<%@page import="jcms.util.SafeUtil"%>
<%@page import="java.util.UUID"%>
<%@page language="java" contentType="text/html; charset=UTF-8"%>
<%@page import="com.hanweb.common.util.Convert"%>
<%@page import="com.hanweb.common.util.DateFormat"%>
<%@page import="jcms.entity.module.Jcms_Idea_RevertEntity"%>
<%@page import="jcms.blf.module.idea.RevertBLF"%>
<%@page import="jcms.entity.module.Jcms_Idea_TopicEntity"%>
<%@page import="jcms.blf.module.idea.TopicBLF"%>
<%@page import="java.util.Date"%>
<%@page import="jcms.util.AccessUtil"%>
<%@page import="java.io.File"%>
<%--
  Public "submit an opinion" page for an idea topic (JCMS idea module).

  Flow (everything is inline scriptlet code, there are no named functions):
    1. Source/access check (AccessUtil.checkAccess) and per-session CSRF token ("crumb").
    2. Read the per-site form configuration from module/idea/config/config.xml
       (which fields are shown / required, whether a captcha is used).
    3. Resolve the topic (topicid) and refuse submissions outside its begin/end dates.
    4. Read and blacklist-filter every form parameter (SafeUtil.isSqlAndXss).
    5. On action=A: verify the crumb, verify the captcha, then insert a
       Jcms_Idea_RevertEntity through RevertBLF and redirect the parent frame.
    6. On any other request: build the select options and issue a fresh crumb
       for the form rendered below.

  Responses to the browser are emitted as script snippets via Convert.getAlterScript
  (presumably wrapping the given JavaScript in a script element — confirm).

  NOTE(review): this corpus copy of the page had its HTML tags stripped; the
  "+workArray[i]+" loop near the end is visibly damaged by that and the form
  markup below is reduced to its label text.
--%>
意见编辑
<%
    // Request-source check. The original comment labels this as anti-CSRF; what
    // AccessUtil.checkAccess actually inspects (Referer/Origin?) is not visible here — confirm.
    if(!AccessUtil.checkAccess(request)){ // block cross-site request forgery
        out.print(Convert.getAlterScript("location.href='../../';"));
        return;
    }
    /* CSRF defence: per-session token. It is (re)issued at the end of this scriptlet
       on every non-submit render and must be echoed back as the "crumb" parameter
       when action=A. Note that re-rendering the form overwrites the token, so an
       older open form in the same session stops validating — confirm that is intended. */
    String crumb = (String) session.getAttribute("crumb");
    // get appId — hard-coded, so the strAppID.equals("") guard further down is unreachable
    String strAppID = "1";
    // get webid — parsed as an int (third argument presumably the default when absent/invalid),
    // so the value spliced into strPath below cannot carry path-traversal characters
    int nWebID = Convert.getParameterInt(request,"webid",1);
    // external (plug-in) file path: <webapp root>/jcms_files/jcms1/web<nWebID>/site/
    String strSysPath = application.getRealPath("");
    String strPath = strSysPath + File.separator + "jcms_files" + File.separator + "jcms" + strAppID + File.separator + "web" + nWebID + File.separator + "site" + File.separator;
    String strFilePath = strPath + "module/idea/config/config.xml";
    // Per-site form configuration. Every *Open flag decides whether a field is rendered
    // and every *Must flag whether it is marked as required; all are compared to "on".
    // NOTE(review): `xmlFile` is neither declared nor imported in this copy of the page;
    // presumably it comes from an include outside this view — confirm.
