fix: tooltips组件XSS问题统一处理

# Reviewed, transaction id: 19262
TencentBlueKing · Sep 24, 2024 · e9d789c · e9d789c
1 parent a6dd2b1
commit e9d789c
Show file tree

Hide file tree

Showing 36 changed files with 59 additions and 42 deletions.
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
@@ -7,6 +7,7 @@
 【修复】公共API文件导出实现方式修改  
 【修复】修复单据列表在非首页搜索报错的问题  
 【修复】任务模板编辑点击上一步返回路径优化  
+【修复】tooltips组件XSS问题修复  
 
 ## [Version: 2.6.30] - 2024-08-15
 【修复】项目初始化时登录后重定向url异常修复

diff --git a/docs/RELEASE_EN.md b/docs/RELEASE_EN.md
@@ -6,6 +6,7 @@
 【Fixed】Modified the implementation method for exporting common API files.  
 【Fixed】Fixed the issue where searching on the document list in non-home pages resulted in an error.  
 【Fixed】Optimized the return path when clicking ‘Previous’ during task template editing.  
+【Fixed】Fixed XSS vulnerability in tooltips component.  
 
 ## [Version: 2.6.30] - 2024-08-15
 【Fixed】Fixed the URL Redirection Issue after Login during Project Initialization

diff --git a/frontend/pc/src/components/renderview/tags/TagText.vue b/frontend/pc/src/components/renderview/tags/TagText.vue
@@ -27,15 +27,15 @@
       <p class="text-block" v-for="(item, index) in value" :key="index">
         <label v-if="item.label" class="label">
           {{ item.label }}
-          <i v-if="item.desc || desc" v-bk-tooltips="item.desc || desc" class="bk-itsm-icon icon-itsm-icon-help"></i>
+          <i v-if="item.desc || desc" v-bk-tooltips="{ content: item.desc || desc, allowHtml: false }" class="bk-itsm-icon icon-itsm-icon-help"></i>
         </label>
         <span class="value">{{ item.value }}</span>
       </p>
     </div>
     <p v-else>
       <label v-if="label" class="label">
         {{ label }}
-        <i v-if="desc" v-bk-tooltips="desc" class="bk-itsm-icon icon-itsm-icon-help"></i>
+        <i v-if="desc" v-bk-tooltips="{ content: desc, allowHtml: false }" class="bk-itsm-icon icon-itsm-icon-help"></i>
       </label>
       <span class="value">{{ value }}</span>
     </p>

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/cascade.vue b/frontend/pc/src/views/commonComponent/fieldComponent/cascade.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <bk-select searchable
         v-model="firstInfo"
         :font-size="'medium'"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/checkbox.vue b/frontend/pc/src/views/commonComponent/fieldComponent/checkbox.vue
@@ -24,7 +24,7 @@
   <div v-if="item.showFeild && !loading">
     <bk-form-item :label="item.name"
       :required="item.validate_type === 'REQUIRE'"
-      :desc="item.tips"
+      :desc="{ content: item.tips, allowHTML: false }"
       :ext-cls="'bk-line-height'"
       desc-type="icon">
       <bk-checkbox-group :ref="item.key" :value="selects" @change="selected">

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/complexMembers.vue b/frontend/pc/src/views/commonComponent/fieldComponent/complexMembers.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <!-- 一级处理人 -->
       <div class="bk-form-width">
         <bk-select v-model="formData.levelOne"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/customForm.vue b/frontend/pc/src/views/commonComponent/fieldComponent/customForm.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <p style="color: #c4c6cc;" class="mt5 mb0 f12" slot="tip" v-if="item.type === 'CUSTOM-FORM'">{{$t('m["当前字段为自定义表单"]')}}</p>
       <render-view
         :form-data="formData"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/customtable.vue b/frontend/pc/src/views/commonComponent/fieldComponent/customtable.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <bk-table
         :data="item.val"
         :size="'small'">

