Open Yangholmes opened 3 months ago
5.34.0
Others
Chromium 122.0.6261.94
https://codesandbox.io/p/sandbox/trusting-bose-xz3y3k
如果给 Ellipsis content prop 提供一个带有 html 标签的超长字符串,那么将会发生 xss 注入,而且会导致字符串长度计算错误。
发生注入的位置应该是
https://github.com/ant-design/ant-design-mobile/blob/1d0fc6f65a2417c18c4701effca30d3e57e0783b/src/components/ellipsis/ellipsis.tsx#L119-L124
和
https://github.com/ant-design/ant-design-mobile/blob/1d0fc6f65a2417c18c4701effca30d3e57e0783b/src/components/ellipsis/ellipsis.tsx#L156-L161
如果确认是这里发生注入,我可以尝试将我的补丁提一个 PR 修复。
No response
欢迎 PR
Version of antd-mobile
5.34.0
Operating system and its version
Others
Browser and its version
Chromium 122.0.6261.94
Sandbox to reproduce
https://codesandbox.io/p/sandbox/trusting-bose-xz3y3k
What happened?
如果给 Ellipsis content prop 提供一个带有 html 标签的超长字符串,那么将会发生 xss 注入,而且会导致字符串长度计算错误。
发生注入的位置应该是
https://github.com/ant-design/ant-design-mobile/blob/1d0fc6f65a2417c18c4701effca30d3e57e0783b/src/components/ellipsis/ellipsis.tsx#L119-L124
和
https://github.com/ant-design/ant-design-mobile/blob/1d0fc6f65a2417c18c4701effca30d3e57e0783b/src/components/ellipsis/ellipsis.tsx#L156-L161
如果确认是这里发生注入,我可以尝试将我的补丁提一个 PR 修复。
Relevant log output
No response