feat:1、增加登录注册跨站攻击防护

2、移除上传图片默认的域名

conf/enumerate.go

@@ -234,10 +234,8 @@ func URLForWithCdnImage(p string) string {
 	cdn := beego.AppConfig.DefaultString("cdnimg", "")
 	//如果没有设置cdn，则使用baseURL拼接
 	if cdn == "" {
-		baseUrl := beego.AppConfig.DefaultString("baseurl", "")
+		baseUrl := beego.AppConfig.DefaultString("baseurl", "/")
-		if baseUrl == "" {
+
-			baseUrl = BaseUrl
-		}
 		if strings.HasPrefix(p, "/") && strings.HasSuffix(baseUrl, "/") {
 			return baseUrl + p[1:]
 		}
@@ -267,10 +265,8 @@ func URLForWithCdnCss(p string, v ...string) string {
 	}
 	//如果没有设置cdn，则使用baseURL拼接
 	if cdn == "" {
-		baseUrl := beego.AppConfig.DefaultString("baseurl", "")
+		baseUrl := beego.AppConfig.DefaultString("baseurl", "/")
-		if baseUrl == "" {
+
-			baseUrl = BaseUrl
-		}
 		if strings.HasPrefix(p, "/") && strings.HasSuffix(baseUrl, "/") {
 			return baseUrl + p[1:]
 		}
@@ -302,10 +298,8 @@ func URLForWithCdnJs(p string, v ...string) string {
 
 	//如果没有设置cdn，则使用baseURL拼接
 	if cdn == "" {
-		baseUrl := beego.AppConfig.DefaultString("baseurl", "")
+		baseUrl := beego.AppConfig.DefaultString("baseurl", "/")
-		if baseUrl == "" {
+
-			baseUrl = BaseUrl
-		}
 		if strings.HasPrefix(p, "/") && strings.HasSuffix(baseUrl, "/") {
 			return baseUrl + p[1:]
 		}

controllers/AccountController.go

@@ -12,6 +12,7 @@ import (
 	"github.com/lifei6671/mindoc/conf"
 	"github.com/lifei6671/mindoc/models"
 	"github.com/lifei6671/mindoc/utils"
+	"html/template"
 )
 
 // AccountController 用户登录与注册
@@ -19,9 +20,39 @@ type AccountController struct {
 	BaseController
 }
 
+func (c *AccountController) Prepare() {
+	c.BaseController.Prepare()
+	c.EnableXSRF = true
+	c.Data["xsrfdata"]=template.HTML(c.XSRFFormHTML())
+	if c.Ctx.Input.IsPost() {
+		token := c.Ctx.Input.Query("_xsrf")
+		if token == "" {
+			token = c.Ctx.Request.Header.Get("X-Xsrftoken")
+		}
+		if token == "" {
+			token = c.Ctx.Request.Header.Get("X-Csrftoken")
+		}
+		if token == "" {
+			if c.IsAjax() {
+				c.JsonResult(403,"非法请求")
+			} else {
+				c.ShowErrorPage(403, "非法请求")
+			}
+		}
+		xsrfToken := c.XSRFToken()
+		if xsrfToken != token {
+			if c.IsAjax() {
+				c.JsonResult(403,"非法请求")
+			} else {
+				c.ShowErrorPage(403, "非法请求")
+			}
+		}
+	}
+}
 // Login 用户登录
 func (c *AccountController) Login() {
 	c.Prepare()
+
 	c.TplName = "account/login.tpl"
 
 	if member, ok := c.GetSession(conf.LoginSessionName).(models.Member); ok && member.MemberId > 0 {

views/account/find_password_setp1.tpl

@@ -34,6 +34,7 @@
     <div class="row login">
         <div class="login-body">
             <form role="form" method="post" id="findPasswordForm">
+            {{ .xsrfdata }}
                 <h3 class="text-center">找回密码</h3>
                 <div class="form-group">
                     <div class="input-group">

views/account/find_password_setp2.tpl

@@ -34,6 +34,7 @@
     <div class="row login">
         <div class="login-body">
             <form role="form" method="post" id="findPasswordForm" action="{{urlfor "AccountController.ValidEmail"}}">
+            {{ .xsrfdata }}
                 <input type="hidden" name="token" value="{{.Token}}">
                 <input type="hidden" name="mail" value="{{.Email}}">
                 <h3 class="text-center">找回密码</h3>

views/account/login.tpl

@@ -29,6 +29,7 @@
     <div class="row login">
         <div class="login-body">
             <form role="form" method="post">
+            {{ .xsrfdata }}
                 <h3 class="text-center">用户登录</h3>
                 <div class="form-group">
                     <div class="input-group">

views/account/register.tpl

@@ -34,6 +34,7 @@
     <div class="row login">
         <div class="login-body">
             <form role="form" method="post" id="registerForm">
+            {{ .xsrfdata }}
                 <h3 class="text-center">用户注册</h3>
                 <div class="form-group">
                     <div class="input-group">