fix(漏洞): XSS：多处 v-html 渲染用户可控内容

2026-06-17 21:08:31 +08:00 · 2026-05-12 11:29:13 +08:00
parent 7ac9b5d516
commit 07209cbe45
1 changed files with 4 additions and 1 deletions
--- a/core/core-frontend/src/utils/utils.ts
+++ b/core/core-frontend/src/utils/utils.ts
@@ -76,7 +76,10 @@ export const setColorName = (obj, keyword: string, key?: string, colorKey?: stri
      keyword +
      '</span>' +
      name.substring(index + keyword.length, name.length)
-    obj[colorKey] = textCode
+    obj[colorKey] = DOMPurify.sanitize(textCode, {
+      ALLOWED_TAGS: ['span'],
+      ALLOWED_ATTR: ['class']
+    })
    return
  }
  obj[colorKey] = null