件按钮重载权限会自动添加到菜单中
🌟 ViewType增加SAFE_TEXT类型,文本中带有脚本或标签信息不会被前端渲染
🌟 提高渲染性能,所有树组件都增加虚拟滚动能力,如果节点条数大于 50 则会开启
🌟 自定义按钮支持代码弹出能力,配置语言与内容即可
🌟 EruptDao支持 LambdaQuery 语法查询能力
🌟 破坏性更新:因在跨国工作等场景很容易出现本地时间和服务器事件不一致的情况导致无法登录,所以调整登录时密码加密规则 https://www.yuque.com/erupts/erupt/vr4md2#jgeb,自定义登录规则的用户需要对此进行调整