fix: 部分缺陷不显示内容(扩充xss白名单)

--bug=1008133 --user=陈建星 [github#7877]“同步缺陷”导致bug数据丢失 https://www.tapd.cn/55049933/s/1084518
2021-12-21 20:11:19 +08:00 · 2021-12-21 20:11:19 +08:00 · ca39c24911
parent 21e15276bd
commit ca39c24911
4 changed files with 37 additions and 4 deletions
--- a/backend/src/main/java/io/metersphere/xpack
+++ b/backend/src/main/java/io/metersphere/xpack
@ -1 +1 @@
-Subproject commit 25fa8fc0d7972b56f86fb466417ec55588a4812d
+Subproject commit 8e54dfc4cd510f2d676787dad1599067ac02f2d9
--- a/frontend/src/business/components/track/case/components/MsMarkDownText.vue
+++ b/frontend/src/business/components/track/case/components/MsMarkDownText.vue
@ -8,6 +8,7 @@
 <script>
 import {getCurrentUser, getUUID} from "@/common/js/utils";
 import {deleteMarkDownImg, uploadMarkDownImg} from "@/network/image";
+import {DEFAULT_XSS_ATTR} from "@/common/js/constants";
 export default {
  name: "MsMarkDownText",
  components: {},
@ -68,7 +69,39 @@ export default {
      id: getUUID(),
      xssOptions: {
        whiteList: {
-          img: ["src", "alt", "width", "height"],
+          div: DEFAULT_XSS_ATTR,
+          p: DEFAULT_XSS_ATTR,
+          br: [],
+          h1: DEFAULT_XSS_ATTR,
+          h2: DEFAULT_XSS_ATTR,
+          h3: DEFAULT_XSS_ATTR,
+          h4: DEFAULT_XSS_ATTR,
+          h5: DEFAULT_XSS_ATTR,
+          h6: DEFAULT_XSS_ATTR,
+          hr: DEFAULT_XSS_ATTR,
+          span: DEFAULT_XSS_ATTR,
+          strong: DEFAULT_XSS_ATTR,
+          b: DEFAULT_XSS_ATTR,
+          i: DEFAULT_XSS_ATTR,
+          pre: DEFAULT_XSS_ATTR,
+          code: DEFAULT_XSS_ATTR,
+          tr: DEFAULT_XSS_ATTR,
+          table: [...DEFAULT_XSS_ATTR, 'width', 'border'],
+          td: [...DEFAULT_XSS_ATTR, 'width', 'colspan'],
+          th: [...DEFAULT_XSS_ATTR, 'width', 'colspan'],
+          a: [...DEFAULT_XSS_ATTR, 'target', 'href', 'title', 'rel'],
+          img: [...DEFAULT_XSS_ATTR, "src", "alt", "width", "height"],
+          tbody: DEFAULT_XSS_ATTR,
+          ul: DEFAULT_XSS_ATTR,
+          li: DEFAULT_XSS_ATTR,
+          ol: DEFAULT_XSS_ATTR,
+          dl: DEFAULT_XSS_ATTR,
+          dt: DEFAULT_XSS_ATTR,
+          em: DEFAULT_XSS_ATTR,
+          blockquote: DEFAULT_XSS_ATTR,
+          // 如果支持视频
+    //      audio: ['autoplay', 'controls', 'loop', 'preload', 'src'],
+    //      video: ['autoplay', 'controls', 'loop', 'preload', 'src', 'height', 'width']
        },
        stripIgnoreTagBody: true
      },
--- a/frontend/src/business/components/xpack
+++ b/frontend/src/business/components/xpack
@ -1 +1 @@
-Subproject commit 4ab83e897bdbc55729fd7418b6a77e73e39b1df9
+Subproject commit a598375541a45898616db5085fd38c192bd6df4b
--- a/frontend/src/common/js/constants.js
+++ b/frontend/src/common/js/constants.js
@ -202,4 +202,4 @@ export const ENV_TYPE = {
  GROUP: "GROUP"
 }

-
+export const DEFAULT_XSS_ATTR = ['style', 'class'];