漏洞修改

2025-08-31 18:58:52 +08:00 · 2025-08-31 18:58:52 +08:00 · f8b88ea99d
parent 5eb17ccce9
commit f8b88ea99d
2 changed files with 16 additions and 6 deletions
--- a/index.html
+++ b/index.html
@ -156,13 +156,25 @@
            }, function (result) {
                console.log(result);
                if (result.code === 200) {
-                    var url = window.location.href;                    //获取当前页面的url
-                    if (url.indexOf("?") != -1) {                        //判断是否存在参数
-                        url = url.replace(/(\?|#)[^'"]*/, '');           //去除参数
-                        window.history.pushState({}, 0, url);
+                    // 使用 URL API 解析
+                    var currentUrl = new URL(window.location.href);
+
+                    // 协议检查，拒绝 javascript: 等危险协议
+                    if (currentUrl.protocol !== "http:" && currentUrl.protocol !== "https:") {
+                        console.warn("非法协议，拒绝处理: " + currentUrl.protocol);
+                        return;
                    }
+
+                    // 如果有 query 参数或者 hash，就清理掉
+                    if (currentUrl.search || currentUrl.hash) {
+                        var cleanUrl = currentUrl.origin + currentUrl.pathname;
+                        window.history.pushState({}, "", cleanUrl);
+                    }
+
+                    // 初始化页面
                    initPage(miniAdmin);
                } else if (result.code === 401) {
+                    // 登录过期或无权限
                    closeWindowOpen();
                }
            }, function (xhr, status, error) {
--- a/lib/jquery-3.4.1/jquery-3.4.1.min.js
+++ b/lib/jquery-3.4.1/jquery-3.4.1.min.js