Merge remote-tracking branch 'origin/V4.0' into V5

Author: sanluan

publiccms-parent/publiccms-core/src/main/java/com/publiccms/common/tools/CmsFileUtils.java

@@ -15,6 +15,7 @@
 import java.nio.file.attribute.BasicFileAttributes;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.Date;
@@ -25,6 +26,7 @@
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.ArrayUtils;
+import org.apache.pdfbox.cos.COSArray;
 import org.apache.pdfbox.cos.COSBase;
 import org.apache.pdfbox.cos.COSDictionary;
 import org.apache.pdfbox.cos.COSName;
@@ -83,28 +85,34 @@ private CmsFileUtils() {
     /**
      * 
      */
-    public static final String[] DOCUMENT_FILE_SUFFIXS = new String[] { ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".ofd" };
+    public static final String[] DOCUMENT_FILE_SUFFIXS = new String[] { ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
+            ".txt", ".md", ".ofd" };
     /**
      * 
      */
-    public static final String[] VIDEO_FILE_SUFFIXS = new String[] { ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm" };
+    public static final String[] VIDEO_FILE_SUFFIXS = new String[] { ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg",
+            ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm" };
     /**
      * 
      */
-    public static final String[] OTHER_FILE_SUFFIXS = new String[] { ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".psd" };
+    public static final String[] OTHER_FILE_SUFFIXS = new String[] { ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso",
+            ".psd" };
     /**
      * 
      */
-    public static final String[] ALLOW_FILES = ArrayUtils
-            .addAll(ArrayUtils.addAll(ArrayUtils.addAll(ArrayUtils.addAll(AUDIO_FILE_SUFFIXS, VIDEO_FILE_SUFFIXS), IMAGE_FILE_SUFFIXS), DOCUMENT_FILE_SUFFIXS), OTHER_FILE_SUFFIXS);
+    public static final String[] ALLOW_FILES = ArrayUtils.addAll(
+            ArrayUtils.addAll(ArrayUtils.addAll(ArrayUtils.addAll(AUDIO_FILE_SUFFIXS, VIDEO_FILE_SUFFIXS), IMAGE_FILE_SUFFIXS),
+                    DOCUMENT_FILE_SUFFIXS),
+            OTHER_FILE_SUFFIXS);
     /**
      * 
      */
     public static final String[] IMAGE_FILETYPES = new String[] { CmsFileUtils.FILE_TYPE_IMAGE };
     /**
      * 
      */
-    public static final String[] OTHER_FILETYPES = new String[] { CmsFileUtils.FILE_TYPE_VIDEO, CmsFileUtils.FILE_TYPE_AUDIO, CmsFileUtils.FILE_TYPE_DOCUMENT, CmsFileUtils.FILE_TYPE_OTHER };
+    public static final String[] OTHER_FILETYPES = new String[] { CmsFileUtils.FILE_TYPE_VIDEO, CmsFileUtils.FILE_TYPE_AUDIO,
+            CmsFileUtils.FILE_TYPE_DOCUMENT, CmsFileUtils.FILE_TYPE_OTHER };
 
     /**
      * 
@@ -256,7 +264,8 @@ public static List<FileInfo> getFileList(String dirPath, boolean useFilter, Stri
                 Path fileNamePath = entry.getFileName();
                 if (null != fileNamePath) {
                     String fileName = fileNamePath.toString();
-                    if (!useFilter || !fileName.endsWith(".data") && !TemplateComponent.INCLUDE_DIRECTORY.equalsIgnoreCase(fileName)) {
+                    if (!useFilter
+                            || !fileName.endsWith(".data") && !TemplateComponent.INCLUDE_DIRECTORY.equalsIgnoreCase(fileName)) {
                         BasicFileAttributes attrs = Files.readAttributes(entry, BasicFileAttributes.class);
                         fileList.add(new FileInfo(fileName, attrs.isDirectory(), attrs));
                     }
@@ -560,20 +569,46 @@ public static boolean isSafe(String filepath, String suffix) {
 
