fix: 违禁词检测增加对昵称检测 (#354)

imaegoo · web-flow · commit 4a145a533670 · 2022-04-28T20:48:17.000+08:00
* fix: 违禁词检测增加对昵称检测
* fix: 优化安全域名判断
* fix: bump version
diff --git a/docs/.vuepress/theme/layouts/Layout.vue b/docs/.vuepress/theme/layouts/Layout.vue
@@ -13,7 +13,7 @@
 
         <!-- Twikoo -->
         <div id="twikoo"></div>
-        <script src="https://cdn.jsdelivr.net/npm/twikoo@1.5.4/dist/twikoo.all.min.js" ref="twikooJs"></script>
+        <script src="https://cdn.jsdelivr.net/npm/twikoo@1.5.5/dist/twikoo.all.min.js" ref="twikooJs"></script>
       </div>
     </template>
   </ParentLayout>
diff --git a/docs/quick-start.md b/docs/quick-start.md
@@ -44,7 +44,7 @@ exports.main = require('twikoo-func').main
 8. 创建完成后，点击“twikoo"进入云函数详情页，进入“函数代码”标签，点击“文件 - 新建文件”，输入 `package.json`，回车
 9. 复制以下代码、粘贴到代码框中，点击“保存并安装依赖”
 ``` json
-{ "dependencies": { "twikoo-func": "1.5.4" } }
+{ "dependencies": { "twikoo-func": "1.5.5" } }
 ```
 
 ### 命令行部署
@@ -175,7 +175,7 @@ twikoo:
 
 ``` html
 <div id="tcomment"></div>
-<script src="https://cdn.jsdelivr.net/npm/twikoo@1.5.4/dist/twikoo.all.min.js"></script>
+<script src="https://cdn.jsdelivr.net/npm/twikoo@1.5.5/dist/twikoo.all.min.js"></script>
 <script>
 twikoo.init({
   envId: '您的环境id', // 腾讯云环境填 envId；Vercel 环境填地址（https://xxx.vercel.app）
@@ -193,7 +193,7 @@ twikoo.init({
 
 请参考爆米兔前端静态资源库 [https://cdn.baomitu.com/twikoo](https://cdn.baomitu.com/twikoo)
 
-引入的 CDN 链接替换为如下即可：`https://lib.baomitu.com/twikoo/1.5.4/twikoo.all.min.js`
+引入的 CDN 链接替换为如下即可：`https://lib.baomitu.com/twikoo/1.5.5/twikoo.all.min.js`
 
 ## 开启管理面板
 
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "twikoo",
-  "version": "1.5.4",
+  "version": "1.5.5",
   "description": "A simple comment system based on Tencent CloudBase (tcb).",
   "keywords": ["twikoojs", "comment", "comment-system", "cloudbase", "vercel"],
   "author": "imaegoo <hello@imaegoo.com> (https://github.com/imaegoo)",
diff --git a/src/function/twikoo/index.js b/src/function/twikoo/index.js
@@ -1123,7 +1123,7 @@ async function parse (comment) {
     comment: DOMPurify.sanitize(comment.comment, { FORBID_TAGS: ['style'], FORBID_ATTR: ['style'] }),
     pid: comment.pid ? comment.pid : comment.rid,
     rid: comment.rid,
-    isSpam: isAdminUser ? false : preCheckSpam(comment.comment),
+    isSpam: isAdminUser ? false : preCheckSpam(comment),
     created: timestamp,
     updated: timestamp
   }
@@ -1171,7 +1171,7 @@ async function limitFilter () {
 }
 
 // 预垃圾评论检测
-function preCheckSpam (comment) {
+function preCheckSpam ({ comment, nick }) {
   // 长度限制
   let limitLength = parseInt(config.LIMIT_LENGTH)
   if (Number.isNaN(limitLength)) limitLength = 500
@@ -1185,7 +1185,7 @@ function preCheckSpam (comment) {
   } else if (config.FORBIDDEN_WORDS) {
     // 违禁词检测
     for (const forbiddenWord of config.FORBIDDEN_WORDS.split(',')) {
-      if (comment.indexOf(forbiddenWord.trim()) !== -1) {
+      if (comment.indexOf(forbiddenWord.trim()) !== -1 || nick.indexOf(forbiddenWord.trim()) !== -1) {
         console.log('包含违禁词，直接标记为垃圾评论~')
         return true
       }
diff --git a/src/function/twikoo/package.json b/src/function/twikoo/package.json
@@ -1,6 +1,6 @@
 {
   "name": "twikoo-func",
-  "version": "1.5.4",
+  "version": "1.5.5",
   "description": "A simple comment system based on Tencent CloudBase (tcb).",
   "author": "imaegoo <hello@imaegoo.com> (https://github.com/imaegoo)",
   "license": "MIT",
diff --git a/src/js/utils/i18n/i18n.js b/src/js/utils/i18n/i18n.js
@@ -88,6 +88,17 @@ const imageBedServices = [
   'smms'
 ].map(s => `"${s}"`)
 
+const defaultGravatar = [
+  '404',
+  'mp',
+  'identicon',
+  'monsterid',
+  'wavatar',
+  'retro',
+  'robohash',
+  'blank'
+].map(s => `"${s}"`)
+
 /**
  * 把所有语言翻译放在同一对象下可以减小打包 js 的体积 (~17kb)
  *
@@ -298,16 +309,16 @@ export default {
     'Comment placeholder. Use <br> to start a newline. Default: empty.'
