sensorsdata
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎core/sensorsdata.amd.min.js‎
Lines changed: 3 additions & 3 deletions b/‎core/sensorsdata.amd.min.js‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎core/sensorsdata.es6.min.js‎
Lines changed: 1 addition & 1 deletion b/‎core/sensorsdata.es6.min.js‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎core/sensorsdata.min.js‎
Lines changed: 3 additions & 3 deletions b/‎core/sensorsdata.min.js‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎heatmap.min.js‎
Lines changed: 1 addition & 1 deletion b/‎heatmap.min.js‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎package.json‎
Lines changed: 1 addition & 1 deletion b/‎package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎product/heatmap.full.js‎
Lines changed: 1 addition & 1 deletion b/‎product/heatmap.full.js‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎product/sensorsdata.amd.full.js‎
Lines changed: 23 additions & 3 deletions b/‎product/sensorsdata.amd.full.js‎
Lines changed: 23 additions & 3 deletions
diff --git a/‎product/sensorsdata.es6.full.js‎
Lines changed: 23 additions & 3 deletions b/‎product/sensorsdata.es6.full.js‎
Lines changed: 23 additions & 3 deletions
diff --git a/‎product/sensorsdata.full.js‎
Lines changed: 23 additions & 3 deletions b/‎product/sensorsdata.full.js‎
Lines changed: 23 additions & 3 deletions
@@ -1,6 +1,9 @@
+## 1.16.9 (2021-04-10)
+1.  修复
+    - 修复可视化埋点 `XSS` 问题
 ## 1.16.8 (2021-04-07)
 1. 新增
-    - 新增 `Web_`支持渠道匹配和回传
+    - 支持渠道匹配和回传
 ## 1.16.7 (2021-03-19)
 1. 新增
     - 新增 `url` 上中文解码功能
 
@@ -1,6 +1,6 @@
 {
   "name": "sa-sdk-javascript",
-  "version": "1.16.8",
+  "version": "1.16.9",
   "description": "official sensorsdata javascript sdk",
   "main": "sensorsdata.min.js",
   "scripts": {
 
@@ -9440,7 +9440,7 @@
 
   window.sa_jssdk_heatmap_render = function(se, data, type, url) {
     sd = se;
-    sd.heatmap_version = '1.16.8';
+    sd.heatmap_version = '1.16.9';
     _ = sd._;
 
     _.bindReady = function(fn, win) {
 
@@ -2373,6 +2373,26 @@
         }
         return supported;
       };
+
+      _.secCheck = {
+        isHTTPURL: function(str) {
+          if (typeof str !== 'string') return false;
+          var _regex = /^https?:\/\/.+/;
+          if (_regex.test(str) === false) {
+            sd.log('Invalid URL');
+            return false;
+          };
+          return true;
+        },
+        removeScriptProtocol: function(str) {
+          if (typeof str !== 'string') return '';
+          var _regex = /^javascript:/i;
+          while (_regex.test(str)) {
+            str = str.replace(_regex, '');
+          }
+          return str;
+        }
+      };
     })();
 
 
@@ -2638,7 +2658,7 @@
 
     sd.setInitVar = function() {
       sd._t = sd._t || 1 * new Date();
-      sd.lib_version = '1.16.8';
+      sd.lib_version = '1.16.9';
       sd.is_first_visitor = false;
       sd.source_channel_standard = 'utm_source utm_medium utm_campaign utm_content utm_term';
     };
@@ -3473,7 +3493,7 @@
                 sessionStorage.setItem('sensors-visual-mode', 'true');
               }
               if (event.data.data.userURL && location.search.match(/sa-visual-mode=true/)) {
-                window.location.href = event.data.data.userURL;
+                window.location.href = _.secCheck.removeScriptProtocol(event.data.data.userURL);
               } else {
                 vtrackMode.loadVtrack();
               }
@@ -3498,7 +3518,7 @@
               source: 'sa-web-sdk',
               type: 'v-is-vtrack',
               data: {
-                sdkversion: '1.16.8'
+                sdkversion: '1.16.9'
               }
             }, '*');
           }
 