    String valicodeOpen = xmlFile.getContent("valicodeopen",strFilePath);
    String publisherOpen = xmlFile.getContent("publisheropen",strFilePath);
    String publisherMust = xmlFile.getContent("publishermust",strFilePath);
    String mailOpen = xmlFile.getContent("mailopen",strFilePath);
    String mailMust = xmlFile.getContent("mailmust",strFilePath);
    String phoneOpen = xmlFile.getContent("phoneopen",strFilePath);
    String phoneMust = xmlFile.getContent("phonemust",strFilePath);
    String qqOpen = xmlFile.getContent("qqopen",strFilePath);
    String qqMust = xmlFile.getContent("qqmust",strFilePath);
    String msnOpen = xmlFile.getContent("msnopen",strFilePath);
    String msnMust = xmlFile.getContent("msnmust",strFilePath);
    String addressOpen = xmlFile.getContent("addressopen",strFilePath);
    String addressMust = xmlFile.getContent("addressmust",strFilePath);
    String mailcodeOpen = xmlFile.getContent("mailcodeopen",strFilePath);
    String mailcodeMust = xmlFile.getContent("mailcodemust",strFilePath);
    String workOpen = xmlFile.getContent("workopen",strFilePath);
    String workMust = xmlFile.getContent("workmust",strFilePath);
    String titleOpen = xmlFile.getContent("titleopen",strFilePath);
    String titleMust = xmlFile.getContent("titlemust",strFilePath);
    String topicOpen = xmlFile.getContent("topicopen",strFilePath);
    String workItems = xmlFile.getContent("workitems",strFilePath);
    String jobOpen = xmlFile.getContent("jobopen",strFilePath);
    String jobMust = xmlFile.getContent("jobmust",strFilePath);
%>
<%
    // Topic being commented on. No default is passed here, so a missing/invalid
    // topicid presumably yields 0 (confirm Convert.getParameterInt), which skips
    // the existence and date-window checks below but still allows an insert with
    // i_topicid = 0 — confirm whether topic-less submissions are intended.
    int topicId = Convert.getParameterInt(request,"topicid");
    // strAppID is the constant "1", so only an explicit webid=0 reaches this branch.
    if(strAppID.equals("")||nWebID==0){
        out.println(Convert.getAlterScript("alert('参数错误!');"));
        out.println(Convert.getAlterScript("window.close();"));
        return;
    }
    TopicBLF topicBLF = new TopicBLF(strAppID,nWebID);
    String topicname="";
    if(topicId!=0){
        // The fresh entity is immediately replaced by the lookup result (dead allocation).
        Jcms_Idea_TopicEntity topic_entity = new Jcms_Idea_TopicEntity();
        topic_entity = topicBLF.getList(topicId);
        if(topic_entity==null){
            out.println(Convert.getAlterScript("alert('该议题已被删除!');"));
            out.println(Convert.getAlterScript("top.window.close();"));
            return;
        }
        topicname=topic_entity.getvc_title();
        // Collection window at day granularity (all three dates are formatted as
        // yyyy-MM-dd); before()/after() are strict, so the begin and end days
        // themselves are accepted.
        Date nowDate = DateFormat.getDate(DateFormat.getStrCurrentDate("yyyy-MM-dd"),"yyyy-MM-dd");
        Date beginDate = DateFormat.getDate(topic_entity.getdt_begindate(), "yyyy-MM-dd");
        Date endDate = DateFormat.getDate(topic_entity.getdt_enddate(), "yyyy-MM-dd");
        if(nowDate.before(beginDate)){
            out.println(Convert.getAlterScript("alert('该议题尚未开始意见征集!');"));
            out.println(Convert.getAlterScript("window.close();"));
            return;
        }else if(nowDate.after(endDate)){
            out.println(Convert.getAlterScript("alert('该议题已结束意见征集!');"));
            out.println(Convert.getAlterScript("window.close();"));
            return;
        }
    }
    // ---- Form parameters -------------------------------------------------------
    // Each value is read with a "" default (the two trailing boolean flags presumably
    // control trimming/escaping — confirm against Convert) and rejected outright if
    // SafeUtil.isSqlAndXss flags it.
    // NOTE(review): a blacklist filter is only a secondary defence. SQL injection is
    // properly prevented by parameterized statements inside RevertBLF and XSS by
    // output-encoding these fields wherever they are rendered; neither is visible
    // from this page — confirm both.
    String action = Convert.getParameter(request,"action","",true,true);
    if(SafeUtil.isSqlAndXss(action)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    // Opinion body; whitespace is preserved (NoTrim variant).
