From ee6697a5b9c4acea1ff89f99664d531971482a8c Mon Sep 17 00:00:00 2001
From: wangjiahao <1522128093@qq.com>
Date: Tue, 21 Feb 2023 13:57:53 +0800
Subject: [PATCH] =?UTF-8?q?refactor:=20=E4=BB=AA=E8=A1=A8=E6=9D=BF?=
=?UTF-8?q?=E9=98=B2=E8=8C=83XSS=E6=94=BB=E5=87=BB=20#4585?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
frontend/package.json | 3 ++-
.../src/components/canvas/customComponent/DeRichText.vue | 3 ++-
.../components/canvas/customComponent/DeRichTextView.vue | 3 ++-
frontend/src/components/canvas/customComponent/VText.vue | 8 ++++----
frontend/src/main.js | 6 ++++++
5 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/frontend/package.json b/frontend/package.json
index 3816f0a7ab..1a2b29da57 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -88,7 +88,8 @@
"vuedraggable": "^2.24.3",
"vuex": "3.1.0",
"webpack": "^4.46.0",
- "xlsx": "^0.17.0"
+ "xlsx": "^0.17.0",
+ "xss": "^1.0.14"
},
"devDependencies": {
"@babel/core": "^7.4.0-0",
diff --git a/frontend/src/components/canvas/customComponent/DeRichText.vue b/frontend/src/components/canvas/customComponent/DeRichText.vue
index 4e5a76ab38..195a4bc263 100644
--- a/frontend/src/components/canvas/customComponent/DeRichText.vue
+++ b/frontend/src/components/canvas/customComponent/DeRichText.vue
@@ -37,6 +37,7 @@ import 'tinymce/plugins/nonbreaking'
import 'tinymce/plugins/pagebreak'
import { mapState } from 'vuex'
import Vue from 'vue'
+import xssCheck from 'xss'
export default {
name: 'DeRichText',
@@ -77,7 +78,7 @@ export default {
canEdit: false,
// 初始化配置
tinymceId: 'tinymce-' + this.element.id,
- myValue: this.propValue,
+ myValue: xssCheck(this.propValue),
init: {
selector: '#tinymce-' + this.element.id,
toolbar_items_size: 'small',
diff --git a/frontend/src/components/canvas/customComponent/DeRichTextView.vue b/frontend/src/components/canvas/customComponent/DeRichTextView.vue
index 7b5f717876..fe66736ee2 100644
--- a/frontend/src/components/canvas/customComponent/DeRichTextView.vue
+++ b/frontend/src/components/canvas/customComponent/DeRichTextView.vue
@@ -38,6 +38,7 @@ import 'tinymce/plugins/pagebreak'
import { mapState } from 'vuex'
import bus from '@/utils/bus'
import { uuid } from 'vue-uuid'
+import xssCheck from 'xss'
export default {
name: 'DeRichTextView',
@@ -152,7 +153,7 @@ export default {
viewInit() {
bus.$on('fieldSelect-' + this.element.propValue.viewId, this.fieldSelect)
tinymce.init({})
- this.myValue = this.assignment(this.element.propValue.textValue)
+ this.myValue = xssCheck(this.assignment(this.element.propValue.textValue))
bus.$on('initCurFields-' + this.element.id, this.initCurFieldsChange)
this.$nextTick(() => {
this.initReady = true
diff --git a/frontend/src/components/canvas/customComponent/VText.vue b/frontend/src/components/canvas/customComponent/VText.vue
index f23c2ca559..8dbd863c42 100644
--- a/frontend/src/components/canvas/customComponent/VText.vue
+++ b/frontend/src/components/canvas/customComponent/VText.vue
@@ -18,7 +18,7 @@
@mousedown="handleMousedown"
@blur="handleBlur"
@input="handleInput"
- v-html="element.propValue"
+ v-html="$xss(element.propValue)"
/>
@@ -80,7 +80,7 @@ export default {
},
textInfo() {
if (this.element && this.element.hyperlinks && this.element.hyperlinks.enable) {
- return "" + this.element.propValue + ''
+ return '' + this.element.propValue + ''
} else {
return this.element.propValue
}
diff --git a/frontend/src/main.js b/frontend/src/main.js
index 459f66280a..673cf928ec 100644
--- a/frontend/src/main.js
+++ b/frontend/src/main.js
@@ -43,6 +43,12 @@ import 'video.js/dist/video-js.css'
// 控制标签宽高成比例的指令
import proportion from 'vue-proportion-directive'
+import xss from 'xss'
+// 定义全局XSS解决方法
+Object.defineProperty(Vue.prototype, '$xss', {
+ value: xss
+})
+
Vue.config.productionTip = false
Vue.use(VueClipboard)
Vue.use(widgets)