From fb6c6bffe2d8eb756aa9088f8f71fd4ec86b4944 Mon Sep 17 00:00:00 2001
From: Karson
Date: Tue, 29 Aug 2017 19:10:38 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E8=8F=9C=E5=8D=95=E6=97=A0?= =?UTF-8?q?=E6=B3=95=E9=80=9A=E8=BF=87=E5=91=BD=E4=BB=A4=E8=A1=8C=E5=88=A0?= =?UTF-8?q?=E9=99=A4=E7=9A=84BUG=20=E4=BF=AE=E5=A4=8D=E8=AF=AD=E8=A8=80?= =?UTF-8?q?=E6=A0=87=E8=AF=86=E5=8F=AF=E8=83=BD=E5=AF=BC=E8=87=B4=E7=9A=84?= =?UTF-8?q?XSS=E7=9A=84BUG=20=E4=BF=AE=E5=A4=8D=E8=B7=AF=E7=94=B1=E6=9C=AA?= =?UTF-8?q?=E5=AF=B9admin=E6=A8=A1=E5=9D=97=E5=A4=B1=E6=95=88=E7=9A=84BUG?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 application/admin/command/Menu.php | 3 +--
 application/common/controller/Backend.php | 2 +-
 application/common/controller/Frontend.php | 2 +-
 application/route.php | 2 +-
 4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/application/admin/command/Menu.php b/application/admin/command/Menu.php
index 04164673..4fc80c10 100644
--- a/application/admin/command/Menu.php
+++ b/application/admin/command/Menu.php
@@ -31,7 +31,6 @@ class Menu extends Command
 {
 $this->model = new AuthRule();
 $adminPath = dirname(__DIR__) . DS;
- $moduleName = 'admin';
 //控制器名
 $controller = $input->getOption('controller') ?: '';
 if (!$controller)
@@ -47,7 +46,7 @@ class Menu extends Command
 throw new Exception("could not delete all menu");
 }
 $ids = [];
- $list = $this->model->where('name', 'like', "/{$moduleName}/" . strtolower($controller) . "%")->select();
+ $list = $this->model->where('name', 'like', strtolower($controller) . "%")->select();
 foreach ($list as $k => $v)
 {
 $output->warning($v->name);
diff --git a/application/common/controller/Backend.php b/application/common/controller/Backend.php
index 52277ff5..7c5b56d9 100644
--- a/application/common/controller/Backend.php
+++ b/application/common/controller/Backend.php
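Review bot: In the second Menu.php hunk the new `like` pattern is the bare prefix `strtolower($controller) . "%"` with no separator, so asking to remove controller `user` would also select the rules of any sibling whose name merely starts with `user`, and a `%` or `_` inside the option value acts as a wildcard. If these rows feed the menu deletion, as the commit subject suggests, the match should be limited to the controller itself and its children, for example `->where('name', strtolower($controller))->whereOr('name', 'like', addcslashes(strtolower($controller), '%_\\') . '/%')`. That form assumes rule names use `/` between controller and action and that the database uses backslash as the LIKE escape, neither of which is visible in the hunk. The enclosing method starts and ends outside the hunk, so it is not visible whether a confirmation follows the `$output->warning($v->name)` listing.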
@@ -135,7 +135,7 @@ class Backend extends Controller } // 语言检测 - $lang = Lang::detect(); + $lang = strip_tags(Lang::detect()); $site = Config::get("site"); diff --git a/application/common/controller/Frontend.php b/application/common/controller/Frontend.php index 01ef1c65..13d44e9e 100644 --- a/application/common/controller/Frontend.php +++ b/application/common/controller/Frontend.php @@ -30,7 +30,7 @@ class Frontend extends Controller } // 语言检测 - $lang = Lang::detect(); + $lang = strip_tags(Lang::detect()); $site = Config::get("site"); diff --git a/application/route.php b/application/route.php index a3a190d3..8011fca3 100755 --- a/application/route.php +++ b/application/route.php @@ -11,7 +11,7 @@ // +---------------------------------------------------------------------- //如果有定义绑定后台模块则禁用路由规则 -if (defined('BIND_MODULE') && BIND_MODULE == 'admin') +if (\think\Route::getBind('module') == 'admin') return []; return [
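Review bot: `strip_tags(Lang::detect())` in Backend.php removes angle-bracket markup but leaves quotes, `&`, slashes and dots untouched, so it protects only a plain HTML-text sink. The uses of `$lang` are outside this hunk; if the value later reaches an HTML attribute, an inline script or a file path, it is still request-influenced. A language tag has a very small grammar, so validating it is stronger than stripping it: keep `$lang = Lang::detect();` and follow it with a check such as `if (!preg_match('/\A[a-z]{2,3}(?:-[a-z0-9]{2,8})*\z/i', $lang))`, which falls back to the application's default language on failure. Output should still be encoded for its context at the point where `$lang` is emitted. The identical change in the Frontend.php hunk needs the same treatment, ideally through one shared helper so the two controllers cannot drift apart.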
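Review bot: The new guard in route.php compares with loose `==`; `if (\think\Route::getBind('module') === 'admin')` states the intent exactly and avoids type juggling should the getter return a non-string. The check now depends on the module binding already being registered when route.php is evaluated, which this hunk cannot show. A miss would silently leave the route rules active for the admin module, so a short comment recording that ordering assumption above the `if` would help the next maintainer. Braces around the `return [];` would also make the early exit harder to break in a later edit.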