某X CMS任意文件上传、删除、XSS漏洞挖掘

<?php if ($_GET['art']): ?><dd><span class="state">内容生成完毕 !共 <?php echo $_GET['art']; ?> 条。</span></dd>

public function update(){    if(isset($_POST['send'])){      $this->_model->id=$_POST['id'];      $this->getPost();      if($this->_model->update_link()){        tool::layer_alert('链接修改成功!','?a=link',6);      }else{        tool::layer_alert('链接修改失败!','?a=link',5);      }    }    if(isset($_GET['id'])){      $this->_model->id=$_GET['id'];      $_link=$this->_model->get_linkOne();      if($_link){        $this->_tpl->assign('id',StripSlashes($_link[0]->id));        $this->_tpl->assign('linkname',StripSlashes($_link[0]->linkname));        $this->_tpl->assign('linkurl',StripSlashes($_link[0]->linkurl));        $this->_tpl->assign('prev_url',tool::getPrevPage());      }    }    $this->_tpl->display('admin/link/update.tpl');  }

//表单提交字符转义  static public function setFormString($_string) {    if (!get_magic_quotes_gpc()) {      if (Validate::isArray($_string)) {        foreach ($_string as $_key=>$_value) {          $_string[$_key] = self::setFormString($_value);  //不支持就用代替addslashes();        }      } else {        return addslashes($_string); //mysql_real_escape_string($_string, $_link);      }    }    return $_string;  }
  //转义过滤  static public function setRequest() {    if (isset($_GET)) $_GET = Tool::setFormString($_GET);    if (isset($_POST)) $_POST = Tool::setFormString($_POST);  }  //反转义  static public function getFormString($_object,$_field){    if ($_object) {      foreach ($_object as $_value) {        $_value->$_field = StripSlashes($_value->$_field);      }    }  }

class LogoUpload {  private $error;      //错误代码  private $maxsize;    //表单最大值  private $type;        //类型  private $typeArr = array('image/png','image/x-png');    //类型合集  private $path;        //目录路径  private $name;      //文件名  private $tmp;        //临时文件  private $linkpath;    //链接路径    //构造方法，初始化  public function __construct($_file,$_maxsize) {    $this->error = $_FILES[$_file]['error'];    $this->maxsize = $_maxsize / 1024;    $this->type = $_FILES[$_file]['type'];    $this->path = ROOT_PATH.'/'.UPLOGO;    $this->name = $_FILES[$_file]['name'];    $this->tmp = $_FILES[$_file]['tmp_name'];    $this->checkError();    $this->checkType();    $this->checkPath();    $this->moveUpload();  }          private function checkType() {    if (!in_array($this->type,$this->typeArr)) {      Tool::alertBack('警告：LOGO图片必须是PNG格式！');    }  }

public function delall(){    if(isset($_POST['send'])){      if(validate::isNullString($_POST['pid'])) tool::layer_alert('没有选择任何图片!','?a=pic',7);      $_fileDir=ROOT_PATH.'/uploads/';      foreach($_POST['pid'] as $_value){        $_filePath=$_fileDir.$_value;        if(!unlink($_filePath)){          tool::layer_alert('图片删除失败,请设权限为777!','?a=pic',7);        }else{          header('Location:?a=pic');        }      }