   ],
   [S.ACI + '_CORS_ALLOW_ORIGIN']: [
-    'Vercel 安全域名，防止环境被盗用，请注意设置后将无法在本地（localhost）加载评论，默认为空',
-    'Vercel 安全域名，防止環境被盜用，請注意設置後將無法在本地（localhost）加載評論，默認為空',
-    'Vercel 安全域名，防止環境被盜用，請注意設置後將無法在本地（localhost）加載評論，默認為空',
-    'Vercel security domain name to prevent the environment from being stolen, please note that after setting, you will not be able to load comments locally (localhost), the default is empty'
+    'Vercel CORS 安全域名，注意：错误设置会导致无法加载，默认为空，格式为 https://blog.example.com',
+    'Vercel CORS 安全域名，注意：错误设置会导致无法加載，默認為空，格式为 https://blog.example.com',
+    'Vercel CORS 安全域名，注意：错误设置会导致无法加載，默認為空，格式为 https://blog.example.com',
+    'Vercel CORS allow origin, note: incorrect settings can cause loading failure. Default: blank, format: https://blog.example.com'
   ],
   [S.ACI + '_DEFAULT_GRAVATAR']: [
-    '默认的头像显示。默认值为 "identicon"，可选： 404、mp、identicon、monsterid、wavatar、retro、robohash、blank',
-    '預設的頭像顯示。預設值為 "identicon"，可選： 404、mp、identicon、monsterid、wavatar、retro、robohash、blank',
-    '預設的頭像顯示。預設值為 "identicon"，可選： 404、mp、identicon、monsterid、wavatar、retro、robohash、blank',
-    'Avatar placeholder. Default:  "identicon". Choose from: 404, mp, identicon, monsterid, wavatar, retro, robohash, blank.'
+    `默认的头像显示。默认值为 "identicon"，可选：${defaultGravatar.join('、')}`,
+    `預設的頭像顯示。預設值為 "identicon"，可選：${defaultGravatar.join('、')}`,
+    `預設的頭像顯示。預設值為 "identicon"，可選：${defaultGravatar.join('、')}`,
+    `Avatar placeholder. Default:  "identicon". Choose from: ${defaultGravatar.join(', ')}`
   ],
   [S.ACI + '_EMOTION_CDN']: [
     '表情 CDN，默认为：https://cdn.jsdelivr.net/gh/imaegoo/emotion/owo.json',
diff --git a/src/vercel-min/package.json b/src/vercel-min/package.json
@@ -1 +1 @@
-{ "dependencies": { "twikoo-vercel": "1.5.4" } }
+{ "dependencies": { "twikoo-vercel": "1.5.5" } }
diff --git a/src/vercel/api/index.js b/src/vercel/api/index.js
@@ -163,7 +163,7 @@ module.exports = async (requestArg, responseArg) => {
 function allowCors () {
   if (request.headers.origin) {
     response.setHeader('Access-Control-Allow-Credentials', true)
-    response.setHeader('Access-Control-Allow-Origin', config.CORS_ALLOW_ORIGIN || request.headers.origin)
+    response.setHeader('Access-Control-Allow-Origin', getAllowedOrigin())
     response.setHeader('Access-Control-Allow-Methods', 'POST')
     response.setHeader(
       'Access-Control-Allow-Headers',
@@ -172,6 +172,18 @@ function allowCors () {
   }
 }
 
+function getAllowedOrigin () {
+  const localhostRegex = /^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0)(:\d{1,5})?$/
+  if (localhostRegex.test(request.headers.origin)) {
+    return request.headers.origin
+  } else if (config.CORS_ALLOW_ORIGIN) {
+    // 许多用户设置安全域名时，喜欢带结尾的 "/"，必须处理掉
+    return config.CORS_ALLOW_ORIGIN.replace(/\/$/, '')
+  } else {
+    return request.headers.origin
+  }
+}
+
 function anonymousSignIn () {
   if (request.body) {
