Fix HTML injection risks in FilesPage and UploadPage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 13:48:23 +08:00
parent ca75a06612
commit ac4405068f
2 changed files with 4 additions and 3 deletions
--- a/src/views/Files/FilesPage.vue
+++ b/src/views/Files/FilesPage.vue
@@ -486,6 +486,7 @@ import {
  deleteFileModal,
  reallyDeleteInformation,
 } from "@/module/alertModal.js";
+import { escapeHtml } from "@/utils/escapeHtml.js";

 const router = useRouter();

@@ -761,7 +762,7 @@ async function deleteFile(type, id, name, source) {
        default:
          break;
      }
-      const content = `<li>[${i.type}] ${i.name}</li>`;
+      const content = `<li>[${escapeHtml(i.type)}] ${escapeHtml(i.name)}</li>`;
      srt += content;
    });
  }
@@ -790,7 +791,7 @@ function showReallyDelete() {
          break;
      }

-      const content = `<li>[${file.type}] ${file.name}</li>`;
+      const content = `<li>[${escapeHtml(file.type)}] ${escapeHtml(file.name)}</li>`;
      srt += content;
    });
  }