From 2dbfa1619b8f6dea2e4aa8e9723f20b741101538 Mon Sep 17 00:00:00 2001
From: liangkun
Date: Mon, 8 Nov 2021 16:11:21 +0800
Subject: [PATCH] =?UTF-8?q?webapi=20=E6=B5=8B=E8=AF=95sql=E6=B3=A8?=
 =?UTF-8?q?=E5=85=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../Learun.Application.WebApi/Modules/BaseApi.cs | 11 +++++++++++
 .../Learun.Util/Learun.Util/Web/WebHelper.cs | 2 ++
 2 files changed, 13 insertions(+)
diff --git a/Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/BaseApi.cs b/Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/BaseApi.cs
index 79f18c5e3..8b543320f 100644
--- a/Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/BaseApi.cs
+++ b/Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/BaseApi.cs
@@ -175,6 +175,17 @@ namespace Learun.Application.WebApi
 ///
 private Response BeforeRequest(NancyContext ctx)
 {
+ ctx.Request.Url.Query = Learun.Util.WebHelper.Formatstr(ctx.Request.Url.Query);
+ foreach (var p in ctx.Parameters)
+ {
+ if (p.ParameterType == typeof(string))
+ {
+ if (ctx.Parameters[p.ParameterName] != null)
+ {
+ ctx.Parameters[p.ParameterName] = Learun.Util.WebHelper.Formatstr(ctx.Parameters[p.ParameterName].ToString());
+ }
+ }
+ }
 string path = ctx.ResolvedRoute.Description.Path;
 //验证登录状态
 ReqParameter req = this.Bind();
diff --git a/Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/Web/WebHelper.cs b/Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/Web/WebHelper.cs
index a05421892..68ae49dd7 100644
--- a/Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/Web/WebHelper.cs
+++ b/Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/Web/WebHelper.cs
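Review bot: The new filtering at the top of BeforeRequest is a keyword blacklist applied at the front door, and it silently rewrites legitimate values: any route or query parameter that merely contains "select", "update", "delete" or "exec" as a substring (a name, a description, an e-mail) is mangled before the handler sees it, while the request body that `this.Bind()` reads on the line after the insertion is never passed through Formatstr, so a POSTed JSON or form field gets no filtering at all. It also looks like `ctx.Request.Url.Query` is the raw, still percent-encoded query string, in which case the `'` → `’` replacement inside Formatstr never matches a `%27` and encodings such as `sel%65ct` pass through untouched — confirm against Nancy's Url type. The SQL-injection concern the commit title refers to is only closed by parameterizing the SQL where these values are consumed; this mangling should be at most defense-in-depth and be labelled as such, e.g. `// NOTE: best-effort keyword/quote mangling only; not a substitute for parameterized SQL in the data layer`. If `ctx.Parameters` is Nancy's DynamicDictionary, enumerating it yields key strings rather than objects with ParameterType/ParameterName, so `p.ParameterType` would fail at runtime — confirm which type it actually is here. BeforeRequest continues past the end of the hunk.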
@@ -345,6 +345,7 @@ namespace Learun.Util
 System.Text.RegularExpressions.Regex regex10 = new System.Text.RegularExpressions.Regex(@"select", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
 System.Text.RegularExpressions.Regex regex11 = new System.Text.RegularExpressions.Regex(@"update", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
 System.Text.RegularExpressions.Regex regex12 = new System.Text.RegularExpressions.Regex(@"delete", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
+ System.Text.RegularExpressions.Regex regex13 = new System.Text.RegularExpressions.Regex(@"exec", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
 html = regex1.Replace(html, ""); //过滤标记
 html = regex2.Replace(html, ""); //过滤href=javascript: () 属性
 html = regex3.Replace(html, " _disibledevent="); //过滤其它控件的on...事件
@@ -352,6 +353,7 @@ namespace Learun.Util
 html = regex10.Replace(html, "s_elect");
 html = regex11.Replace(html, "u_pudate");
 html = regex12.Replace(html, "d_elete");
+ html = regex13.Replace(html, "e_xec");
 html = html.Replace("'", "’");
 html = html.Replace(" ", " ");
 return html;
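Review bot: The new `exec` pattern in the first hunk is unanchored and case-insensitive, so it also rewrites ordinary words such as "execute", "executive" or "executor" inside user data, and the neighbouring `select`/`update`/`delete` patterns share the same problem. If the intent is to catch a SQL `EXEC`/`EXECUTE` call rather than every occurrence of those letters, the pattern should at least require word boundaries, e.g. `@"\bexec(ute)?\b"`, and the mangling should be confined to the places where a value is actually interpolated into SQL rather than applied to every string. As a style point, these `Regex` objects are constructed on every call; they belong in `private static readonly` fields (with `RegexOptions.Compiled` if this runs per request), which is also the natural place for a comment such as `// blacklist is best-effort; SQL safety must come from parameterized queries at the call site`. The enclosing method starts before the hunk and continues after it.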
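Review bot: Replacing `exec` with `e_xec` in the second hunk, like the `'` → `’` replacement two lines below it, is trivially bypassable and only affects string-literal injection: an input such as `1 OR 1=1`, `1; DROP TABLE x` or `ex/**/ec` passes through unchanged, since none of the patterns visible in this hunk touch `or`, `;`, `--` or comment sequences (regex1–regex9 are outside the hunk, so I cannot say whether they do). The replacement also corrupts legitimate data irreversibly — a stored value containing "exec" will read back as "e_xec" — which is a data-integrity bug rather than a security control. Parameterized queries at the data-access layer close the injection regardless of keyword; if this function is kept, document it as a secondary layer with `// Best-effort keyword mangling; does not make string-built SQL safe — use parameterized queries.` The enclosing method begins before this hunk.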