fix: xss漏洞修复 fix #6349

frontend/src/business/components/track/case/components/FormRichTextItem.vue

@@ -1,6 +1,7 @@
 <template>
   <el-form-item v-loading="result.loading" :disable="true" :label="title" :prop="prop" :label-width="labelWidth">
     <mavon-editor :id="id" v-if="active" :editable="!disabled" @imgAdd="imgAdd" :default-open="defaultOpen" class="mavon-editor"
+                  :xss-options="xssOptions"
                   :subfield="false" :toolbars="toolbars" :language="language" :toolbarsFlag="disabled ? false : true" @imgDel="imgDel" v-model="data[prop]"  ref="md"/>
   </el-form-item>
 </template>
@@ -15,6 +16,12 @@ export default {
     return {
       result: {loading: false},
       id: getUUID(),
+      xssOptions: {
+        whiteList: {
+          img: ["src", "alt", "width", "height"],
+        },
+        stripIgnoreTagBody: true
+      },
       defaultOpen: 'preview',
       toolbars: {
         bold: true, // 粗体
@@ -76,6 +83,9 @@ export default {
     }
   },
   mounted() {
+    if (this.$refs.md) {
+      this.$refs.md.markdownIt.set({html: false});
+    }
     // 点击编辑，失去焦点展示
     let el = document.getElementById(this.id);
     if (el) {

frontend/src/business/components/track/case/components/TestCaseComment.vue

@@ -5,6 +5,7 @@
       <div class="editors_div_style">
         <div id="editorsDiv">
           <mavon-editor :disabled="isReadOnly"
+                        :xss-options="xssOptions"
                         @imgAdd="imgAdd" :default-open="'edit'" class="review-mavon-editor" :imageFilter="imageFilter"
                         :toolbars="richDataToolbars" @imgDel="imgDel" v-model="textarea" ref="md"/>
         </div>
@@ -36,6 +37,12 @@ export default {
       textarea: '',
       isReadOnly: false,
       dialogTableVisible: false,
+      xssOptions: {
+        whiteList: {
+          img: ["src", "alt", "width", "height"],
+        },
+        stripIgnoreTagBody: true
+      },
       richDataToolbars: {
         bold: false, // 粗体
         italic: false, // 斜体
@@ -73,8 +80,10 @@ export default {
       }
     };
   },
-  created() {
-
+  mounted() {
+    if (this.$refs.md) {
+      this.$refs.md.markdownIt.set({html: false});
+    }
   },
   methods: {
     open() {

frontend/src/business/components/track/issue/IssueDescriptionTableItem.vue

@@ -12,6 +12,7 @@
         popper-class="issues-popover"
       >
         <mavon-editor :editable="false" default-open="preview" class="mavon-editor"
+                      :xss-options="xssOptions"
                       :subfield="false" :toolbarsFlag="false" v-model="scope.row.description" ref="md"/>
         <el-button slot="reference" type="text">{{ $t('test_track.issue.preview') }}</el-button>
       </el-popover>
@@ -27,6 +28,12 @@ export default {
   data() {
     return {
       readConfig: {toolbar: []},
+      xssOptions: {
+        whiteList: {
+          img: ["src", "alt", "width", "height"],
+        },
+        stripIgnoreTagBody: true
+      },
     };
   },
   props: {

frontend/src/business/components/track/review/commom/ReviewComment.vue

@@ -18,6 +18,7 @@
       <div class="editors_div_style">
         <div id="editorsDiv" >
           <mavon-editor v-if="showEditor" @imgAdd="imgAdd" :default-open="'edit'" class="review-mavon-editor" :imageFilter="imageFilter"
+                        :xss-options="xssOptions"
                         :toolbars="richDataToolbars"  @imgDel="imgDel" v-model="textarea"  ref="md"/>
         </div>
       </div>
@@ -53,6 +54,12 @@ export default {
       labelWidth: '120px',
       showEditor:true,
       isReadOnly: false,
+      xssOptions: {
+        whiteList: {
+          img: ["src", "alt", "width", "height"],
+        },
+        stripIgnoreTagBody: true
+      },
       richDataToolbars: {
         bold: false, // 粗体
         italic: false, // 斜体