From 64e402d6e31a85a772b3837c0110b56a7d6ddb10 Mon Sep 17 00:00:00 2001 From: wanglei Date: Wed, 28 Sep 2022 02:56:58 +0800 Subject: [PATCH 1/2] xss lession 1 --- src/middleware/ctx-catch/index.js | 1 - src/router/api/api.test.js | 17 +++++++++++++++++ src/router/web/web.home.js | 7 +++++-- src/view/index.html | 8 ++++++++ 4 files changed, 30 insertions(+), 3 deletions(-) diff --git a/src/middleware/ctx-catch/index.js b/src/middleware/ctx-catch/index.js index af6d26d..988429e 100644 --- a/src/middleware/ctx-catch/index.js +++ b/src/middleware/ctx-catch/index.js @@ -7,7 +7,6 @@ module.exports = () => { try { await next(); } catch (error) { - console.error(error); ctx.restError('Oh~Oh~Oh!!!! Find An Error Inner Api'); } }; diff --git a/src/router/api/api.test.js b/src/router/api/api.test.js index 011abee..18ada02 100644 --- a/src/router/api/api.test.js +++ b/src/router/api/api.test.js @@ -89,5 +89,22 @@ const PetMongo = require('../../model/pet.mongo'); }); } +// xss +{ + router.post('/test/xss/v:id', async (ctx, next) => { + const query = ctx.query; + const body = ctx.request.body; + const params = ctx.params; + + await PetMongo.create({ + name: query.name, + namenick: query.namenick, + email: body.email, + password: body.password + }); + + ctx.json({ query, body, params }); + }); +} module.exports = router; diff --git a/src/router/web/web.home.js b/src/router/web/web.home.js index d8523eb..f0a2113 100644 --- a/src/router/web/web.home.js +++ b/src/router/web/web.home.js 
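Review bot: Removing `console.error(error)` leaves the catch block in the ctx-catch middleware with no record of the failure at all — the client receives the fixed 'Oh~Oh~Oh!!!!' message and the original error, including its stack, is discarded, which hides both faults and abuse attempts from operators. If the goal is to quiet console output, hand the error to the application's error channel instead, e.g. `ctx.app.emit('error', error, ctx);` immediately before the `ctx.restError(...)` call, so a single listener can log it centrally. The enclosing middleware function starts before this hunk and its outer arrow closes after it.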
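Review bot: The new `/test/xss/v:id` handler copies `query.name`, `query.namenick`, `body.email` and `body.password` straight into `PetMongo.create` and echoes `query`, `body` and `params` back unmodified, with no validation and with the password stored as received; if this is the intentionally unsafe endpoint for the lesson named in the subject, the code should say so and stay out of production. A guard such as `if (process.env.NODE_ENV === 'production') return ctx.throw(404);` at the top of the handler, with a header comment `// Deliberately unvalidated teaching route for the XSS lesson; not for production use`, makes that intent explicit to the next maintainer. The `:id` route parameter and the `next` argument are declared but never used. The web.home.js hunk in this patch reads the same stored password back, so the two hunks share the cleartext-credential concern.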
@@ -1,14 +1,17 @@ const Router = require('koa-router'); - const router = new Router(); +const PetMongo = require('../../model/pet.mongo'); router.get('/', async (ctx, next) => { try { ctx.state.where = { is: 'adc', }; + let pet = await PetMongo.findById("63333c8adb7ec2fc2de2e0e8"); await ctx.render('index.html', { - test: { time: new Date().getTime() }, + test: { time: new Date().getTime(), password: pet.password }, + password: pet.password, + axss_link: "javascript:alert(456)" }); } catch (e) { ctx.response.body = e.message; diff --git a/src/view/index.html b/src/view/index.html index d4cb85b..0da3f81 100644 --- a/src/view/index.html +++ b/src/view/index.html @@ -12,7 +12,15 @@
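Review bot: `PetMongo.findById("63333c8adb7ec2fc2de2e0e8")` resolves to `null` when that document is absent, and the following `pet.password` then throws a TypeError that the existing `catch (e)` sends to the client through `ctx.response.body = e.message`; check the result first, e.g. `const pet = await PetMongo.findById("63333c8adb7ec2fc2de2e0e8"); if (!pet) { ctx.status = 404; return; }`. The handler also passes the stored `password` to the template twice (inside `test` and as a top-level `password`), so a real credential is written into the rendered page; for a demo a fixed placeholder string in the controller would illustrate the same point without exposing stored data. `let pet` is never reassigned and should be `const`. A comment explaining why that particular ObjectId is expected to exist would help anyone running the project against a fresh database.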

{{where.is}}

hello world

{{test.time}}

+
+

XSS

+

{{test|dump}}

+

{{axss}}

+ link + +

{{password}}

+
聊天室
聊天室2
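Review bot: The template now renders `{{password}}` and `{{test|dump}}`, both of which carry the pet's stored password from web.home.js into the page body, so a credential from the database is printed into HTML served to the browser; if the lesson needs a visible value, a constant such as `demo-password` supplied by the controller is enough. `{{axss}}` is referenced here while the controller supplies `axss_link`, so this expression presumably renders empty unless another route sets `axss` — worth confirming the intended variable name. The markup around the added `link` element is not preserved in this view, so the attribute it binds to cannot be checked here.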
From d0ad17cddc55b5b98ac36a3633040fd7e4736c48 Mon Sep 17 00:00:00 2001 From: wanglei Date: Sun, 2 Oct 2022 02:40:52 +0800 Subject: [PATCH 2/2] =?UTF-8?q?=E7=BB=9F=E4=B8=80=E7=AB=AF=E5=8F=A3?= =?UTF-8?q?=E5=8F=B7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- History.md | 2 ++ INSTALL.md | 3 +++ package.json | 4 ++-- 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 History.md create mode 100644 INSTALL.md diff --git a/History.md b/History.md new file mode 100644 index 0000000..4d2be33 --- /dev/null +++ b/History.md @@ -0,0 +1,2 @@ +# 项目改动历史 +1. diff --git a/INSTALL.md b/INSTALL.md new file mode 100644 index 0000000..669b61d --- /dev/null +++ b/INSTALL.md @@ -0,0 +1,3 @@ +# 模块安装说明 + +1. diff --git a/package.json b/package.json index f745908..65ef21e 100644 --- a/package.json +++ b/package.json @@ -6,8 +6,8 @@ "author": "debugcode", "license": "ISC", "scripts": { - "api": "cross-env NODE_ENV=development PORT=10091 nodemon --watch src --ignore src/web.server.js --ignore 'src/assets/uploaded/*' src/api.server.js", - "web": "cross-env NODE_ENV=development PORT=10092 nodemon --watch src --ignore src/api.server.js --ignore 'src/assets/uploaded/*' src/web.server.js", + "web": "cross-env NODE_ENV=development PORT=10091 nodemon --watch src --ignore src/api.server.js --ignore 'src/assets/uploaded/*' src/web.server.js", + "api": "cross-env NODE_ENV=development PORT=10092 nodemon --watch src --ignore src/web.server.js --ignore 'src/assets/uploaded/*' src/api.server.js", "pm2-dev": "pm2 startOrRestart ecosystem.config.js --only 'web-development, api-development' --env development", "pm2-test": "pm2 startOrRestart ecosystem.config.js --only 'web-test, api-test' --env test", "pm2": "pm2 startOrRestart ecosystem.config.js --only 'web-production, api-production' --env production",