From a5b517f67a5fa169375feef05e326da4577465bc Mon Sep 17 00:00:00 2001
From: v_xugzhou <941071842@qq.com>
Date: Wed, 9 Oct 2024 14:27:20 +0800
Subject: [PATCH 1/3] =?UTF-8?q?fix:=20=E4=BD=BF=E7=94=A8v-html=E6=A8=A1?=
=?UTF-8?q?=E6=9D=BF=E8=AF=AD=E6=B3=95=E6=97=B6=E6=B7=BB=E5=8A=A0=E5=AE=89?=
=?UTF-8?q?=E5=85=A8=E9=A2=84=E9=98=B2=20--bug=3D119961524=20#=20Reviewed,?=
=?UTF-8?q?=20transaction=20id:=2020003?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
frontend/desktop/package.json | 3 ++-
.../src/components/common/modal/ErrorCodeModal.vue | 2 +-
frontend/desktop/src/main.js | 7 +++++++
.../src/pages/task/PeriodicList/BootRecordDialog.vue | 9 ++++++++-
.../desktop/src/pages/task/TaskExecute/ExecuteInfo.vue | 9 ++++++++-
.../pages/task/TaskExecute/ExecuteInfo/OutputParams.vue | 6 +++---
6 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/frontend/desktop/package.json b/frontend/desktop/package.json
index f94df5e7ec..b5f9d7c997 100644
--- a/frontend/desktop/package.json
+++ b/frontend/desktop/package.json
@@ -43,7 +43,8 @@
"vue-router": "^3.0.1",
"vuedraggable": "^2.16.0",
"vuex": "^3.0.1",
- "xlsx": "^0.15.1"
+ "xlsx": "^0.15.1",
+ "xss": "^1.0.15"
},
"devDependencies": {
"@babel/core": "^7.4.5",
diff --git a/frontend/desktop/src/components/common/modal/ErrorCodeModal.vue b/frontend/desktop/src/components/common/modal/ErrorCodeModal.vue
index b2d6c4e44e..faaf003f16 100644
--- a/frontend/desktop/src/components/common/modal/ErrorCodeModal.vue
+++ b/frontend/desktop/src/components/common/modal/ErrorCodeModal.vue
@@ -28,7 +28,7 @@
-
+
diff --git a/frontend/desktop/src/main.js b/frontend/desktop/src/main.js
index 8ef6d2c8d1..c95480ef42 100644
--- a/frontend/desktop/src/main.js
+++ b/frontend/desktop/src/main.js
@@ -12,6 +12,7 @@
import './public-path.js'
import Vue from 'vue'
import VeeValidate, { Validator } from 'vee-validate'
+import filterXSS from 'xss'
import router from './routers/index.js'
import store from './store/index.js'
import './directives/index.js'
@@ -211,6 +212,12 @@ Validator.localize({
}
})
+Vue.prototype.filterXSS = input => filterXSS(input, {
+ whiteList: {
+ a: ['href']
+ }
+})
+
new Vue({
i18n,
router,
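Review bot: The `filterXSS` helper added on `Vue.prototype` takes only `input`, so the second argument passed in the BootRecordDialog.vue and ExecuteInfo.vue hunks (`whiteList: { a: ['href'], br: [] }`) is silently discarded and the fixed `a`-only whitelist is always used. Those callers replace newlines with markup before filtering (the replacement string is garbled in this view, presumably a `br` tag given the whitelist entry), so that markup would be escaped and shown as literal text instead of a line break. Accept and forward the options: `Vue.prototype.filterXSS = (input, options = { whiteList: { a: ['href'] } }) => filterXSS(input, options)`. Alternatively, the two callers could sanitise first and insert the line-break markup afterwards, which avoids widening the whitelist at all.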
diff --git a/frontend/desktop/src/pages/task/PeriodicList/BootRecordDialog.vue b/frontend/desktop/src/pages/task/PeriodicList/BootRecordDialog.vue
index db422eee21..46195d5d79 100644
--- a/frontend/desktop/src/pages/task/PeriodicList/BootRecordDialog.vue
+++ b/frontend/desktop/src/pages/task/PeriodicList/BootRecordDialog.vue
@@ -150,7 +150,14 @@
return ''
}
if (typeof data === 'string') {
- const info = data.replace(/\n/g, '
')
+ // 只渲染a标签,不过滤换行
+ let info = data.replace(/\n/g, '
')
+ info = this.filterXSS(info, {
+ whiteList: {
+ a: ['href'],
+ br: []
+ }
+ })
return info
} else {
return data
diff --git a/frontend/desktop/src/pages/task/TaskExecute/ExecuteInfo.vue b/frontend/desktop/src/pages/task/TaskExecute/ExecuteInfo.vue
index c22f17c8eb..2a2b7f229c 100644
--- a/frontend/desktop/src/pages/task/TaskExecute/ExecuteInfo.vue
+++ b/frontend/desktop/src/pages/task/TaskExecute/ExecuteInfo.vue
@@ -1009,7 +1009,14 @@
return ''
}
if (typeof data === 'string') {
- const info = data.replace(/\n/g, '
')
+ // 只渲染a标签,不过滤换行
+ let info = data.replace(/\n/g, '
')
+ info = this.filterXSS(info, {
+ whiteList: {
+ a: ['href'],
+ br: []
+ }
+ })
return info
} else {
return data
diff --git a/frontend/desktop/src/pages/task/TaskExecute/ExecuteInfo/OutputParams.vue b/frontend/desktop/src/pages/task/TaskExecute/ExecuteInfo/OutputParams.vue
index ae00c116af..6f739d6b21 100644
--- a/frontend/desktop/src/pages/task/TaskExecute/ExecuteInfo/OutputParams.vue
+++ b/frontend/desktop/src/pages/task/TaskExecute/ExecuteInfo/OutputParams.vue
@@ -113,11 +113,11 @@
if (output.value === 'undefined' || output.value === '') {
return '--'
} else if (!output.preset && this.nodeDetailConfig.component_code === 'job_execute_task') {
- return output.value
+ return this.filterXSS(JSON.stringify(output.value))
} else if (Array.isArray(output.value)) {
if (!output.value.length) return '--'
return output.value.reduce((acc, cur) => {
- let str = cur
+ let str = this.filterXSS(cur)
if (this.isUrl(cur)) {
str = `${cur}`
}
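Review bot: In the array branch, the URL case overwrites the sanitised `str` with a template built from the raw `cur`, so any element that passes `isUrl` reaches the rendered output without going through `filterXSS`. The same holds for the `isUrl(output.value)` return in the next hunk. The template's markup is not visible in this view and `isUrl` is defined outside the hunk, so its strictness cannot be judged from here. Unless it rejects every quote and angle bracket, the assembled link should be filtered too, for example `str = this.filterXSS(str)` as the last statement of the `if (this.isUrl(cur))` block; attributes other than `href` would then be dropped under the global whitelist. The enclosing function starts and ends outside the hunk.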
@@ -128,7 +128,7 @@
if (this.isUrl(output.value)) {
return `${output.value}`
}
- return output.value
+ return this.filterXSS(JSON.stringify(output.value))
}
}
}
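Review bot: Wrapping the value in `JSON.stringify` before filtering changes how string values are displayed: a plain string comes back with surrounding double quotes and with newlines and quotes backslash-escaped. This applies both to this final `return` and to the `job_execute_task` branch of the previous hunk. If the intent is only to make objects and numbers safe to hand to the filter, leave strings as they are: `return this.filterXSS(typeof output.value === 'string' ? output.value : JSON.stringify(output.value))`. The type of `output.value` on this path is not visible in the hunk, so confirm whether strings reach it.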
From ecbf8a375fd4e7acdf0088923ed224d49b0278ad Mon Sep 17 00:00:00 2001
From: v_xugzhou <941071842@qq.com>
Date: Thu, 10 Oct 2024 14:52:41 +0800
Subject: [PATCH 2/3] Merge branch 'master' into merge_master # Reviewed,
transaction id: 20124
From 49c5c7336dd698f33f97ff31935d83218feb53af Mon Sep 17 00:00:00 2001
From: v_xugzhou <941071842@qq.com>
Date: Thu, 10 Oct 2024 14:53:21 +0800
Subject: [PATCH 3/3] Merge branch 'master' into merge_master # Reviewed,
transaction id: 20124 # Reviewed, transaction id: 20125