From 44a918ad787a62a2fcecb7680d4d440451bdb3cc Mon Sep 17 00:00:00 2001
From: mac
Date: Mon, 8 Jun 2026 17:24:45 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20R5=E4=BF=AE=E5=A4=8D=20=E2=80=94=20?=
 =?UTF-8?q?=E5=8F=8C=E9=87=8DHTML=E8=BD=AC=E4=B9=89/=E6=B6=88=E6=81=AF?=
 =?UTF-8?q?=E6=97=B6=E9=97=B4=E6=A0=BC=E5=BC=8Fm-d=20H:i?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/controller/Message.php | 11 ++---------
 app/controller/Staff.php | 4 ++--
 app/service/OrderService.php | 2 +-
 3 files changed, 5 insertions(+), 12 deletions(-)

diff --git a/app/controller/Message.php b/app/controller/Message.php
index 10d3d52..0b473f3 100644
--- a/app/controller/Message.php
+++ b/app/controller/Message.php
@@ -6,7 +6,6 @@ use app\model\Message as MessageModel;
 
 class Message extends BaseController
 {
- // BUG-03: 聊天记录读取保持原有逻辑
 public function list()
 {
 $cardNo = $this->request->get('card_no', '');
@@ -30,7 +29,7 @@ class Message extends BaseController
 'cardNo' => $m['card_no'],
 'senderType' => $m['sender_type'],
 'content' => $m['content'],
- 'time' => date('H:i', strtotime($m['created_at'])),
+ 'time' => date('m-d H:i', strtotime($m['created_at'])),
 'staffId' => $m['staff_id'] ?? null,
 ];
 }, $messages);
@@ -38,7 +37,6 @@ class Message extends BaseController
 return json(['code' => 0, 'data' => $list, 'msg' => 'ok']);
 }
 
- // BUG-03: 增加输入校验 + XSS防护
 public function send()
 {
 $cardNo = $this->request->post('cardNo', '');
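Review bot: `date('m-d H:i', strtotime($m['created_at']))` still has no guard: `strtotime()` returns `false` for a null, empty or unparsable value, and without `strict_types` `date()` coerces that to `0` and prints the Unix epoch in the server timezone as a plausible-looking timestamp (with `strict_types` it is a `TypeError`); the same pattern is changed in Staff.php at both of its hunks and in OrderService.php. Dropping the year also makes `m-d` ambiguous once a conversation spans a year boundary, which neither the code nor the commit message notes. I would route all four sites through one small formatting helper that builds a `DateTimeImmutable` from the stored value, fails loudly on bad input, and owns the `'m-d H:i'` format string, so the copies cannot drift. `list()` and its `array_map` closure start before the hunk and continue after it.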
@@ -46,24 +44,19 @@ class Message extends BaseController
 $content = $this->request->post('content', '');
 $staffId = $this->request->post('staffId', null);
 
- // 必填校验
 if (empty($cardNo) || empty($content)) {
 return json(['code' => -1, 'data' => null, 'msg' => '参数不完整']);
 }
 
- // senderType 枚举校验
 if (!in_array($senderType, ['customer', 'staff', 'system'])) {
 return json(['code' => -1, 'data' => null, 'msg' => '发送者类型无效']);
 }
 
- // 内容长度校验 (DB VARCHAR 500)
 if (mb_strlen($content) > 500) {
 return json(['code' => -1, 'data' => null, 'msg' => '消息过长,最多500字']);
 }
 
- // XSS 防护 — HTML 转义
- $content = htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
-
+ // 存储原始文本,Vue 模板 {{ }} 自动转义防 XSS
 $msg = MessageModel::create([
 'card_no' => $cardNo,
 'sender_type' => $senderType,
diff --git a/app/controller/Staff.php b/app/controller/Staff.php
index 68037ad..7d19f19 100644
--- a/app/controller/Staff.php
+++ b/app/controller/Staff.php
@@ -63,7 +63,7 @@ class Staff extends BaseController
 'status' => $o['status'],
 'note' => $o['note'] ?? '',
 'remindCount' => $o['remind_count'] ?? 0,
- 'submittedAt' => date('H:i', strtotime($o['submitted_at'])),
+ 'submittedAt' => date('m-d H:i', strtotime($o['submitted_at'])),
 'items' => array_map(function ($i) {
 return [
 'name' => $i['product_name'],
@@ -108,7 +108,7 @@ class Staff extends BaseController
 'status' => $order->status,
 'note' => $order->note ?? '',
 'remindCount' => $order->remind_count ?? 0,
- 'submittedAt' => date('H:i', strtotime($order->submitted_at)),
+ 'submittedAt' => date('m-d H:i', strtotime($order->submitted_at)),
 'items' => $items,
 ],
 'msg' => 'ok',
diff --git a/app/service/OrderService.php b/app/service/OrderService.php
index 62663c3..d11b8f2 100644
--- a/app/service/OrderService.php
+++ b/app/service/OrderService.php
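Review bot: Dropping `htmlspecialchars` before `MessageModel::create` moves the XSS control from the single write path to every read path, but the new comment records only the Vue `{{ }}` case; `list()` earlier in this file returns `$m['content']` unescaped, so any consumer that uses `v-html`, concatenates the value into HTML, or is not the Vue front end at all (exports, notifications, an admin view) would now render attacker-controlled markup. I would widen the comment into a contract, e.g. `// content is stored raw: every consumer must escape it for its own output context (HTML text, attribute, JS, URL) and must never render it with v-html`. Two context lines are worth a look while here: `empty($content)` rejects a legitimate message consisting of "0", and `in_array($senderType, ['customer', 'staff', 'system'])` should pass `true` as its third argument so a non-string body value cannot satisfy the enum check. `send()` begins before the hunk and the `MessageModel::create([...])` call continues past its end.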
@@ -79,7 +79,7 @@ class OrderService
 'status' => $o['status'],
 'note' => $o['note'] ?? '',
 'remindCount' => $o['remind_count'] ?? 0,
- 'submittedAt' => date('H:i', strtotime($o['submitted_at'])),
+ 'submittedAt' => date('m-d H:i', strtotime($o['submitted_at'])),
 'items' => array_map(function ($i) {
 return [
 'name' => $i['product_name'],