2.6.28: 修复表单提交XSS漏洞 (#1375)

修复表单提交XSS漏洞
TencentBlueKing · Aug 8, 2024 · 5e6b9d6 · 5e6b9d6
1 parent 22c5294
commit 5e6b9d6
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 10 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.6.27
+2.6.28
diff --git a/app.yml b/app.yml
@@ -5,7 +5,7 @@ author: 蓝鲸智云
 category: 办公应用
 introduction: 流程服务是蓝鲸推出的轻量级ITSM，通过可自定义设计的流程模块，覆盖IT服务中的不同管理活动或应用场景。帮助企业用户规范内部管理流程，提升沟通及管理效率。
 introduction_en: bk_itsm is a lightweight ITSM created by Blueking. It covers different application scenarios in IT services through customizable workflows and help enterprise users to implement standardize IT workflow, improve communication and management efficiency.
-version: 2.6.27
+version: 2.6.28
 language: python
 is_use_celery: True
 is_use_celery_with_gevent: False

diff --git a/app_desc.yaml b/app_desc.yaml
@@ -1,5 +1,5 @@
 spec_version: 2
-app_version: "2.6.27"
+app_version: "2.6.28"
 app:
     region: default
     bk_app_code: bk_itsm

diff --git a/docs/RELEASE.md b/docs/RELEASE.md
@@ -1,8 +1,10 @@
 # Changelog
+## [Version: 2.6.28] - 2024-08-08
+【修复】修复表单提交XSS漏洞
+
 ## [Version: 2.6.27] - 2024-08-07
 【优化】项目初始化时登录为全屏模式  
 【优化】项目标题title规范调整  
-【修复】修复表单提交XSS漏洞
 
 ## [Version: 2.6.26] - 2024-07-22
 【修复】修复接口数值为 0 导致流程异常的问题  

diff --git a/docs/RELEASE_EN.md b/docs/RELEASE_EN.md
@@ -1,8 +1,10 @@
 # Changelog
+## [Version: 2.6.28] - 2024-08-08
+【Fixed】Fix the XSS vulnerability in form submission.
+
 ## [Version: 2.6.27] - 2024-08-07
 【Improved】Login in Full-Screen Mode during Project Initialization  
 【Improved】Project Title Specification Adjustment  
-【Fixed】Fix the XSS vulnerability in form submission.
 
 
 ## [Version: 2.6.26] - 2024-07-22

diff --git a/itsm/ticket/models/ticket.py b/itsm/ticket/models/ticket.py
@@ -45,7 +45,7 @@
 from common.redis import Cache
 from dateutil.relativedelta import relativedelta
 
-from common.utils import texteditor_escape, strip_tags
+from common.utils import texteditor_escape
 from itsm.component.constants import (
     ACTION_CHOICES,
     ACTION_DICT,
@@ -3084,10 +3084,7 @@ def fill_state_fields(self, fields):
             ticket_field.value = fields_map[ticket_field.key]["value"]
             # 针对字符串类型进行 xss 过滤 
             if isinstance(ticket_field.value, str):
-                if ticket_field.type in XSS_FIELD_TYPE:
-                    ticket_field.value = texteditor_escape(ticket_field.value)
-                else:
-                    ticket_field.value = strip_tags(ticket_field.value)
+                ticket_field.value = texteditor_escape(ticket_field.value)
 
             ticket_field.choice = fields_map[ticket_field.key].get("choice", [])
             language_config = (