     if (request.body.accessToken) {
@@ -1133,7 +1145,7 @@ async function parse (comment) {
     comment: DOMPurify.sanitize(comment.comment, { FORBID_TAGS: ['style'], FORBID_ATTR: ['style'] }),
     pid: comment.pid ? comment.pid : comment.rid,
     rid: comment.rid,
-    isSpam: isAdminUser ? false : preCheckSpam(comment.comment),
+    isSpam: isAdminUser ? false : preCheckSpam(comment),
     created: timestamp,
     updated: timestamp
   }
@@ -1177,7 +1189,7 @@ async function limitFilter () {
 }
 
 // 预垃圾评论检测
-function preCheckSpam (comment) {
+function preCheckSpam ({ comment, nick }) {
   // 长度限制
   let limitLength = parseInt(config.LIMIT_LENGTH)
   if (Number.isNaN(limitLength)) limitLength = 500
@@ -1191,7 +1203,7 @@ function preCheckSpam (comment) {
   } else if (config.FORBIDDEN_WORDS) {
     // 违禁词检测
     for (const forbiddenWord of config.FORBIDDEN_WORDS.split(',')) {
-      if (comment.indexOf(forbiddenWord.trim()) !== -1) {
+      if (comment.indexOf(forbiddenWord.trim()) !== -1 || nick.indexOf(forbiddenWord.trim()) !== -1) {
         console.log('包含违禁词，直接标记为垃圾评论~')
         return true
       }
diff --git a/src/vercel/package.json b/src/vercel/package.json
@@ -1,6 +1,6 @@
 {
   "name": "twikoo-vercel",
-  "version": "1.5.4",
+  "version": "1.5.5",
   "description": "A simple comment system based on Tencent CloudBase (tcb).",
   "author": "imaegoo <hello@imaegoo.com> (https://github.com/imaegoo)",
   "license": "MIT",
diff --git a/src/version.js b/src/version.js
@@ -1,3 +1,3 @@
-const version = '1.5.4'
+const version = '1.5.5'
 
 export { version }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "twikoo",`
`3`		`- "version": "1.5.4",`
	`3`	`+ "version": "1.5.5",`
`4`	`4`	`"description": "A simple comment system based on Tencent CloudBase (tcb).",`
`5`	`5`	`"keywords": ["twikoojs", "comment", "comment-system", "cloudbase", "vercel"],`
`6`	`6`	`"author": "imaegoo <hello@imaegoo.com> (https://github.com/imaegoo)",`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "twikoo-func",`
`3`		`- "version": "1.5.4",`
	`3`	`+ "version": "1.5.5",`
`4`	`4`	`"description": "A simple comment system based on Tencent CloudBase (tcb).",`
`5`	`5`	`"author": "imaegoo <hello@imaegoo.com> (https://github.com/imaegoo)",`
`6`	`6`	`"license": "MIT",`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{ "dependencies": { "twikoo-vercel": "1.5.4" } }`
	`1`	`+{ "dependencies": { "twikoo-vercel": "1.5.5" } }`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "twikoo-vercel",`
`3`		`- "version": "1.5.4",`
	`3`	`+ "version": "1.5.5",`
`4`	`4`	`"description": "A simple comment system based on Tencent CloudBase (tcb).",`
`5`	`5`	`"author": "imaegoo <hello@imaegoo.com> (https://github.com/imaegoo)",`
`6`	`6`	`"license": "MIT",`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`		`-const version = '1.5.4'`
	`1`	`+const version = '1.5.5'`
`2`	`2`
`3`	`3`	`export { version }`