补充前端状态和安全边界注释

2026-04-25 10:10:47 +08:00
parent 283793bc1c
commit c8bc81f961
5 changed files with 7 additions and 0 deletions
@@ -254,6 +254,7 @@ async function friendAction(action, username, button) {
    setNotice("");

    try {
+        // 用户名进入 URL path 前必须编码，避免特殊字符破坏路径或请求目标。
        const response = await fetch(`/friend/${encodeURIComponent(username)}/${action}`, {
            method: action === "remove" ? "DELETE" : "POST",
            headers: {
@@ -311,6 +312,7 @@ export async function friendSearch() {
    setNotice("正在添加…");

    try {
+        // 搜索输入的用户名同样先做 path 编码，再交由后端做存在性与权限校验。
        const response = await fetch(`/friend/${encodeURIComponent(username)}/add`, {
            method: "POST",
            headers: {