Fix HTML injection risks in FilesPage and UploadPage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 13:48:23 +08:00
parent ca75a06612
commit ac4405068f
2 changed files with 4 additions and 3 deletions
--- a/src/views/Upload/UploadPage.vue
+++ b/src/views/Upload/UploadPage.vue
@@ -330,7 +330,7 @@ function getTextWidth(text, e) {
  const processedText = text.replace(/ /g, "\u00a0");
  const hiddenSpan = document.createElement("span");

-  hiddenSpan.innerHTML = processedText;
+  hiddenSpan.textContent = processedText;
  hiddenSpan.style.font = window.getComputedStyle(e).font;
  hiddenSpan.style.visibility = "hidden";
  document.body.appendChild(hiddenSpan);