fix(漏洞): XSS：多处 v-html 渲染用户可控内容

2026-05-14 04:12:11 +08:00 · 2026-05-12 11:02:14 +08:00
parent bd404af7a6
commit 84f3794205
2 changed files with 6 additions and 0 deletions
--- a/core/core-frontend/package.json
+++ b/core/core-frontend/package.json
@@ -32,6 +32,7 @@
    "dayjs": "^1.11.9",
    "decimal.js": "^10.5.0",
    "dingtalk-jsapi": "^3.1.0",
+    "dompurify": "^3.4.2",
    "echarts": "^5.5.1",
    "element-plus-secondary": "^1.0.0",
    "element-resize-detector": "^1.2.4",
--- a/core/core-frontend/src/utils/utils.ts
+++ b/core/core-frontend/src/utils/utils.ts
@@ -3,6 +3,7 @@ import { useCache } from '@/hooks/web/useCache'
 import { loadScript } from '@/utils/RemoteJs'
 import { ElMessage } from 'element-plus-secondary'
 import * as dd from 'dingtalk-jsapi'
+import DOMPurify from 'dompurify'

 const { wsCache } = useCache()
 export function deepCopy(target) {
@@ -56,6 +57,10 @@ export function checkAddHttp(url) {
  }
 }

+export const sanitizeHtml = (html: string): string => {
+  return DOMPurify.sanitize(html)
+}
+
 export const setColorName = (obj, keyword: string, key?: string, colorKey?: string) => {
  key = key || 'name'
  colorKey = colorKey || 'colorName'