fix: 使用v-html模板语法时添加安全预防 --bug=119961524

# Reviewed, transaction id: 20003

Author: ywywZhou

frontend/desktop/package.json

@@ -43,7 +43,8 @@
     "vue-router": "^3.0.1",
     "vuedraggable": "^2.16.0",
     "vuex": "^3.0.1",
-    "xlsx": "^0.15.1"
+    "xlsx": "^0.15.1",
+    "xss": "^1.0.15"
   },
   "devDependencies": {
     "@babel/core": "^7.4.5",

frontend/desktop/src/components/common/modal/ErrorCodeModal.vue

@@ -28,7 +28,7 @@
             <ErrorCode406 v-if="code === 406"></ErrorCode406>
             <ErrorCode407 v-if="code === 407"></ErrorCode407>
             <ErrorCode500 v-if="code === 500" :response-text="responseText"></ErrorCode500>
-            <div class="default-modal" v-if="code === 'default'" v-html="responseText"></div>
+            <div class="default-modal" v-if="code === 'default'" v-html="filterXSS(responseText)"></div>
         </div>
     </bk-dialog>
 </template>

frontend/desktop/src/main.js

@@ -12,6 +12,7 @@
 import './public-path.js'
 import Vue from 'vue'
 import VeeValidate, { Validator } from 'vee-validate'
+import filterXSS from 'xss'
 import router from './routers/index.js'
 import store from './store/index.js'
 import './directives/index.js'
@@ -211,6 +212,12 @@ Validator.localize({
     }
 })
 
+Vue.prototype.filterXSS = input => filterXSS(input, {
+    whiteList: {
+        a: ['href']
+    }
+})
+
 new Vue({
     i18n,
     router,

frontend/desktop/src/pages/task/PeriodicList/BootRecordDialog.vue

@@ -150,7 +150,14 @@
                     return ''
                 }
                 if (typeof data === 'string') {
-                    const info = data.replace(/\n/g, '<br>')
+                    // 只渲染a标签，不过滤换行
+                    let info = data.replace(/\n/g, '<br>')
+                    info = this.filterXSS(info, {
+                        whiteList: {
+                            a: ['href'],
+                            br: []
+                        }
+                    })
                     return info
                 } else {
                     return data

frontend/desktop/src/pages/task/TaskExecute/ExecuteInfo.vue

@@ -1009,7 +1009,14 @@
                     return ''
                 }
                 if (typeof data === 'string') {
-                    const info = data.replace(/\n/g, '<br>')
+                    // 只渲染a标签，不过滤换行
+                    let info = data.replace(/\n/g, '<br>')
+                    info = this.filterXSS(info, {
+                        whiteList: {
+                            a: ['href'],
+                            br: []
+                        }
+                    })
                     return info
                 } else {
                     return data

frontend/desktop/src/pages/task/TaskExecute/ExecuteInfo/OutputParams.vue

@@ -113,11 +113,11 @@
                 if (output.value === 'undefined' || output.value === '') {
                     return '--'
                 } else if (!output.preset && this.nodeDetailConfig.component_code === 'job_execute_task') {
-                    return output.value
+                    return this.filterXSS(JSON.stringify(output.value))
                 } else if (Array.isArray(output.value)) {
                     if (!output.value.length) return '--'
                     return output.value.reduce((acc, cur) => {
-                        let str = cur
+                        let str = this.filterXSS(cur)
                         if (this.isUrl(cur)) {
                             str = `<a style="color: #3a84ff; word-break: break-all;" target="_blank" href="${cur}">${cur}</a>`
                         }
@@ -128,7 +128,7 @@
                     if (this.isUrl(output.value)) {
                         return `<a style="color: #3a84ff; word-break: break-all;" target="_blank" href="${output.value}">${output.value}</a>`
                     }
-                    return output.value
+                    return this.filterXSS(JSON.stringify(output.value))
                 }
             }
         }