lobehub / lobe-ui

🍭 Lobe UI - an open-source UI component library for building AIGC web apps
https://ui.lobehub.com
MIT License

[Bug] Highlighter component has an XSS vulnerability #176

Closed Carrotzpc closed 2 months ago

Carrotzpc commented 2 months ago

💻 Operating System

Windows

🌐 Browser

Chrome

🐛 Bug Description

If the code contains HTML tags and parsing fails, execution reaches the catch branch and the HTML tags are rendered directly. Don't ask me how I know...

https://github.com/lobehub/lobe-ui/blob/532c5bf34f1563329480e1066b4c9dd0cb0c2fa7/src/hooks/useHighlight.ts#L60-L62

🚦 Expected Behavior

The code needs to be HTML-escaped after parsing fails.

📷 Reproduction Steps

No response

📝 Additional Information

No response
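The fix the report asks for, as an added example that is not lobe-ui's own code: a highlighter call wrapped in try/catch whose failure branch escapes the raw source before rendering it, so markup inside a code snippet can never reach the DOM as live HTML. The `Highlighter` type, `escapeHtml`, `renderCode` and the failing sample highlighter are all assumptions for this illustration.

```typescript
// Added example (not lobe-ui code): the fallback pattern the report asks for.
// When syntax highlighting throws, the raw source must be HTML-escaped before it
// is rendered; otherwise any markup inside the snippet is interpreted by the browser.

type Highlighter = (code: string, lang: string) => string; // hypothetical signature

// Escape the five characters that can open or close HTML markup or attributes.
function escapeHtml(input: string): string {
  const map: Record<string, string> = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical wrapper mirroring a try/catch around a highlighter call.
// On success the highlighter's output is used as-is (a well-behaved highlighter
// escapes text itself); on failure we fall back to the ESCAPED raw code.
function renderCode(code: string, lang: string, highlight: Highlighter): string {
  try {
    return highlight(code, lang);
  } catch {
    // The vulnerable fallback would interpolate `code` unescaped here.
    return `<pre><code>${escapeHtml(code)}</code></pre>`;
  }
}

// Constructed sample highlighter that rejects every language except "ts".
const failingHighlighter: Highlighter = (_code, lang) => {
  if (lang !== "ts") throw new Error(`unknown language: ${lang}`);
  return '<span class="hl">ok</span>';
};

// Constructed input: source text that happens to contain HTML tags.
const SAMPLE = "<b>bold</b> and a <script>tag</script>";

// Forces the catch branch; every "<" and ">" in SAMPLE ends up as &lt; / &gt;.
const rendered = renderCode(SAMPLE, "unknown-lang", failingHighlighter);
```

A quick check in a review is to search the rendered fallback for a literal `<script` or `onerror=`; after escaping, neither can appear as markup.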

lobehubbot commented 2 months ago

👀 @Carrotzpc Thank you for raising an issue. We will investigate the matter and get back to you as soon as possible. Please make sure you have given us as much context as possible.

lobehubbot commented 2 months ago

✅ @Carrotzpc
This issue is closed. If you have any questions, you can comment and reply.