From 0de0ea71804205f3a022f6c6b3a4a4206c5fe4e6 Mon Sep 17 00:00:00 2001
From: dataeaseShu
Date: Tue, 12 May 2026 11:29:13 +0800
Subject: [PATCH] =?UTF-8?q?fix(=E6=BC=8F=E6=B4=9E):=20XSS=EF=BC=9A?= =?UTF-8?q?=E5=A4=9A=E5=A4=84=20`v-html`=20=E6=B8=B2=E6=9F=93=E7=94=A8?= =?UTF-8?q?=E6=88=B7=E5=8F=AF=E6=8E=A7=E5=86=85=E5=AE=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 core/core-frontend/src/utils/utils.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/core/core-frontend/src/utils/utils.ts b/core/core-frontend/src/utils/utils.ts
index 40b492223e..6bc3821594 100644
--- a/core/core-frontend/src/utils/utils.ts
+++ b/core/core-frontend/src/utils/utils.ts
@@ -77,7 +77,10 @@ export const setColorName = (obj, keyword: string, key?: string, colorKey?: stri
 keyword +
 '' +
 name.substring(index + keyword.length, name.length)
- obj[colorKey] = textCode
+ obj[colorKey] = DOMPurify.sanitize(textCode, {
+ ALLOWED_TAGS: ['span'],
+ ALLOWED_ATTR: ['class']
+ })
 return
 }
 obj[colorKey] = null
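Review bot: Sanitizing `textCode` only after the pieces are concatenated means `name` and `keyword` are still parsed as markup, so a name containing `<` or a literal tag may be altered for display, and a user-supplied `<span class="...">` passes the `ALLOWED_TAGS`/`ALLOWED_ATTR` allow-list and can apply any existing CSS class to the label. HTML-escaping the three text pieces before wrapping the match in the highlight span, while keeping the `DOMPurify.sanitize` call as a second layer, would render the name verbatim and narrow what user input can contribute to the markup. The `textCode` expression starts above this hunk, so that change lies partly outside the visible lines. The diffstat shows no other change to `utils.ts`, so unless the file already imports it, `import DOMPurify from 'dompurify'` is missing and should be confirmed at the top of the file.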