     private static boolean isSafe(List<COSObject> pdfObjects) {
         for (COSObject object : pdfObjects) {
-            COSBase realObject = object.getObject();
-            if (realObject instanceof COSDictionary) {
-                COSDictionary dic = (COSDictionary) realObject;
-                if (null != dic.getDictionaryObject(COSName.JS) || null != dic.getDictionaryObject(COSName.JAVA_SCRIPT)) {
-                    return false;
-                }
-            } else if (realObject instanceof COSName && (COSName.JS.equals(realObject) || COSName.JAVA_SCRIPT.equals(realObject))) {
+            if (isUnSafe(object)) {
                 return false;
-
             }
         }
         return true;
     }
 
+    private static boolean isUnSafe(Collection<COSBase> pdfObjects) {
+        for (COSBase object : pdfObjects) {
+            if (isUnSafe(object)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private static boolean isUnSafe(COSObject object) {
+        return isUnSafe(object.getObject());
+    }
+
+    private static boolean isUnSafe(COSBase realObject) {
+        if (realObject instanceof COSDictionary) {
+            COSDictionary dic = (COSDictionary) realObject;
+            if (null != dic.getDictionaryObject(COSName.JS) || null != dic.getDictionaryObject(COSName.JAVA_SCRIPT)) {
+                return true;
+            }
+            return isUnSafe(dic.getValues());
+        } else if (realObject instanceof COSArray) {
+            COSArray array = (COSArray) realObject;
+            for (COSBase object : array) {
+                if (isUnSafe(object)) {
+                    return true;
+                }
+            }
+        } else if (realObject instanceof COSName && (COSName.JS.equals(realObject) || COSName.JAVA_SCRIPT.equals(realObject))) {
+            return false;
+        }
+        return false;
+    }
+
     /**
      * 获取文件内容 Get file content ファイルの内容を取得します
      *
@@ -658,7 +693,8 @@ public static String getSuffix(String originalFilename) {
         if (null != originalFilename) {
             int index = originalFilename.lastIndexOf(Constants.DOT);
             if (-1 < index) {
-                return originalFilename.substring(originalFilename.lastIndexOf(Constants.DOT), originalFilename.length()).toLowerCase();
+                return originalFilename.substring(originalFilename.lastIndexOf(Constants.DOT), originalFilename.length())
+                        .toLowerCase();
             }
         }
         return null;
@@ -711,7 +747,8 @@ public static String upload(byte[] data, String fileName) throws IllegalStateExc
      * @throws IllegalStateException
      * @throws IOException
      */
-    public static String upload(byte[] data, String fileName, String originalName, String metadataPath) throws IllegalStateException, IOException {
+    public static String upload(byte[] data, String fileName, String originalName, String metadataPath)
+            throws IllegalStateException, IOException {
         File dest = new File(fileName);
         dest.getParentFile().mkdirs();
         FileUtils.writeByteArrayToFile(dest, data);

publiccms-parent/publiccms-core/src/main/resources/initialization/sql/V4.0.202406-V4.0.202506.sql

@@ -340,4 +340,6 @@ INSERT INTO `sys_module_lang` VALUES ('place_import', 'ja', '導入');
 INSERT INTO `sys_module_lang` VALUES ('place_import', 'zh', '导入');
 -- 2025-06-25 --
 DELETE FROM sys_module_lang WHERE module_id in ('myself_content_view','myself_process_view');
-UPDATE sys_module SET menu = 0 WHERE id = 'content_check';
+UPDATE sys_module SET menu = 0 WHERE id = 'content_check';
+--2025-12-05 --
+UPDATE sys_module SET has_child = 1 WHERE id = 'myself_profile'; 

