fix: Markdown editor xss attack (#4578)

2025-12-30 17:52:48 +00:00 · 2025-12-29 16:31:39 +08:00 · 2025-12-29 16:31:39 +08:00 · 7230daa5ec
parent 159997c529
commit 7230daa5ec
1 changed files with 46 additions and 1 deletions
--- a/ui/src/chat.ts
+++ b/ui/src/chat.ts
@ -12,7 +12,8 @@ import i18n from '@/locales'
 import Components from '@/components'
 import directives from '@/directives'

-import { config } from 'md-editor-v3'
+import { getDefaultWhiteList } from 'xss'
+import { config, XSSPlugin } from 'md-editor-v3'
 import screenfull from 'screenfull'

 import katex from 'katex'
@ -43,6 +44,50 @@ config({
      instance: mermaid,
    },
  },
+  markdownItPlugins(plugins) {
+    return [
+      ...plugins,
+      {
+        type: 'xss',
+        plugin: XSSPlugin,
+        options: {
+          xss() {
+            return {
+              whiteList: Object.assign({}, getDefaultWhiteList(), {
+                video: ['src', 'controls', 'width', 'height', 'preload', 'playsinline'],
+                source: ['src', 'type'],
+                input: ['class', 'disabled', 'type', 'checked'],
+                iframe: [
+                  'class',
+                  'width',
+                  'height',
+                  'src',
+                  'title',
+                  'border',
+                  'frameborder',
+                  'framespacing',
+                  'allow',
+                  'allowfullscreen',
+                ],
+              }),
+              onTagAttr: (tag: string, name: any, value: any) => {
+                if (tag === 'video') {
+                  // 禁止自动播放
+                  if (name === 'autoplay') return ''
+
+                  // 限制 preload
+                  if (name === 'preload' && !['none', 'metadata'].includes(value)) {
+                    return 'preload="metadata"'
+                  }
+                }
+                return undefined
+              },
+            }
+          },
+        },
+      },
+    ]
+  },
 })
 const app = createApp(App)
 app.use(createPinia())