imacat/lucia-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix HTML injection risks in FilesPage and UploadPage

Browse Source 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
依瑪貓
2026-03-09 13:48:23 +08:00
parent ca75a06612
commit ac4405068f
2 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/views/Files/FilesPage.vue
View File

@@ -486,6 +486,7 @@ import {
deleteFileModal, deleteFileModal,
reallyDeleteInformation, reallyDeleteInformation,
} from "@/module/alertModal.js"; } from "@/module/alertModal.js";
import { escapeHtml } from "@/utils/escapeHtml.js";
const router = useRouter(); const router = useRouter();
@@ -761,7 +762,7 @@ async function deleteFile(type, id, name, source) {
default: default:
break; break;
} }
const content = `<li>[${i.type}] ${i.name}</li>`; const content = `<li>[${escapeHtml(i.type)}] ${escapeHtml(i.name)}</li>`;
srt += content; srt += content;
}); });
} }
@@ -790,7 +791,7 @@ function showReallyDelete() {
break; break;
} }
const content = `<li>[${file.type}] ${file.name}</li>`; const content = `<li>[${escapeHtml(file.type)}] ${escapeHtml(file.name)}</li>`;
srt += content; srt += content;
}); });
} }

2
src/views/Upload/UploadPage.vue
View File

@@ -330,7 +330,7 @@ function getTextWidth(text, e) {
const processedText = text.replace(/ /g, "\u00a0"); const processedText = text.replace(/ /g, "\u00a0");
const hiddenSpan = document.createElement("span"); const hiddenSpan = document.createElement("span");
hiddenSpan.innerHTML = processedText; hiddenSpan.textContent = processedText;
hiddenSpan.style.font = window.getComputedStyle(e).font; hiddenSpan.style.font = window.getComputedStyle(e).font;
hiddenSpan.style.visibility = "hidden"; hiddenSpan.style.visibility = "hidden";
document.body.appendChild(hiddenSpan); document.body.appendChild(hiddenSpan);