publiccms-parent/publiccms-core/src/main/resources/initialization/sql/init.sql

@@ -973,7 +973,7 @@ INSERT INTO `sys_module` VALUES ('myself_device', 'myself/userDeviceList', 'sysA
 INSERT INTO `sys_module` VALUES ('myself_log_login', 'myself/logLogin', NULL, 'icon-signin', 'myself', 1, 0, 4);
 INSERT INTO `sys_module` VALUES ('myself_log_operate', 'myself/logOperate', NULL, 'icon-list-alt', 'myself', 1, 0, 3);
 INSERT INTO `sys_module` VALUES ('myself_password', 'myself/password', 'changePassword', NULL, 'myself_profile', 1, 0, 0);
-INSERT INTO `sys_module` VALUES ('myself_profile', 'myself/profile', 'sysUser/update,myself/otpsettings,otpSetting/bind,otpSetting/unbind,webauthn/attestation/options,webauthn/attestation/result,webauthn/getCredentials,webauthn/deleteCredential', 'icon-user', 'myself', 1, 0, 0);
+INSERT INTO `sys_module` VALUES ('myself_profile', 'myself/profile', 'sysUser/update,myself/otpsettings,otpSetting/bind,otpSetting/unbind,webauthn/attestation/options,webauthn/attestation/result,webauthn/getCredentials,webauthn/deleteCredential', 'icon-user', 'myself', 1, 1, 0);
 INSERT INTO `sys_module` VALUES ('myself_token', 'myself/userTokenList', 'sysUserToken/delete', 'icon-unlock-alt', 'myself', 1, 0, 5);
 INSERT INTO `sys_module` VALUES ('operation', NULL, NULL, 'bi bi-binoculars-fill', NULL, 1, 1, 7);
 INSERT INTO `sys_module` VALUES ('order_confirm', 'tradeOrder/confirmParameters', 'tradeOrder/confirm', NULL, 'order_list', 0, 0, 0);

publiccms-parent/publiccms/src/main/resources/templates/admin/cmsDictionary/add.html

@@ -38,7 +38,7 @@
                 <dt><@t.page 'id'/>:</dt>
                 <dd>
                     <input name="oldId" type="hidden" value="${(a.id.id)!}"/>
-                    <input class="required" name="id.id" remote="cmsDictionary/virify<#if id?has_content>?oldId=${(a.id.id)!}</#if>" data-msg-remote="<@t.message 'verify.hasExist.code'/>" type="text" size="20" maxlength="20" value="${(a.id.id)!}"/>
+                    <input class="required" name="id.id" remote="cmsDictionary/virify<#if id?has_content>?oldId=${(a.id.id?url)!}</#if>" data-msg-remote="<@t.message 'verify.hasExist.code'/>" type="text" size="20" maxlength="20" value="${(a.id.id)!}"/>
                 </dd>
             </dl>
             <dl class="nowrap">

publiccms-parent/publiccms/src/main/resources/templates/admin/cmsDictionary/addChild.html

