From adab5f1e8954ff91830a3b2f052a42a139d978e1 Mon Sep 17 00:00:00 2001
From: wangjiahao <1522128093@qq.com>
Date: Thu, 11 Jun 2026 11:27:48 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dv-html=20=E5=BC=95?= =?UTF-8?q?=E8=B5=B7=E7=9A=84xss=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../src/custom-component/scroll-text/Component.vue | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/core/core-frontend/src/custom-component/scroll-text/Component.vue b/core/core-frontend/src/custom-component/scroll-text/Component.vue
index 430e49c1a5..95c31e4eee 100644
--- a/core/core-frontend/src/custom-component/scroll-text/Component.vue
+++ b/core/core-frontend/src/custom-component/scroll-text/Component.vue
@@ -5,6 +5,7 @@ import { computed, nextTick, onBeforeUnmount, onMounted, ref } from 'vue'
 import { toRefs } from 'vue'
 import { dvMainStoreWithOut } from '@/store/modules/data-visualization/dvMain'
 import { storeToRefs } from 'pinia'
+import { sanitizeHtml } from '@/utils/utils'
 const canEdit = ref(false)
 const ctrlKey = ref(17)
@@ -160,6 +161,8 @@ const init = () => {
 }
 }, 1000)
 }
+const sanitizedPropValue = computed(() => sanitizeHtml(element.value['propValue'] || ''))
+
 onMounted(() => {
 init()
 })
@@ -184,11 +187,11 @@ onMounted(() => {
 @mousedown="handleMousedown"
 @blur="handleBlur"
 @input="handleInput"
- v-html="element['propValue']"
+ v-html="sanitizedPropValue"
 >
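Review bot: The new `sanitizedPropValue` computed in the second hunk cleans `propValue` only at render time in this component, so the value held in `element.propValue` (and whatever `handleInput`/`handleBlur` write back, which are outside this hunk) stays raw, and any other view or export that binds the same field is presumably still exposed. Consider sanitising on the write path as well, or at least document the contract next to the computed, e.g. `// propValue is user-editable HTML: bind v-html only to this sanitized computed, never to element.propValue directly`. `sanitizeHtml` comes from `@/utils/utils` and is not shown here, so it is worth confirming that it is an allow-list sanitizer rather than a deny-list of tags, since the whole fix rests on it. Because the bound element is editable and has an `@input` handler, also check that re-rendering the sanitized markup after each edit does not reset the caret or silently rewrite what the user typed.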
-
+