save

src/plugin/admin/app/common/LayuiForm.php

@@ -211,7 +211,7 @@ EOF;
 // 字段 {$options['label']} $field
 layui.use(['upload', 'layer', 'jquery', 'popup', 'util'], function() {
     let input = layui.jquery('#$id').prev();
-    input.prev().html(input.val());
+    input.prev().html(layui.util.escape(input.val()));
     layui.upload.render({
         elem: '#$id',$options_string
         done: function (res) {
@@ -745,7 +745,7 @@ EOF;
 				})
 			});
 			let checked = d[field] === 1 ? 'checked' : '';
-			return '<input type="checkbox" value="'+d[PRIMARY_KEY]+'" lay-filter="'+field+'" lay-skin="switch" lay-text="$lay_text" '+checked+'/>';
+			return '<input type="checkbox" value="'+util.escape(d[PRIMARY_KEY])+'" lay-filter="'+util.escape(field)+'" lay-skin="switch" lay-text="'+util.escape('$lay_text')+'" '+checked+'/>';
 		}
 EOF;
                     break;
@@ -754,7 +754,7 @@ EOF;
                     $templet = <<<EOF
 
 		templet: function (d) {
-			return '<i class="layui-icon ' + d['$field'] + '"></i>';
+			return '<i class="layui-icon ' + util.escape(d['$field']) + '"></i>';
 		}
 EOF;
                     break;
@@ -762,7 +762,7 @@ EOF;
                     $templet = <<<EOF
 
 		templet: function (d) {
-			return '<a href="' + d['$field'] + '" target="_blank">' + d['$field'] + '</a>';
+			return '<a href="' + encodeURI(d['$field']) + '" target="_blank">' + util.escape(d['$field']) + '</a>';
 		}
 EOF;
                     break;
@@ -770,7 +770,7 @@ EOF;
                     $templet = <<<EOF
 
 		templet: function (d) {
-			return '<img src="'+d.avatar+'" style="max-width:32px;max-height:32px;" alt="" />';
+			return '<img src="'+encodeURI(d['$field'])+'" style="max-width:32px;max-height:32px;" alt="" />'
 		}
 EOF;
                     break;
@@ -802,7 +802,7 @@ EOF;
 			layui.each((d[field] + '').split(','), function (k , v) {
 				items.push(apiResults[field][v] || v);
 			});
-			return items.join(',');
+			return util.escape(items.join(','));
 		}
 EOF;
 

src/plugin/admin/app/controller/TableController.php

@@ -783,11 +783,12 @@ EOF
             const UPDATE_URL = "$url_path_base/$template_path/update";
             $js
             // 表格渲染
-            layui.use(['table', 'form', 'jquery', 'common', 'popup'], function() {
+            layui.use(['table', 'form', 'jquery', 'common', 'popup', 'util'], function() {
                 let table = layui.table;
                 let form = layui.form;
                 let $ = layui.jquery;
                 let common = layui.common;
+                let util = layui.util;
                 $table_js
                 // 编辑或删除行事件
                 table.on('tool(data-table)', function(obj) {
@@ -1050,7 +1051,7 @@ EOF;
                             }
                             if (typeof obj[0] === 'undefined' || !obj[0].nodeName) return;
                             if (obj[0].nodeName.toLowerCase() === 'textarea') {
-                                obj.html(layui.util.escape(value));
+                                obj.val(layui.util.escape(value));
                             } else {
                                 obj.attr('value', value);
                             }

src/plugin/admin/app/view/table/update.html

@@ -43,6 +43,7 @@
 
             layui.use(['form', 'jquery', 'util'], function () {
                 let $ = layui.jquery;
+                let util = layui.util;
                 $.ajax({
                     url: SELECT_API,
                     dataType: 'json',
@@ -55,7 +56,7 @@
                             }
                             if (typeof obj[0] === 'undefined' || !obj[0].nodeName) return;
                             if (obj[0].nodeName.toLowerCase() === 'textarea') {
-                                obj.html(layui.util.escape(value));
+                                obj.html(util.escape(value));
                             } else {
                                 obj.attr('value', value);
                             }

src/plugin/admin/app/view/table/view.html

@@ -56,8 +56,8 @@
 
         <script>
 
-            const TABLE_NAME = '<?=htmlspecialchars($table)?>';
+            const TABLE_NAME = "<?=htmlspecialchars($table)?>";
-            const PRIMARY_KEY = '<?=htmlspecialchars($primary_key)?>';
+            const PRIMARY_KEY = "<?=htmlspecialchars($primary_key)?>";
             const SELECT_API = "/app/admin/table/select?table=" + TABLE_NAME;
             const UPDATE_API = "/app/admin/table/update";
             const DELETE_API = "/app/admin/table/delete";
@@ -130,7 +130,7 @@
                                 };
                             } else if (control === 'uploadimage') {
                                 schema.templet = function (d) {
-                                    return '<img src="'+encodeURI(d[field])+'" style="max-width:32px;max-height:32px;" />'
+                                    return '<img src="'+encodeURI(d[field])+'" style="max-width:32px;max-height:32px;" />';
                                 };
                             } else if (['select', 'selectmulti', 'treeselect', 'treeselectmulti'].indexOf(control) !== -1) {
                                 let props = getProps(item.control_args);

src/plugin/admin/public/admin/css/reset.css

@@ -125,7 +125,7 @@ button {
     vertical-align: middle;
     position: relative;
 }
-.top-search-from .layui-input, .layui-select, .layui-textarea {
+.top-search-from .layui-input, .top-search-from .layui-select, .top-search-from .layui-textarea {
     width: 270px;
 }
 .top-search-from .item-inline .layui-form-item .layui-input-block {