Merge pull request #5661 from dataease/pr@dev@fixdatasource

fix: 修复存储型XSS漏洞
2023-07-14 00:11:15 +08:00 · 2023-07-14 00:11:15 +08:00 · ffa336f3aa
commit ffa336f3aa
parent 2aac3cf4f1 56c1c7f559
10 changed files with 10 additions and 10 deletions
--- a/frontend/src/views/chart/view/TitleRemark.vue
+++ b/frontend/src/views/chart/view/TitleRemark.vue
@ -10,7 +10,7 @@
      <div
        class="remark-style"
        :style="{backgroundColor:remarkCfg.bgFill}"
-        v-html="remarkCfg.content"
+        v-html="$xss(remarkCfg.content)"
      />
      <i
        slot="reference"
--- a/frontend/src/views/dataset/data/components/LazyTree.vue
+++ b/frontend/src/views/dataset/data/components/LazyTree.vue
@ -34,7 +34,7 @@
          <span>
            <span
              style="margin-left: 6px"
-              v-html="data.name"
+              v-html="$xss(data.name)"
            />
          </span>
          <span
--- a/frontend/src/views/dataset/group/GroupMoveSelector.vue
+++ b/frontend/src/views/dataset/group/GroupMoveSelector.vue
@ -34,7 +34,7 @@
                text-overflow: ellipsis;
              "
              :title="data.name"
-              v-html="highlights(data.name)"
+              v-html="$xss(highlights(data.name))"
            />
          </span>
        </span>
--- a/frontend/src/views/login/index.vue
+++ b/frontend/src/views/login/index.vue
@ -202,7 +202,7 @@
    <div
      v-if="showFoot"
      class="dynamic-login-foot"
-      v-html="footContent"
+      v-html="$xss(footContent)"
    />
  </div>
 </template>
--- a/frontend/src/views/panel/export/PDFPreExport.vue
+++ b/frontend/src/views/panel/export/PDFPreExport.vue
@ -15,7 +15,7 @@
        <div
          class="export_body_inner_class"
          :style="templateHtmlStyle"
-          v-html="templateContentChange"
+          v-html="$xss(templateContentChange)"
        />
      </div>
    </el-row>
--- a/frontend/src/views/system/user/index.vue
+++ b/frontend/src/views/system/user/index.vue
@ -202,7 +202,7 @@
              <!-- // {{}}会将数据解释为普通文本，而非 HTML 代码。 -->
              <div
                slot="content"
-                v-html="filterRoles(scope.row.roles)"
+                v-html="$xss(filterRoles(scope.row.roles))"
              />
              <div class="de-one-line">{{ filterRoles(scope.row.roles) }}</div>
            </el-tooltip>
--- a/frontend/src/views/wizard/WizardCard.vue
+++ b/frontend/src/views/wizard/WizardCard.vue
@ -9,7 +9,7 @@
        {{ details.head }}
      </el-row>
      <el-row class="card_content">
-        <span v-html="details.content" />
+        <span v-html="$xss(details.content)" />
      </el-row>
      <el-row class="card_bottom">
        {{ $t('wizard.click_show') }}
--- a/frontend/src/views/wizard/WizardCardEnterprise.vue
+++ b/frontend/src/views/wizard/WizardCardEnterprise.vue
@ -9,7 +9,7 @@
        {{ details.head }}
      </el-row>
      <el-row class="card_content">
-        <span v-html="details.content" />
+        <span v-html="$xss(details.content)" />
      </el-row>
      <el-row class="card_bottom">
        {{ $t('wizard.apply') }}
--- a/frontend/src/views/wizard/details/CardDetail.vue
+++ b/frontend/src/views/wizard/details/CardDetail.vue
@ -18,7 +18,7 @@
        <span>{{ details.head }}</span>
      </el-row>
      <el-row class="content">
-        <span v-html="details.content" />
+        <span v-html="$xss(details.content)" />
      </el-row>
      <el-row class="bottom">
        <span class="span-box">{{ details.bottom }}</span>
--- a/frontend/src/views/wizard/details/LatestDevelopments.vue
+++ b/frontend/src/views/wizard/details/LatestDevelopments.vue
@ -18,7 +18,7 @@
        <span>{{ details.head }}</span>
      </el-row>
      <el-row class="content">
-        <span v-html="details.content" />
+        <span v-html="$xss(details.content)" />
      </el-row>
      <el-row class="bottom">
        <span class="span-box">{{ details.bottom }}</span>