fix: 修复 xss 攻击漏洞 TencentBlueKing#796

yuri0528 · Nov 17, 2022 · 4d55a81 · 4d55a81
1 parent fca5f4a
commit 4d55a81
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 5 deletions.
diff --git a/src/pages/package.json b/src/pages/package.json
@@ -69,7 +69,8 @@
         "vue-i18n": "8.9.0",
         "vue-image-crop-upload": "2.5.0",
         "vue-router": "3.0.6",
-        "vuex": "3.1.1"
+        "vuex": "3.1.1",
+        "xss": "1.0.13"
     },
     "devDependencies": {
         "@babel/core": "7.11.0",

diff --git a/src/pages/src/main.js b/src/pages/src/main.js
@@ -25,6 +25,7 @@ import methods from '@/plugins/methods';
 import bus from '@/common/bus';
 import cursor from '@/directives/cursor';
 import { Base64 } from 'js-base64';
+import xss from 'xss';
 
 Vue.component(VueCropper);
 Vue.use(vClickOutside);
@@ -34,6 +35,16 @@ Vue.directive('cursor', cursor);
 Vue.config.devtools = true;
 Vue.prototype.$bus = new Vue();
 Vue.use(Base64);
+Vue.prototype.$xss = (html) => {
+  const attrs = ['class', 'title', 'target', 'style'];
+  return xss(html || '', {
+    onTagAttr: (tag, name, value) => {
+      if (attrs.includes(name)) {
+        return `${name}=${value}`;
+      }
+    },
+  });
+};
 
 injectCSRFTokenToHeaders();
 window.bus = bus;

diff --git a/src/pages/src/views/organization/details/UserMaterial.vue b/src/pages/src/views/organization/details/UserMaterial.vue
@@ -88,7 +88,7 @@
               <p :class="['text', { 'phone': phoneNumber === $t('点击查看') }]">{{phoneNumber}}</p>
             </div>
             <div class="desc" v-else>
-              <p class="text">{{fieldInfo.value || '--'}}</p>
+              <p class="text">{{$xss(fieldInfo.value) || '--'}}</p>
             </div>
           </div>
         </li>

diff --git a/src/pages/src/views/organization/table/UserTable.vue b/src/pages/src/views/organization/table/UserTable.vue
@@ -74,7 +74,7 @@
               </div>
               <!-- 其他字段 -->
               <div class="list-wrapper" v-else>
-                <span v-bk-overflow-tips>{{getValueByType(key, item[key]) || '--'}}</span>
+                <span v-bk-overflow-tips>{{$xss(getValueByType(key, item[key])) || '--'}}</span>
               </div>
             </td>
           </tr>

diff --git a/src/pages/src/views/organization/tree/TreeSearch.vue b/src/pages/src/views/organization/tree/TreeSearch.vue
@@ -110,7 +110,7 @@
                     @click="handleSelect(item)">
                     <div class="match-item-left">
                       <p class="item-title">
-                        {{ item.username + '(' + item.display_name + ') ' }}
+                        {{ item.username + '(' + $xss(item.display_name) + ') ' }}
                         <span class="category-label">{{item.category_name}}</span>
                       </p>
                       <p class="item-detail">{{ getUserDetail(item) }}</p>

diff --git a/src/pages/yarn.lock b/src/pages/yarn.lock
@@ -3495,7 +3495,7 @@ commander@2.17.x:
   resolved "https://mirrors.tencent.com/npm/commander/-/commander-2.17.1.tgz#bd77ab7de6de94205ceacc72f1716d29f20a77bf"
   integrity sha512-wPMUt6FnH2yzG95SA6mzjQOEKUU3aLaDEmzs1ti+1E9h+CsrZghRlqEM/EJ4KscsQVG8uNN4uVreUeT8+drlgg==
 
-commander@^2.18.0, commander@^2.19.0, commander@^2.20.0, commander@^2.9.0:
+commander@^2.18.0, commander@^2.19.0, commander@^2.20.0, commander@^2.20.3, commander@^2.9.0:
   version "2.20.3"
   resolved "https://mirrors.tencent.com/npm/commander/-/commander-2.20.3.tgz#fd485e84c03eb4881c20722ba48035e8531aeb33"
   integrity sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==
@@ -3994,6 +3994,11 @@ cssesc@^3.0.0:
   resolved "https://mirrors.tencent.com/npm/cssesc/-/cssesc-3.0.0.tgz#37741919903b868565e1c09ea747445cd18983ee"
   integrity sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==
 
+cssfilter@0.0.10:
+  version "0.0.10"
+  resolved "https://mirrors.tencent.com/npm/cssfilter/-/cssfilter-0.0.10.tgz#c6d2672632a2e5c83e013e6864a42ce8defd20ae"
+  integrity sha1-xtJnJjKi5cg+AT5oZKQs6N79IK4=
+
 cssnano-preset-default@^4.0.8:
   version "4.0.8"
   resolved "https://mirrors.tencent.com/npm/cssnano-preset-default/-/cssnano-preset-default-4.0.8.tgz#920622b1fc1e95a34e8838203f1397a504f2d3ff"
@@ -13513,6 +13518,14 @@ xdg-basedir@^3.0.0:
   resolved "https://mirrors.tencent.com/npm/xml-name-validator/-/xml-name-validator-2.0.1.tgz#4d8b8f1eccd3419aa362061becef515e1e559635"
   integrity sha1-TYuPHszTQZqjYgYb7O9RXh5VljU=
 
+xss@1.0.13:
+  version "1.0.13"
+  resolved "https://mirrors.tencent.com/npm/xss/-/xss-1.0.13.tgz#6e48f616128b39f366dfadc57411e1eb5b341c6c"
+  integrity sha512-clu7dxTm1e8Mo5fz3n/oW3UCXBfV89xZ72jM8yzo1vR/pIS0w3sgB3XV2H8Vm6zfGnHL0FzvLJPJEBhd86/z4Q==
+  dependencies:
+    commander "^2.20.3"
+    cssfilter "0.0.10"
+
 xtend@^4.0.0, xtend@~4.0.1:
   version "4.0.2"
   resolved "https://mirrors.tencent.com/npm/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"