收紧输入渲染与后台配置权限

app/Http/Controllers/Admin/ChangelogController.php

@@ -174,18 +174,29 @@ class ChangelogController extends Controller
      */
     private function saveChangelogNotification(DevChangelog $log): void
     {
-        $typeLabel = DevChangelog::TYPE_CONFIG[$log->type]['label'] ?? '更新';
-        $url = url('/changelog').'#v'.$log->version;
+        // 广播文案允许保留安全链接，但标题与版本号必须先做 HTML 转义，避免系统消息被拼成恶意标签。
+        $safeTypeLabel = e(DevChangelog::TYPE_CONFIG[$log->type]['label'] ?? '更新');
+        $safeVersion = e((string) $log->version);
+        $safeTitle = e((string) $log->title);
+        $detailUrl = e($this->buildChangelogDetailUrl($log));
 
         SaveMessageJob::dispatch([
             'room_id' => 1,
             'from_user' => '系统公告',
             'to_user' => '大家',
-            'content' => "📢 【版本更新 {$typeLabel}】v{$log->version}《{$log->title}》— <a href=\"{$url}\" target=\"_blank\" class=\"underline\">点击查看详情</a>",
+            'content' => "📢 【版本更新 {$safeTypeLabel}】v{$safeVersion}《{$safeTitle}》— <a href=\"{$detailUrl}\" target=\"_blank\" rel=\"noopener\" class=\"underline\">点击查看详情</a>",
             'is_secret' => false,
             'font_color' => '#7c3aed',
             'action' => '',
             'sent_at' => now()->toIso8601String(),
         ]);
     }
+
+    /**
+     * 生成开发日志详情链接，并对版本片段做 URL 编码，避免广播 href 被注入额外属性。
+     */
+    private function buildChangelogDetailUrl(DevChangelog $log): string
+    {
+        return route('changelog.index').'#v'.rawurlencode((string) $log->version);
+    }
 }