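_RISKY_MARKERS = (
    'drop', 'alert', 'script', 'onload', 'import url', 'expression', 'meta',
    'link', 'frame', 'iframe', 'onerror', 'onunload', 'onkey', 'onmouse',
)


def _has_risky_markup(text):
    """Return True if *text* contains any blocklisted substring (case-insensitive).

    This is the coarse heuristic carried over from the original filter: it is a
    plain substring match, so ordinary words such as "dropdown" or "metal" also
    trip it, and it is not a substitute for escaping the comment when it is
    rendered (which happens outside this function).
    """
    lowered = text.lower()
    return any(marker in lowered for marker in _RISKY_MARKERS)


def _find_duplicate(res):
    """Return an existing Comment with the same email, page, text and name, or None.

    Replaces the original "fetch every comment by this email and compare in
    Python" loop with one filtered query.
    """
    return Comment.query.filter_by(
        cemail=res['cemail'],
        cwz=res['cwz'],
        ctext=res['ctext'],
        cname=res['cname'],
    ).first()


def web_tpush():
    """Flask view: store a comment submitted through ``request.form``.

    Form fields read: ``cname``, ``cemail``, ``curl``, ``text``, ``path``.
    A missing field raises ``KeyError`` (Flask answers with 400), as before.

    Returns a JSON response: ``{'r': 0, 'rs': ...}`` when the comment was
    stored, ``{'r': 1, 'error': ...}`` when it was rejected.

    Checks run in this order: duplicate -> risky markup -> email format ->
    persist. The comment is stored as approved (``cemail_allow=True``) only
    when an earlier comment from the same address is already approved;
    otherwise it is stored unapproved and waits for review.

    Changes from the previous version: validation now runs *before* any
    database write (previously an address with an approved earlier comment
    was committed before the markup and email checks, bypassing both); the
    dead ``cm['cemail_hash']`` branch and the bare ``except: pass`` blocks
    are gone, so a failing commit is no longer silently swallowed and
    retried; the debug ``print`` of the submission (which echoed the
    address to stdout) is removed.
    """
    res = {
        'cname': request.form['cname'],
        'cemail': request.form['cemail'],
        # Read for parity with the original form handling; it is not stored
        # on the Comment row.
        'curl': request.form['curl'],
        'ctext': request.form['text'],
        'cwz': request.form['path'],
    }

    if _find_duplicate(res) is not None:
        return jsonify({'r': 1, 'error': '已经评论过了'})

    # Reject before touching the database so that no branch below can
    # persist content that failed these checks.
    if _has_risky_markup(res['ctext']):
        return jsonify({'r': 1, 'error': '评论存在风险,已经拿小本本记下来了'})
    if not validateEmail(res['cemail']):
        return jsonify({'r': 1, 'error': '邮件格式错误'})

    addcm = Comment(
        cname=res['cname'],
        cemail=res['cemail'],
        cwz=res['cwz'],
        ctext=res['ctext'],
    )
    addcm.ctime = datetime.now()
    # MD5 of the address is an identifier derived from the email (presumably
    # for an avatar service -- confirm against the template), not a security
    # primitive; kept as-is because stored rows depend on this exact value.
    addcm.cemail_hash = hashlib.md5(res['cemail'].encode('utf-8')).hexdigest()

    # NOTE(review): auto-approval is keyed on the submitted, unauthenticated
    # email field -- whoever submits an address with an approved earlier
    # comment gets the same treatment. This trust model is unchanged from
    # the original; it now only applies after the checks above.
    previous = Comment.query.filter_by(cemail=res['cemail']).first()
    approved = previous is not None and bool(previous.cemail_allow)
    addcm.cemail_allow = approved

    db.session.add(addcm)
    db.session.commit()

    if approved:
        return jsonify({'r': 0, 'rs': '评论成功'})
    return jsonify({'r': 0, 'rs': '评论正在审核ing'})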