From 35d5c780b48a8732c1be743b790ad33fe7793226 Mon Sep 17 00:00:00 2001
From: duanlinzhen
Date: Mon, 26 Jan 2026 15:51:53 +0800
Subject: [PATCH 1/2] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20XSS=20=E6=B3=A8?= =?UTF-8?q?=E5=85=A5=E6=BC=8F=E6=B4=9E=EF=BC=8C=E9=BB=98=E8=AE=A4=20filter?= =?UTF-8?q?Html=20=E4=BD=BF=E7=94=A8=20escapeHtml=20=E8=BD=AC=E4=B9=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 packages/amis-core/src/factory.tsx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/amis-core/src/factory.tsx b/packages/amis-core/src/factory.tsx
index 85435996d74..af24ffdd8d3 100644
--- a/packages/amis-core/src/factory.tsx
+++ b/packages/amis-core/src/factory.tsx
@@ -12,6 +12,7 @@ import {
 isMobile,
 TestIdBuilder
 } from './utils/helper';
+import {escapeHtml} from './utils/escapeHtml';
 import {
 fetcherResult,
 SchemaNode,
@@ -556,7 +557,7 @@ export const defaultOptions: RenderOptions = {
 /**
 * 过滤 html 标签,可用来添加 xss 保护逻辑
 */
- filterHtml: (input: string) => input,
+ filterHtml: (input: string) => escapeHtml(input),
 isMobile: isMobile,
 getPageId: getPageId,
 pageMetaEffect: (meta: AMISPageMeta) => {
From af35731d2d1be4d11e468dd8d30f3daceb7fc576 Mon Sep 17 00:00:00 2001
From: duanlinzhen
Date: Mon, 26 Jan 2026 17:15:27 +0800
Subject: [PATCH 2/2] =?UTF-8?q?feat:=20=E9=99=90=E5=88=B6=E8=A1=A8?= =?UTF-8?q?=E8=BE=BE=E5=BC=8F=E5=BC=B9=E7=AA=97xss=E6=B3=A8=E5=85=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 packages/amis-core/src/factory.tsx | 3 +--
 packages/amis-ui/src/components/formula/Editor.tsx | 6 ++++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/packages/amis-core/src/factory.tsx b/packages/amis-core/src/factory.tsx
index af24ffdd8d3..85435996d74 100644
--- a/packages/amis-core/src/factory.tsx
+++ b/packages/amis-core/src/factory.tsx
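Review bot: Making `escapeHtml` the default `filterHtml` turns every string that passes through the hook into literal text, so any renderer that relies on the default to emit sanitized markup will now show tags verbatim instead of rendering them, and the second patch in this series reverts the line for exactly that reason. The doc comment directly above still says the hook filters html tags, which describes neither the identity nor the escaper, so whichever default stays should be stated there, e.g. `// default escapes all markup; hosts that must render html supply a filterHtml backed by an allowlist sanitizer`. An allowlist sanitizer (tags and attributes) is the usual shape for this hook; escaping is only correct where the output is meant to be plain text. `defaultOptions` continues outside the hunk.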
@@ -12,7 +12,6 @@ import {
 isMobile,
 TestIdBuilder
 } from './utils/helper';
-import {escapeHtml} from './utils/escapeHtml';
 import {
 fetcherResult,
 SchemaNode,
@@ -557,7 +556,7 @@ export const defaultOptions: RenderOptions = {
 /**
 * 过滤 html 标签,可用来添加 xss 保护逻辑
 */
- filterHtml: (input: string) => escapeHtml(input),
+ filterHtml: (input: string) => input,
 isMobile: isMobile,
 getPageId: getPageId,
 pageMetaEffect: (meta: AMISPageMeta) => {
diff --git a/packages/amis-ui/src/components/formula/Editor.tsx b/packages/amis-ui/src/components/formula/Editor.tsx
index c1eb363a57d..0292686e87a 100644
--- a/packages/amis-ui/src/components/formula/Editor.tsx
+++ b/packages/amis-ui/src/components/formula/Editor.tsx
@@ -5,7 +5,8 @@ import React from 'react';
 import {
 eachTree,
 resolveVariableAndFilterForAsync,
- uncontrollable
+ uncontrollable,
+ escapeHtml
 } from 'amis-core';
 import {
 parse,
@@ -208,7 +209,8 @@ export class FormulaEditor extends React.Component<
 .filter(item => item)
 .sort((a, b) => b.length - a.length);
- const content = value || '';
+ // XSS 防护:对用户输入进行转义
+ const content = escapeHtml(value || '');
 let html = '';
 // 标记方法调用
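Review bot: After `const content = escapeHtml(value || '')` the rest of the highlighting pass works on entity-encoded text, so `<`, `>`, `&` and quotes in a formula become multi-character entities and any offsets computed against `value` (for instance from `parse`, imported in the earlier hunk) no longer line up with `content`; the method body continues outside the hunk, so whether such offsets are used cannot be confirmed here, but a test that feeds an expression such as `a < b && c` through the editor would settle it. The name-matching that runs on `content` must also not match inside an entity like `&amp;`. The added comment should state the invariant the rest of the method now depends on: `// content is HTML-escaped from here on; indexes into value do not match content`.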