    String content = Convert.getParameterNoTrim(request,"vc_Content",true,true);
    if(SafeUtil.isSqlAndXss(content)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    String sendName = Convert.getParameter(request,"vc_SendName","",true,true);
    if(SafeUtil.isSqlAndXss(sendName)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    String tel = Convert.getParameter(request,"vc_Tel","",true,true);
    if(SafeUtil.isSqlAndXss(tel)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    String qq = Convert.getParameter(request,"vc_Qq","",true,true);
    if(SafeUtil.isSqlAndXss(qq)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    String msn = Convert.getParameter(request,"vc_Msn","",true,true);
    if(SafeUtil.isSqlAndXss(msn)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    String email = Convert.getParameter(request,"vc_Email","",true,true);
    if(SafeUtil.isSqlAndXss(email)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    String address = Convert.getParameter(request,"vc_Address","",true,true);
    if(SafeUtil.isSqlAndXss(address)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    String mailCode = Convert.getParameter(request,"vc_MailCode","",true,true);
    if(SafeUtil.isSqlAndXss(mailCode)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    // Sender IP as stored on the record.
    // NOTE(review): this comes from a request parameter (presumably echoed back from
    // a hidden field on the form), i.e. it is client-controlled and trivially spoofed.
    // Deriving it here from request.getRemoteAddr() (or a proxy header that is only
    // trusted from known proxies) would make the stored IP meaningful.
    String ip = Convert.getParameter(request,"vc_IP","",true,true);
    if(SafeUtil.isSqlAndXss(ip)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    // Keep only the first entry of a comma-separated list (X-Forwarded-For style).
    if(ip.length() >0 && ip.indexOf(",") != -1){
        ip = ip.substring(0, ip.indexOf(","));
    }
    // Submission timestamp (dt_senddate).
    // NOTE(review): also client-supplied; the server clock at insert time would be
    // the trustworthy source.
    String date = Convert.getParameter(request,"vc_Date","",true,true);
    if(SafeUtil.isSqlAndXss(date)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    // Captcha answer typed by the user; compared against session attribute "idea" below.
    String code = Convert.getParameter(request,"vc_ValiCode","",true,true);
    if(SafeUtil.isSqlAndXss(code)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    String work = Convert.getParameter(request,"vc_Work","",true,true);
    if(SafeUtil.isSqlAndXss(work)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    String title = Convert.getParameter(request,"vc_Title","",true,true);
    if(SafeUtil.isSqlAndXss(title)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    // Read and filtered, but never copied onto the entity below (no setvc_job call) —
    // either the entity has no such field or this is an omission; confirm.
    String job = Convert.getParameter(request,"vc_Job","",true,true);
    if(SafeUtil.isSqlAndXss(job)) {
        out.println("参数包含非法字符,禁止访问");
        return;
    }
    // ---- Submission (action=A) -------------------------------------------------
    if(action.equals("A")){
        // CSRF token check: the session must hold a crumb and the posted one must match it.
        if (crumb == null || crumb.length() == 0) {
            out.println(Convert.getAlterScript("alert('session已失效!');"));
            return;
        } else {
            String crumbParameter = Convert.getParameter(request, "crumb");
            if(SafeUtil.isSqlAndXss(crumbParameter)) {
                out.println("参数包含非法字符,禁止访问");
                return;
            }
            // NOTE(review): String.equals is not constant-time; MessageDigest.isEqual on
            // the UTF-8 bytes would remove the (low-risk, per-session) timing channel.
            if (crumbParameter.length() == 0 || !crumbParameter.equals(crumb)) {
                out.println(Convert.getAlterScript("alert('session已失效!');"));
                return;
            }
        }
        // Captcha check when enabled. `code` is never null (default ""), so a missing
        // session value makes equals() false and the submission is rejected.
