收紧输入渲染与后台配置权限
@@ -174,18 +174,29 @@ class ChangelogController extends Controller
|
||||
*/
|
||||
private function saveChangelogNotification(DevChangelog $log): void
|
||||
{
|
||||
$typeLabel = DevChangelog::TYPE_CONFIG[$log->type]['label'] ?? '更新';
|
||||
$url = url('/changelog').'#v'.$log->version;
|
||||
// 广播文案允许保留安全链接,但标题与版本号必须先做 HTML 转义,避免系统消息被拼成恶意标签。
|
||||
$safeTypeLabel = e(DevChangelog::TYPE_CONFIG[$log->type]['label'] ?? '更新');
|
||||
$safeVersion = e((string) $log->version);
|
||||
$safeTitle = e((string) $log->title);
|
||||
$detailUrl = e($this->buildChangelogDetailUrl($log));
|
||||
|
||||
SaveMessageJob::dispatch([
|
||||
'room_id' => 1,
|
||||
'from_user' => '系统公告',
|
||||
'to_user' => '大家',
|
||||
'content' => "📢 【版本更新 {$typeLabel}】v{$log->version}《{$log->title}》— <a href=\"{$url}\" target=\"_blank\" class=\"underline\">点击查看详情</a>",
|
||||
'content' => "📢 【版本更新 {$safeTypeLabel}】v{$safeVersion}《{$safeTitle}》— <a href=\"{$detailUrl}\" target=\"_blank\" rel=\"noopener\" class=\"underline\">点击查看详情</a>",
|
||||
'is_secret' => false,
|
||||
'font_color' => '#7c3aed',
|
||||
'action' => '',
|
||||
'sent_at' => now()->toIso8601String(),
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* 生成开发日志详情链接,并对版本片段做 URL 编码,避免广播 href 被注入额外属性。
|
||||
*/
|
||||
private function buildChangelogDetailUrl(DevChangelog $log): string
|
||||
{
|
||||
return route('changelog.index').'#v'.rawurlencode((string) $log->version);
|
||||
}
|
||||
}
|
||||
|
||||
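Review bot: The docblock on `buildChangelogDetailUrl` credits `rawurlencode` with preventing attribute injection, but the helper returns a URL that is not HTML-escaped — the attribute-context guard is the `e()` wrapped around the call in `saveChangelogNotification`, so a future caller that interpolates the return value straight into markup would lose it. Stating the contract in the helper keeps the two from drifting, e.g. `* Returns a plain URL with the version fragment percent-encoded; it is NOT HTML-escaped, so callers must still pass it through e() before placing it in an attribute.` The same caveat applies to the `'content'` string, which is stored and presumably rendered as trusted HTML by the chat client, so every other producer of room messages needs equivalent escaping — something this hunk cannot show. The docblock preceding `saveChangelogNotification` begins outside the hunk.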