
Commit 409f222

fix: update MdEditor component to prevent potential XSS attacks
1 parent e3dea80 commit 409f222


4 files changed

+30
-16
lines changed


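--- a/frontend/package.json
+++ b/frontend/package.json
@@ -36,6 +36,7 @@
 "axios": "^1.7.2",
 "codemirror": "^6.0.2",
 "crypto-js": "^4.2.0",
+"dompurify": "^3.3.1",
 "echarts": "^5.5.0",
 "element-plus": "2.11.9",
 "fit2cloud-ui-plus": "^1.2.3",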
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
<template>
2+
<MdEditor previewOnly v-model="sanitizedReadMe" :theme="isDarkTheme ? 'dark' : 'light'" />
3+
</template>
4+
5+
<script lang="ts" setup>
6+
import MdEditor from 'md-editor-v3';
7+
import 'md-editor-v3/lib/style.css';
8+
import DOMPurify from 'dompurify';
9+
10+
import { useGlobalStore } from '@/composables/useGlobalStore';
11+
const { isDarkTheme } = useGlobalStore();
12+
13+
const props = defineProps({
14+
content: {
15+
type: String,
16+
default: '',
17+
},
18+
});
19+
20+
const sanitizedReadMe = computed(() => {
21+
return DOMPurify.sanitize(props.content);
22+
});
23+
</script>
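Review bot: `DOMPurify.sanitize(props.content)` on line 21 runs on the markdown source rather than on the HTML the renderer produces, which is the wrong layer for this fix: DOMPurify parses the string as HTML and re-serializes it, so `<`, `>` and `&` in ordinary markdown (code fences, comparisons, inline tags in documentation) can come back entity-encoded or stripped, while anything the markdown renderer itself turns into markup is never sanitized. md-editor-v3 exposes a `sanitize` prop that receives the rendered HTML, so the content can be passed through unchanged and cleaned there: `<MdEditor previewOnly :modelValue="props.content" :sanitize="(html) => DOMPurify.sanitize(html)" :theme="isDarkTheme ? 'dark' : 'light'" />`. Separately, `computed` is used on line 20 but is not among the visible imports, so unless the project auto-imports Vue APIs this needs `import { computed } from 'vue';`. Binding `v-model` to a read-only computed would also fail if the editor ever emitted `update:modelValue`; `:modelValue` avoids that and documents the one-way intent.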

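--- a/frontend/src/components/system-upgrade/releases/index.vue
+++ b/frontend/src/components/system-upgrade/releases/index.vue
@@ -32,7 +32,7 @@
 <span class="icon-span">{{ item.fixCount }}</span>
 </template>
 <div class="panel-MdEditor">
-<MdEditor v-model="item.content" previewOnly :theme="isDarkTheme ? 'dark' : 'light'" />
+<MarkDownEditor :content="item.content" />
 </div>
 </el-collapse-item>
 </div>
@@ -57,12 +57,11 @@
 </template>
 
 <script setup lang="ts">
+import MarkDownEditor from '@/components/mkdown-editor/index.vue';
+
 import { getSettingInfo, listReleases, updateSetting } from '@/api/modules/setting';
-import MdEditor from 'md-editor-v3';
-import 'md-editor-v3/lib/style.css';
 import { ref } from 'vue';
 import { GlobalStore } from '@/store';
-import { storeToRefs } from 'pinia';
 import { FormInstance } from 'element-plus';
 import { MsgSuccess } from '@/utils/message';
 import i18n from '@/lang';
@@ -73,8 +72,6 @@ const mobile = computed(() => {
 return globalStore.isMobile();
 });
 
-const { isDarkTheme } = storeToRefs(globalStore);
-
 const drawerVisible = ref(false);
 const currentVersion = ref(0);
 const notes = ref([]);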
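Review bot: The `storeToRefs` import and the `isDarkTheme` ref are dropped in the second and third hunks, which is only safe if neither is referenced anywhere else in the file; both the template and the `<script setup>` block continue outside these hunks, so that has to be confirmed by a search rather than from the diff. The identical removal in frontend/src/components/system-upgrade/upgrade/index.vue needs the same check. Theme selection now happens inside `MarkDownEditor` through `useGlobalStore`, so the call sites themselves no longer need the ref.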

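--- a/frontend/src/components/system-upgrade/upgrade/index.vue
+++ b/frontend/src/components/system-upgrade/upgrade/index.vue
@@ -15,12 +15,7 @@
 {{ upgradeInfo.testVersion }}
 </el-radio>
 </el-radio-group>
-<MdEditor
-v-loading="loading"
-v-model="upgradeInfo.releaseNote"
-previewOnly
-:theme="isDarkTheme ? 'dark' : 'light'"
-/>
+<MarkDownEditor v-loading="loading" :content="upgradeInfo.releaseNote" />
 </div>
 <template #footer>
 <span class="dialog-footer">
@@ -32,18 +27,16 @@
 </template>
 
 <script setup lang="ts">
+import MarkDownEditor from '@/components/mkdown-editor/index.vue';
+
 import { loadReleaseNotes, upgrade } from '@/api/modules/setting';
-import MdEditor from 'md-editor-v3';
 import i18n from '@/lang';
-import 'md-editor-v3/lib/style.css';
 import { MsgSuccess } from '@/utils/message';
 import { ref } from 'vue';
 import { GlobalStore } from '@/store';
 import { ElMessageBox } from 'element-plus';
-import { storeToRefs } from 'pinia';
 
 const globalStore = GlobalStore();
-const { isDarkTheme } = storeToRefs(globalStore);
 
 const drawerVisible = ref(false);
 const upgradeInfo = ref();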