        // NOTE(review): the session value "idea" is not cleared after a successful
        // comparison here, so the same code stays valid for further posts in this
        // session unless que_code.jsp rotates it — consider session.removeAttribute("idea")
        // once it has been accepted.
        if (valicodeOpen.equals("on")&&!code.equals(session.getAttribute("idea"))) {
            // Wrong captcha: clear the field and reload the image in the parent frame
            // (Math.random() is only a cache-buster on the image URL).
            out.println(Convert.getAlterScript("alert('验证码输入错误');parent.document.getElementById('vc_ValiCode').value='';" + "parent.document.getElementById('rand').src='./que_code.jsp?random=" + Math.random() + "'"));
            return;
        }else{
            // NOTE(review): the *Must flags read from config.xml are not enforced here;
            // the insert proceeds with empty values, so "required" appears to rely on
            // client-side validation (not present in this copy) — confirm.
            Jcms_Idea_RevertEntity entity = new Jcms_Idea_RevertEntity();
            RevertBLF blf = new RevertBLF(strAppID,nWebID);
            entity.seti_topicid(topicId);
            entity.setvc_content(content);
            entity.setvc_sendname(sendName);
            entity.setvc_tel(tel);
            entity.setvc_qq(qq);
            entity.setvc_msn(msn);
            entity.setvc_email(email);
            entity.setvc_address(address);
            entity.setvc_mailcode(mailCode);
            entity.setvc_ip(ip);
            entity.setdt_senddate(date);
            entity.setvc_work(work);
            entity.setvc_title(title);
            if(blf.doInsertExcute(entity)){
                out.println(Convert.getAlterScript("alert('意见发表成功,请等待管理员审核!')"));
            }else{
                out.println(Convert.getAlterScript("alert('意见发表失败!')"));
            }
            // Redirect the parent frame back to the list; all interpolated values are
            // ints or the constant "1", so nothing client-controlled reaches the URL.
            out.println(Convert.getAlterScript("parent.location.href='./opr_revert.jsp?webid="+nWebID +"&appid="+strAppID+"&topicid="+topicId+"'"));
        }
    }
    // ---- Form rendering support ------------------------------------------------
    // Occupation options from the comma-separated "workitems" config value.
    // NOTE(review): the loop below is garbled in this corpus copy (HTML-tag stripping
    // removed the loop condition and the option markup); read it from the repository
    // rather than from here.
    String workOptions = "";
    if(workItems.length()>0){
        String[] workArray = workItems.split(",");
        if(workArray.length>0){
            for(int i=0;i"+workArray[i]+""; }
    }
    // Topic select options, with the current topic's title preselected; the HTML is
    // produced by the BLF, so its escaping is not visible here.
    String topicOptions = topicBLF.getTopicOptions(topicname);
    if(!action.equals("A")){
        /* CSRF defence: issue a fresh token for the form about to be rendered.
           UUID.randomUUID() is backed by a cryptographically strong RNG. */
        crumb = UUID.randomUUID().toString();
        session.setAttribute("crumb", crumb);
    }
%>
" /> <%if(publisherOpen.equals("on")){%> <%}%> <%if(mailOpen.equals("on")){%> <%}%> <%if(phoneOpen.equals("on")){%> <%}%> <%if(workOpen.equals("on")){%> <%}%> <%if(qqOpen.equals("on")){%> <%}%> <%if(msnOpen.equals("on")){%> <%}%> <%if(addressOpen.equals("on")){%> <%}%> <%if(mailcodeOpen.equals("on")){%> <%}%><%if(topicOpen.equals("on")){%> <%}%> <%if(titleOpen.equals("on")){%> <%}%> <%if(valicodeOpen.equals("on")){ %> <%}%>
发表人:  <%if(publisherMust.equals("on")){%>*<%}%>
电子邮箱:  <%if(mailMust.equals("on")){%>*<%}%>
联系电话:  <%if(phoneMust.equals("on")){%>*<%}%>
您的职业:  <%if(workMust.equals("on")){%>*<%}%>
QQ:  <%if(qqMust.equals("on")){%>*<%}%>
MSN:  <%if(msnMust.equals("on")){%>*<%}%>
联系地址:  <%if(addressMust.equals("on")){%>*<%}%>
邮政编码:  <%if(mailcodeMust.equals("on")){%>*<%}%>
议题:  *
标题:  <%if(titleMust.equals("on")){%>*<%}%> (最多25个字)
意见内容:  *
验证码:  *