@@ -3,7 +3,7 @@
     <@cms.dictionaryDataList dictionaryId=dictionaryId parentValue=parentValue>
         <#list list as d>
         <li>
-            <a href="cmsDictionary/add.html?id=${object.id.id}&parentValue=${d.id.value}" target="navTab" rel="cmsDictionary/edit" title="<@t.page 'dictionary.edit'/>">${d.id.value}:${d.text}</a>
+            <a href="cmsDictionary/add.html?id=${object.id.id?url}&parentValue=${d.id.value}?url" target="navTab" rel="cmsDictionary/edit" title="<@t.page 'dictionary.edit'/>">${d.id.value}:${d.text}</a>
             <#if depth gt 1>
                 <@dictionaryTree dictionaryId=dictionaryId parentValue=d.id.value depth=depth-1/>
             </#if>
@@ -15,12 +15,12 @@
 <div class="pageFormContent" layoutH>
 <@cms.dictionary id=id>
     <ul class="tree treeFolder">
-        <li><a href="cmsDictionary/add.html?id=${object.id.id}" target="navTab" rel="cmsDictionary/edit"><i class="icon-edit"></i><@t.page 'dictionary.edit'/></a></li>
+        <li><a href="cmsDictionary/add.html?id=${object.id.id?url}" target="navTab" rel="cmsDictionary/edit"><i class="icon-edit"></i><@t.page 'dictionary.edit'/></a></li>
         <#if object.childDepth gt 0>
 <@cms.dictionaryDataList dictionaryId=object.id.id>
     <#list list as d>
         <li>
-            <a href="cmsDictionary/add.html?id=${object.id.id}&parentValue=${d.id.value}" target="navTab" rel="cmsDictionary/edit" title="<@t.page 'dictionary.edit'/>"> ${d.id.value}:${d.text}</a>
+            <a href="cmsDictionary/add.html?id=${object.id.id?url}&parentValue=${d.id.value?url}" target="navTab" rel="cmsDictionary/edit" title="<@t.page 'dictionary.edit'/>"> ${d.id.value}:${d.text}</a>
             <#if object.childDepth gt 1>
                 <@dictionaryTree dictionaryId=id parentValue=d.id.value depth=object.childDepth-1/>
             </#if>

publiccms-parent/publiccms/src/main/resources/templates/admin/cmsDictionary/excludeTree.html

