feat: 修复xss漏洞

2024-12-01 19:27:47 +08:00 · 2024-10-16 16:06:00 +08:00 · 2024-10-16 16:06:00 +08:00 · ee9c9a4308
commit ee9c9a4308
parent eda6fba09c
5 changed files with 19 additions and 7 deletions
--- a/packages/fes-plugin-layout/package.json
+++ b/packages/fes-plugin-layout/package.json
@ -30,6 +30,7 @@
    "peerDependencies": {
        "@fesjs/fes": "^3.1.13",
        "@fesjs/fes-design": ">=0.7.0",
+        "dompurify": "^3.1.7",
        "vue": "^3.2.47",
        "vue-router": "^4.0.1"
    },
--- a/packages/fes-plugin-layout/src/runtime/helpers/svg.js
+++ b/packages/fes-plugin-layout/src/runtime/helpers/svg.js
@ -1,3 +1,5 @@
+import DOMPurify from 'dompurify';
+
 const isStr = function (str) {
    return typeof str === 'string';
 };
@ -26,7 +28,7 @@ export function isValid(elm) {

 export function validateContent(svgContent) {
    const div = document.createElement('div');
-    div.innerHTML = svgContent;
+    div.innerHTML = DOMPurify.sanitize(svgContent);

    // setup this way to ensure it works on our buddy IE
    for (let i = div.childNodes.length - 1; i >= 0; i--) {
--- a/packages/fes-plugin-layout/src/runtime/views/MenuIcon.vue
+++ b/packages/fes-plugin-layout/src/runtime/views/MenuIcon.vue
@ -1,11 +1,11 @@
 <script lang="jsx">
-import { ref, onBeforeMount, isVNode } from 'vue';
-// eslint-disable-next-line import/extensions
+import { isVNode, onBeforeMount, ref } from 'vue';
+
 import Icons from '../icons';
 import { validateContent } from '../helpers/svg';

 const urlReg = /^((https?|ftp|file):\/\/)?([\da-z.-]+)\.([a-z.]{2,6})([/\w .-]*)*\/?$/;
-const isUrlResource = (name) => urlReg.test(name) || name.includes('.svg');
+const isUrlResource = name => urlReg.test(name) || name.includes('.svg');

 export default {
    props: {
@ -25,7 +25,8 @@ export default {
                            });
                        }
                    });
-                } else {
+                }
+                else {
                    AIconComponent.value = Icons[props.icon];
                }
            }
@ -39,13 +40,14 @@ export default {
                return <AIconComponent.value />;
            }
            if (AText.value) {
-                return <span class={'fes-layout-icon'} innerHTML={AText.value}></span>;
+                return <span class="fes-layout-icon" innerHTML={AText.value}></span>;
            }
            return null;
        };
    },
 };
 </script>
+
 <style>
 .fes-layout-icon {
    display: inline-block;
--- a/packages/fes-template/src/app.jsx
+++ b/packages/fes-template/src/app.jsx
@ -9,7 +9,7 @@ export const beforeRender = {
        const { setRole, getRole } = accessApi;
        return new Promise((resolve) => {
            setTimeout(() => {
-                setRole('menuTest');
+                setRole('admin');
                resolve({
                    userName: '李雷',
                });
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -441,6 +441,9 @@ importers:
      '@vueuse/core':
        specifier: ^10.7.0
        version: 10.7.0(vue@3.3.4)
+      dompurify:
+        specifier: ^3.1.7
+        version: 3.1.7
      vue:
        specifier: ^3.2.47
        version: 3.3.4
@ -6980,6 +6983,10 @@ packages:
      domelementtype: 2.3.0
    dev: false

+  /dompurify@3.1.7:
+    resolution: {integrity: sha512-VaTstWtsneJY8xzy7DekmYWEOZcmzIe3Qb3zPd4STve1OBTa+e+WmS1ITQec1fZYXI3HCsOZZiSMpG6oxoWMWQ==}
+    dev: false
+
  /domutils@2.8.0:
    resolution: {integrity: sha512-w96Cjofp72M5IIhpjgobBimYEfoPjx1Vx0BSX9P30WBdZW2WIKU0T1Bd0kz2eNZ9ikjKgHbEyKx8BB6H1L3h3A==}
    dependencies: