Merge pull request #3320 from jumpserver/pr@dev@fix_msg_subscribe_for_xss

fix: 修复系统设置 > 消息订阅 > 修改订阅人因为用户名导致的 xss
2026-01-13 19:35:24 +00:00 · 2023-08-08 16:17:49 +08:00
parent 86b37eeeba 45c860797a
commit a6b0da60a3
1 changed files with 5 additions and 4 deletions
--- a/src/views/settings/Message/SelectDialog.vue
+++ b/src/views/settings/Message/SelectDialog.vue
@@ -2,13 +2,13 @@
  <Dialog
    ref="myDialog"
    :destroy-on-close="true"
-    width="790px"
    height="720px"
    v-bind="$attrs"
+    width="790px"
    @confirm="submit"
    v-on="$listeners"
  >
-    <krryPaging ref="pageTransfer" v-bind="pagingTransfer" class="transfer" />
+    <krryPaging ref="pageTransfer" class="transfer" v-bind="pagingTransfer" />
  </Dialog>
 </template>

@@ -16,6 +16,7 @@
 import Dialog from '@/components/Dialog'
 import { krryPaging } from 'krry-transfer'
 import { getUserList } from '@/api/users'
+
 export default {
  name: 'ListSelect',
  components: {
@@ -47,7 +48,7 @@ export default {
          }
          const data = await getUserList(params)
          const results = data['results'].map(item => {
-            return { id: item.id, label: `${item.name}(${item.username})` }
+            return { id: item.id, label: _.escape(`${item.name}(${item.username})`) }
          })
          return results
        },
@@ -62,7 +63,7 @@ export default {
          }
          const data = await getUserList(params)
          const results = data['results'].map(item => {
-            return { id: item.id, label: `${item.name}(${item.username})` }
+            return { id: item.id, label: _.escape(`${item.name}(${item.username})`) }
          })
          return results
        },