feat(health): 为所有 DTO 添加 sanitize 防止存储型 XSS

覆盖 patient/health_data/appointment/follow_up/consultation/doctor 6 个 DTO 模块共 14 个请求结构体，在 handler 层统一调用 sanitize。
2026-04-25 00:04:25 +08:00
parent a63043f447
commit 1d1f01df81
12 changed files with 182 additions and 9 deletions
--- a/crates/erp-health/src/handler/follow_up_handler.rs
+++ b/crates/erp-health/src/handler/follow_up_handler.rs
@@ -85,6 +85,8 @@ where
    S: Clone + Send + Sync + 'static,
 {
    require_permission(&ctx, "health.follow-up.manage")?;
+    let mut req = req;
+    req.sanitize();
    let result = follow_up_service::create_task(
        &state, ctx.tenant_id, Some(ctx.user_id), req,
    )
@@ -103,8 +105,10 @@ where
    S: Clone + Send + Sync + 'static,
 {
    require_permission(&ctx, "health.follow-up.manage")?;
+    let mut data = req.data;
+    data.sanitize();
    let result = follow_up_service::update_task(
-        &state, ctx.tenant_id, id, Some(ctx.user_id), req.data, req.version,
+        &state, ctx.tenant_id, id, Some(ctx.user_id), data, req.version,
    )
    .await?;
    Ok(Json(ApiResponse::ok(result)))
@@ -139,6 +143,8 @@ where
    if req.task_id != task_id {
        return Err(AppError::Validation("路径中的 task_id 与请求体不一致".to_string()));
    }
+    let mut req = req;
+    req.sanitize();
    let result = follow_up_service::create_record(
        &state, ctx.tenant_id, Some(ctx.user_id), req,
    )