feat(health): 为所有 DTO 添加 sanitize 防止存储型 XSS

覆盖 patient/health_data/appointment/follow_up/consultation/doctor 6 个 DTO 模块共 14 个请求结构体，在 handler 层统一调用 sanitize。
2026-04-25 00:04:25 +08:00
parent a63043f447
commit 1d1f01df81
12 changed files with 182 additions and 9 deletions
--- a/crates/erp-health/src/handler/appointment_handler.rs
+++ b/crates/erp-health/src/handler/appointment_handler.rs
@@ -81,6 +81,8 @@ where
    S: Clone + Send + Sync + 'static,
 {
    require_permission(&ctx, "health.appointment.manage")?;
+    let mut req = req;
+    req.sanitize();
    let result = appointment_service::create_appointment(
        &state, ctx.tenant_id, Some(ctx.user_id), req,
    )
@@ -113,10 +115,11 @@ where
    S: Clone + Send + Sync + 'static,
 {
    require_permission(&ctx, "health.appointment.manage")?;
-    let update_req = UpdateAppointmentStatusReq {
+    let mut update_req = UpdateAppointmentStatusReq {
        status: req.status,
        cancel_reason: req.cancel_reason,
    };
+    update_req.sanitize();
    let result = appointment_service::update_appointment_status(
        &state, ctx.tenant_id, id, Some(ctx.user_id), update_req, req.version,
    )