/**
* 用户登录之后,返回登录标识 cookie
*/
const crypto = require('crypto');
const path = require('path');
const express = require('express');
const bodyParser = require('body-parser');
const cookieParser = require('cookie-parser');
const app = express();
// Static file roots, in lookup order: the demo pages under ./src, then the parent
// directory of this file.
// NOTE(review): serving '../' exposes everything in the parent directory — this
// server.js, any config or other demo files — to every client. Acceptable for a
// local XSS demo; narrow it to the specific page directory before exposing the
// server on a network.
const staticRoots = [path.join(__dirname, 'src'), path.join(__dirname, '../')];
staticRoots.forEach(root => app.use(express.static(root)));
// Parse application/x-www-form-urlencoded bodies into req.body. `extended: true`
// means bracket syntax (`a[b]=c`) yields nested objects, so a field that is
// expected to be a string may arrive as an object/array — handlers must check.
app.use(bodyParser.urlencoded({ extended: true }));
// Expose request cookies as req.cookies[name].
app.use(cookieParser());
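// Demo user store. NOTE(review): plaintext passwords in a hard-coded list are only
// acceptable for this XSS demo — a real service stores salted password hashes and
// compares them with a constant-time check.
const userList = [{ username: 'yvette', password: 'yvette' }, { username: 'star', password: 'star' }];
// Name of the session cookie.
const SESSION_ID = 'connect.sid';
// In-memory session store: session id -> { user }. Created without a prototype so a
// forged cookie value such as "constructor" or "__proto__" cannot resolve to an
// inherited (truthy) property and be mistaken for a live session.
const session = Object.create(null);

/**
 * POST /api/login — authenticate against userList and issue a session cookie.
 * Body: username, password (form-encoded). Responds { code: 0 } on success,
 * { code: 1, error } otherwise.
 */
app.post('/api/login', (req, res) => {
  const { username, password } = req.body;
  const user = userList.find(item => item.username === username && item.password === password);
  if (!user) {
    res.json({ code: 1, error: `${username} does not exist or password mismatch` });
    return;
  }
  // The session id must be unguessable. The original used Math.random() + Date.now(),
  // which is neither cryptographically random nor hard to enumerate (the value is
  // dominated by the current millisecond timestamp). Use 128 bits from the CSPRNG.
  const cardId = crypto.randomBytes(16).toString('hex');
  session[cardId] = { user };
  // NOTE(review): the cookie is set without httpOnly/secure/sameSite, so it is
  // readable from document.cookie — which is exactly what the stored-XSS demo below
  // can exfiltrate. Pass `{ httpOnly: true, sameSite: 'lax' }` (and `secure: true`
  // behind TLS) once the demo no longer needs the cookie to be script-readable.
  res.cookie(SESSION_ID, cardId);
  res.json({ code: 0 });
});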
// 1. Reflected XSS demo:
//    http://localhost:3000/error?type=<script>alert('恶意内容')</script>
// NOTE(review): the original comment relied on Chrome detecting the payload in the
// URL. That was the XSS Auditor, removed in Chrome 78 (2019); current Chrome,
// Firefox and Safari all render the injected markup.
app.get('/error', (req, res) => {
  // DELIBERATELY VULNERABLE: the query parameter is reflected verbatim into a
  // response that res.send() labels text/html, so any markup in ?type= executes
  // in the victim's browser. /welcome shows the encoded counterpart.
  const { type } = req.query;
  res.send(`${type}`);
});
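/**
 * GET /welcome — the same reflection as /error, with output encoding applied.
 * The original used encodeURIComponent here. That is the wrong encoder for an HTML
 * body: it does neutralise "<script>", but it is URL encoding, so "hello world" is
 * displayed as "hello%20world". The correct defence for HTML text content is HTML
 * entity encoding (encodeHtml, defined below). A missing parameter renders as an
 * empty string instead of the literal text "undefined".
 */
app.get('/welcome', (req, res) => {
  const raw = req.query.type;
  const type = raw === undefined ? '' : String(raw);
  res.send(encodeHtml(type));
});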
// Comment list for the UNSAFE demo: /addComment stores content verbatim, so any
// markup a user submits is served back unchanged by this endpoint.
const comments = [
  { username: 'yvette', content: '大家好' },
  { username: 'yvette', content: '我是刘小夕' },
  { username: 'star', content: '大家好,我是Star' },
];
// GET /getComments — return every stored (unescaped) comment.
app.get('/getComments', (req, res) => res.json({ code: 0, comments }));
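/**
 * POST /addComment — append a comment for the logged-in user (stored-XSS demo).
 * Body: comment. Responds { code: 0, comments } on success, { code: 1, error } when
 * not logged in or when the comment is not a string.
 */
app.post('/addComment', (req, res) => {
  // Resolve the session from the cookie issued by /api/login. Use an own-property
  // check: `session` is a plain object, so a forged cookie value such as
  // "constructor" would otherwise resolve to an inherited, truthy value and crash
  // on `info.user.username`.
  const cardId = req.cookies[SESSION_ID];
  const info = Object.prototype.hasOwnProperty.call(session, cardId) ? session[cardId] : undefined;
  if (!info) {
    res.json({ code: 1, error: 'user not logged in.' });
    return;
  }
  const { comment } = req.body;
  // With `bodyParser.urlencoded({ extended: true })`, `comment[x]=y` arrives as an
  // object; only accept a string so nothing unexpected is stored.
  if (typeof comment !== 'string') {
    res.json({ code: 1, error: 'comment must be a string.' });
    return;
  }
  // DELIBERATELY VULNERABLE (stored XSS demo): the comment is stored unescaped and
  // later served as-is by /getComments. /addComment2 is the encoded counterpart.
  comments.push({ username: info.user.username, content: comment });
  res.json({ code: 0, comments });
});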
// Comment list for the SAFE demo: /addComment2 HTML-encodes content before it is
// stored, so what this endpoint returns is inert when inserted into a page.
const comments2 = [
  { username: 'yvette', content: '大家好' },
  { username: 'yvette', content: '我是刘小夕' },
  { username: 'star', content: '大家好,我是Star' },
];
// GET /getComments2 — return every stored (encoded) comment.
app.get('/getComments2', (req, res) => res.json({ code: 0, comments: comments2 }));
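// Characters that are significant in HTML text/attribute context and their entities.
// '&' is included (the original omitted it): without it, user input such as "&lt;"
// is decoded by the browser and the stored text does not round-trip faithfully.
// '&#39;' is used for the apostrophe because '&apos;' is not defined in HTML 4.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

/**
 * Escape a string for safe interpolation into HTML text or quoted attribute content.
 * Every '&', '<', '>', '"' and "'" is replaced by its entity in a single pass, so the
 * order of replacements can no longer reintroduce an unescaped character.
 * Non-string input is coerced with String() rather than throwing.
 * @param {string} str - untrusted text
 * @returns {string} the escaped text
 */
function encodeHtml(str) {
  return String(str).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}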
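/**
 * POST /addComment2 — append an HTML-encoded comment for the logged-in user.
 * Body: comment. Responds { code: 0, comments } on success, { code: 1, error } when
 * not logged in or when the comment is not a string.
 */
app.post('/addComment2', (req, res) => {
  // Resolve the session from the cookie issued by /api/login. Use an own-property
  // check: `session` is a plain object, so a forged cookie value such as
  // "constructor" would otherwise resolve to an inherited, truthy value and crash
  // on `info.user.username`.
  const cardId = req.cookies[SESSION_ID];
  const info = Object.prototype.hasOwnProperty.call(session, cardId) ? session[cardId] : undefined;
  if (!info) {
    res.json({ code: 1, error: 'user not logged in.' });
    return;
  }
  const { comment } = req.body;
  // With `extended: true`, `comment[x]=y` arrives as an object and a missing field is
  // undefined; either would make encodeHtml's .replace throw and surface as a 500.
  if (typeof comment !== 'string') {
    res.json({ code: 1, error: 'comment must be a string.' });
    return;
  }
  // Encode at write time so /getComments2 serves inert text. Encoding is
  // context-specific: this is correct for HTML text/attribute content, not for
  // insertion into <script> blocks, URLs or CSS.
  comments2.push({ username: info.user.username, content: encodeHtml(comment) });
  res.json({ code: 0, comments: comments2 });
});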
// Start the demo server on port 3000 (no host argument, so it listens on every
// interface — keep this behind a firewall or localhost while the XSS demos are up).
const port = 3000;
app.listen(port);