@@ -8,7 +8,7 @@
             <@cms.dictionaryExcludeValue dictionaryId=id excludeDictionaryId=excludeDictionaryId values=t.values><#assign excludeValueMap=map/></@cms.dictionaryExcludeValue>
             <#list list as d>
                 <li>
-                    <a href="cmsDictionary/excludeValue.html?id=${dictionaryId}&excludeDictionaryId=${excludeDictionaryId}&value=${d.id.value}&parentValue=${parentValue}" target="navTab" rel="cmsDictionary/excludeValue" title="<@t.page 'dictionary.exclude'/>">${d.id.value}:${d.text} <#if excludeValueMap[d.id.value]?has_content>(<@t.page 'dictionary.exclude_value'/>:<@cms.dictionaryData dictionaryId=excludeDictionaryId values=excludeValueMap[d.id.value].excludeValues><#list map as k,v>${v.text!}<#sep>,</#list></@cms.dictionaryData>)</#if></a>
+                    <a href="cmsDictionary/excludeValue.html?id=${dictionaryId?url}&excludeDictionaryId=${excludeDictionaryId?url}&value=${d.id.value?url}&parentValue=${parentValue?url}" target="navTab" rel="cmsDictionary/excludeValue" title="<@t.page 'dictionary.exclude'/>">${d.id.value}:${d.text} <#if excludeValueMap[d.id.value]?has_content>(<@t.page 'dictionary.exclude_value'/>:<@cms.dictionaryData dictionaryId=excludeDictionaryId values=excludeValueMap[d.id.value].excludeValues><#list map as k,v>${v.text!}<#sep>,</#list></@cms.dictionaryData>)</#if></a>
                     <@dictionaryTree dictionaryId=dictionaryId excludeDictionaryId=excludeDictionaryId parentValue=d.id.value depth=depth-1/>
                 </li>
             </#list>
@@ -27,7 +27,7 @@
         <ul class="tree treeFolder">
         <#if excludeDictionaryId?has_content>
             <li>
-                <a href="cmsDictionary/excludeTree.html?id=${object.id.id}" target="navTab" rel="cmsDictionary/excludeTree" title="<@t.page 'button.return'/>">
+                <a href="cmsDictionary/excludeTree.html?id=${object.id.id?url}" target="navTab" rel="cmsDictionary/excludeTree" title="<@t.page 'button.return'/>">
                     <@t.page 'button.return'/>
                 </a>
             </li>
@@ -38,7 +38,7 @@
                 <@cms.dictionaryExcludeValue dictionaryId=id excludeDictionaryId=excludeDictionaryId values=t.values><#assign excludeValueMap=map/></@cms.dictionaryExcludeValue>
                 <#list list as d>
             <li>
-                <a href="cmsDictionary/excludeValue.html?id=${object.id.id}&excludeDictionaryId=${excludeDictionaryId}&value=${d.id.value}" target="navTab" rel="cmsDictionary/excludeValue" title="<@t.page 'dictionary.exclude'/>"> ${d.id.value}:${d.text} <#if excludeValueMap[d.id.value]?has_content>(<@t.page 'dictionary.exclude_value'/>:<@cms.dictionaryData dictionaryId=excludeDictionaryId values=excludeValueMap[d.id.value].excludeValues><#list map as k,v>${v.text!}<#sep>,</#list></@cms.dictionaryData>)</#if></a>
+                <a href="cmsDictionary/excludeValue.html?id=${object.id.id?url}&excludeDictionaryId=${excludeDictionaryId?url}&value=${d.id.value?url}" target="navTab" rel="cmsDictionary/excludeValue" title="<@t.page 'dictionary.exclude'/>"> ${d.id.value}:${d.text} <#if excludeValueMap[d.id.value]?has_content>(<@t.page 'dictionary.exclude_value'/>:<@cms.dictionaryData dictionaryId=excludeDictionaryId values=excludeValueMap[d.id.value].excludeValues><#list map as k,v>${v.text!}<#sep>,</#list></@cms.dictionaryData>)</#if></a>
                 <#if object.childDepth gt 0>
                 <@dictionaryTree dictionaryId=id excludeDictionaryId=excludeDictionaryId parentValue=d.id.value depth=object.childDepth-1/>
                 </#if>
@@ -47,12 +47,12 @@
             </@cms.dictionaryDataList>
         <#else>
             <li>
-                <a href="cmsDictionary/exclude.html?id=${object.id.id}" target="navTab" rel="cmsDictionary/exclude"><i class="icon-edit"></i><@t.page 'dictionary.exclude'/></a>
+                <a href="cmsDictionary/exclude.html?id=${object.id.id?url}" target="navTab" rel="cmsDictionary/exclude"><i class="icon-edit"></i><@t.page 'dictionary.exclude'/></a>
             </li>
             <@cms.dictionaryExcludeList dictionaryId=object.id.id>
                 <#list list as d>
             <li>
-                <a href="cmsDictionary/excludeTree.html?id=${object.id.id}&excludeDictionaryId=${d.id.excludeDictionaryId}"  target="navTab" rel="cmsDictionary/excludeTree"> <@cms.dictionary id=d.id.excludeDictionaryId>${object.name}</@cms.dictionary></a>
+                <a href="cmsDictionary/excludeTree.html?id=${object.id.id?url}&excludeDictionaryId=${d.id.excludeDictionaryId?url}"  target="navTab" rel="cmsDictionary/excludeTree"> <@cms.dictionary id=d.id.excludeDictionaryId>${object.name}</@cms.dictionary></a>
             </li>
                 </#list>
             </@cms.dictionaryExcludeList>

publiccms-parent/publiccms/src/main/resources/templates/admin/cmsDictionary/list.html

