fix(web): ArticlePhonePreview XSS 修复 — DOMPurify 净化 dangerouslySetInnerHTML

- 安装 dompurify + @types/dompurify
- ArticlePhonePreview 使用 DOMPurify.sanitize() 防止 HTML 注入
This commit is contained in:
iven
2026-05-21 22:34:58 +08:00
parent fd994edf3e
commit 21481dbd88
3 changed files with 31 additions and 1 deletions


@@ -1,4 +1,5 @@
import { useMemo } from 'react';
import DOMPurify from 'dompurify';
interface ArticlePhonePreviewProps {
title: string;
@@ -240,7 +241,7 @@ export default function ArticlePhonePreview({
<div className="mp-content">
{content && content !== '<p><br></p>' ? (
<div dangerouslySetInnerHTML={{ __html: content }} />
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }} />
) : (
<div className="mp-empty">