@@ -2362,6 +2362,26 @@ if (typeof JSON !== 'object') {
     }
     return supported;
   };
+
+  _.secCheck = {
+    isHTTPURL: function(str) {
+      if (typeof str !== 'string') return false;
+      var _regex = /^https?:\/\/.+/;
+      if (_regex.test(str) === false) {
+        sd.log('Invalid URL');
+        return false;
+      };
+      return true;
+    },
+    removeScriptProtocol: function(str) {
+      if (typeof str !== 'string') return '';
+      var _regex = /^javascript:/i;
+      while (_regex.test(str)) {
+        str = str.replace(_regex, '');
+      }
+      return str;
+    }
+  };
 })();
 
 
@@ -2627,7 +2647,7 @@ sd.setPreConfig = function(sa) {
 
 sd.setInitVar = function() {
   sd._t = sd._t || 1 * new Date();
-  sd.lib_version = '1.16.8';
+  sd.lib_version = '1.16.9';
   sd.is_first_visitor = false;
   sd.source_channel_standard = 'utm_source utm_medium utm_campaign utm_content utm_term';
 };
@@ -3462,7 +3482,7 @@ sd.detectMode = function() {
             sessionStorage.setItem('sensors-visual-mode', 'true');
           }
           if (event.data.data.userURL && location.search.match(/sa-visual-mode=true/)) {
-            window.location.href = event.data.data.userURL;
+            window.location.href = _.secCheck.removeScriptProtocol(event.data.data.userURL);
           } else {
             vtrackMode.loadVtrack();
           }
@@ -3487,7 +3507,7 @@ sd.detectMode = function() {
           source: 'sa-web-sdk',
           type: 'v-is-vtrack',
           data: {
-            sdkversion: '1.16.8'
+            sdkversion: '1.16.9'
           }
         }, '*');
       }
 
@@ -2374,6 +2374,26 @@
         }
         return supported;
       };
+
+      _.secCheck = {
+        isHTTPURL: function(str) {
+          if (typeof str !== 'string') return false;
+          var _regex = /^https?:\/\/.+/;
+          if (_regex.test(str) === false) {
+            sd.log('Invalid URL');
+            return false;
+          };
+          return true;
+        },
+        removeScriptProtocol: function(str) {
+          if (typeof str !== 'string') return '';
+          var _regex = /^javascript:/i;
+          while (_regex.test(str)) {
+            str = str.replace(_regex, '');
+          }
+          return str;
+        }
+      };
     })();
 
 
@@ -2639,7 +2659,7 @@
 
     sd.setInitVar = function() {
       sd._t = sd._t || 1 * new Date();
-      sd.lib_version = '1.16.8';
+      sd.lib_version = '1.16.9';
       sd.is_first_visitor = false;
       sd.source_channel_standard = 'utm_source utm_medium utm_campaign utm_content utm_term';
     };
@@ -3474,7 +3494,7 @@
                 sessionStorage.setItem('sensors-visual-mode', 'true');
               }
               if (event.data.data.userURL && location.search.match(/sa-visual-mode=true/)) {
-                window.location.href = event.data.data.userURL;
+                window.location.href = _.secCheck.removeScriptProtocol(event.data.data.userURL);
               } else {
                 vtrackMode.loadVtrack();
               }
@@ -3499,7 +3519,7 @@
               source: 'sa-web-sdk',
               type: 'v-is-vtrack',
               data: {
-                sdkversion: '1.16.8'
+                sdkversion: '1.16.9'
               }
             }, '*');
           }
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "sa-sdk-javascript",`
`3`		`- "version": "1.16.8",`
	`3`	`+ "version": "1.16.9",`
`4`	`4`	`"description": "official sensorsdata javascript sdk",`
`5`	`5`	`"main": "sensorsdata.min.js",`
`6`	`6`	`"scripts": {`