@@ -60,16 +60,16 @@
                 <td>${a.childDepth}</td>
                 <td class="wrap">
                 <#if a.childDepth gt 0>
-                    <a href="cmsDictionary/addChild.html?id=${a.id.id}" class="edit btnText blue" target="dialog" mask="true"><i class="icon-edit"></i><@t.page 'button.edit'/></a>
+                    <a href="cmsDictionary/addChild.html?id=${a.id.id?url}" class="edit btnText blue" target="dialog" mask="true"><i class="icon-edit"></i><@t.page 'button.edit'/></a>
                 <#else>
-                    <a href="cmsDictionary/add.html?id=${a.id.id}" class="edit btnText blue" target="navTab" rel="cmsDictionary/edit"><i class="icon-edit"></i><@t.page 'button.edit'/></a>
+                    <a href="cmsDictionary/add.html?id=${a.id.id?url}" class="edit btnText blue" target="navTab" rel="cmsDictionary/edit"><i class="icon-edit"></i><@t.page 'button.edit'/></a>
                 </#if>
                 <#if !site.parentId?has_content && authorizedMap['cmsDictionary/export']>
-                    <a href="cmsDictionary/export?id=${a.id.id}&_csrf=<@tools.csrfToken admin=true/>" class="edit btnText" target="_blank"><i class="bi bi-cloud-download"></i><@t.page "button.export"/></a>
+                    <a href="cmsDictionary/export?id=${a.id.id?url}&_csrf=<@tools.csrfToken admin=true/>" class="edit btnText" target="_blank"><i class="bi bi-cloud-download"></i><@t.page "button.export"/></a>
                 </#if>
-                <a href="cmsDictionary/excludeTree.html?id=${a.id.id}" class="btnText blue" target="navTab" rel="cmsDictionary/excludeTree" title="${a.name!}"><i class="bi bi-exclude"></i><@t.page 'dictionary.exclude'/></a>
+                <a href="cmsDictionary/excludeTree.html?id=${a.id.id?url}" class="btnText blue" target="navTab" rel="cmsDictionary/excludeTree" title="${a.name!}"><i class="bi bi-exclude"></i><@t.page 'dictionary.exclude'/></a>
                 <#if !site.parentId?has_content && authorizedMap['cmsDictionary/delete']>
-                    <a href="cmsDictionary/delete?ids=${a.id.id}&_csrf=<@tools.csrfToken admin=true/>" class="btnText warn" title="<@t.page 'confirm.delete'/>" target="ajaxTodo"><i class="icon-trash"></i><@t.page 'button.delete'/></a>
+                    <a href="cmsDictionary/delete?ids=${a.id.id?url}&_csrf=<@tools.csrfToken admin=true/>" class="btnText warn" title="<@t.page 'confirm.delete'/>" target="ajaxTodo"><i class="icon-trash"></i><@t.page 'button.delete'/></a>
                 </#if>
                 </td>
             </tr>

publiccms-parent/publiccms/src/main/resources/templates/admin/include_page/extend/dictionary.html

@@ -12,11 +12,11 @@
         </#if>
         <#if 'customform'!=type>
             <@sys.authorized roleIds=admin.roles url='cmsDictionary/add'>
-                <a class="button" href="common/dictionary.html?id=${dictionary.id.id}&inputName=${inputName?url}&required=${extend.required!}&multiple=${extend.multiple!}&value=${value!}" target="ajax" rel="${dictionaryId}"><i class="icon-refresh"></i><@t.page 'button.refresh'/></a>
+                <a class="button" href="common/dictionary.html?id=${dictionary.id.id?url}&inputName=${inputName?url}&required=${extend.required!}&multiple=${extend.multiple!}&value=${value!}" target="ajax" rel="${dictionaryId}"><i class="icon-refresh"></i><@t.page 'button.refresh'/></a>
                 <#if dictionary.childDepth gt 0>
-                    <a class="button" href="cmsDictionary/addChild.html?id=${dictionary.id.id}" target="dialog" mask="true"><@t.page 'dictionary.edit'/></a>
+                    <a class="button" href="cmsDictionary/addChild.html?id=${dictionary.id.id?url}" target="dialog" mask="true"><@t.page 'dictionary.edit'/></a>
                 <#else>
-                    <a class="button" href="cmsDictionary/add.html?id=${dictionary.id.id}" target="navTab" rel="cmsDictionary/edit"><@t.page 'dictionary.edit'/></a>
+                    <a class="button" href="cmsDictionary/add.html?id=${dictionary.id.id?url}" target="navTab" rel="cmsDictionary/edit"><@t.page 'dictionary.edit'/></a>
                 </#if>
             </@sys.authorized>
         </#if>