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/date.vue b/frontend/pc/src/views/commonComponent/fieldComponent/date.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <bk-date-picker :class="{ 'bk-border-error': item.checkValue }"
         v-model="item.val"
         :placeholder="$t(`m.newCommon['选择日期']`)"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/datetime.vue b/frontend/pc/src/views/commonComponent/fieldComponent/datetime.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <bk-date-picker :class="{ 'bk-border-error': item.checkValue }"
         v-model="item.val"
         :type="'datetime'"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/editor.vue b/frontend/pc/src/views/commonComponent/fieldComponent/editor.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" style="font-size: 0" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" style="font-size: 0" desc-type="icon">
       <rich-text-editor
         v-model="item.val"
         :full-title="item.name"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/file.vue b/frontend/pc/src/views/commonComponent/fieldComponent/file.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <div style="position: relative;">
         <div class="bk-form-content" style="position: relative;">
           <custom-upload

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/inputSelect.vue b/frontend/pc/src/views/commonComponent/fieldComponent/inputSelect.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <bk-select :class="{ 'bk-border-error': item.checkValue }"
         searchable
         v-model="item.val"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/int.vue b/frontend/pc/src/views/commonComponent/fieldComponent/int.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" class="bk-form-int" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" class="bk-form-int" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <bk-input :class="{ 'bk-border-error': item.checkValue }"
         :clearable="true"
         type="number"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/link.vue b/frontend/pc/src/views/commonComponent/fieldComponent/link.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <bk-input :class="{ 'bk-border-error': item.checkValue }"
         v-model="item.val"
         :maxlength="120"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/member.vue b/frontend/pc/src/views/commonComponent/fieldComponent/member.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild" class="member-field">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :ext-cls="'bk-ext-item'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :ext-cls="'bk-ext-item'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <div @click="item.checkValue = false" class="member-form-item">
         <member-select :class="{ 'bk-border-error': item.checkValue }"
           v-model="selectedItems"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/members.vue b/frontend/pc/src/views/commonComponent/fieldComponent/members.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :ext-cls="'bk-ext-item'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :ext-cls="'bk-ext-item'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <div @click="item.checkValue = false" class="member-form-item">
         <member-select :class="{ 'bk-border-error': item.checkValue }"
           v-model="selectedItems"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/multiselect.vue b/frontend/pc/src/views/commonComponent/fieldComponent/multiselect.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <bk-select :class="{ 'bk-border-error': item.checkValue }"
         :disabled="(item.is_readonly && !isCurrent) || disabled"
         searchable

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/radio.vue b/frontend/pc/src/views/commonComponent/fieldComponent/radio.vue
@@ -24,7 +24,7 @@
   <div v-if="item.showFeild">
     <bk-form-item :label="item.name"
       :required="item.validate_type === 'REQUIRE'"
-      :desc="item.tips"
+      :desc="{ content: item.tips, allowHTML: false }"
       :ext-cls="'bk-line-height'"
       desc-type="icon">
       <bk-radio-group v-model="item.val" @change="item.checkValue = false">

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/select.vue b/frontend/pc/src/views/commonComponent/fieldComponent/select.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <bk-select :class="{ 'bk-border-error': item.checkValue }"
         searchable
         v-model="item.val"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/sopsTemplate.vue b/frontend/pc/src/views/commonComponent/fieldComponent/sopsTemplate.vue
@@ -38,7 +38,7 @@
         </bk-form-item>
         <bk-form-item :label="item.name" v-if="item.sopsContent.createWay === 'template'"
           :required="item.validate_type === 'REQUIRE'"
-          :desc="item.tips"
+          :desc="{ content: item.tips, allowHTML: false }"
           :ext-cls="'bk-line-height'"
           :property="'id'"
           :error-display-type="'normal'">

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/string.vue b/frontend/pc/src/views/commonComponent/fieldComponent/string.vue
@@ -24,7 +24,7 @@
   <div v-if="item.showFeild">
     <bk-form-item :label="item.name"
       :required="item.validate_type === 'REQUIRE'"
-      :desc="item.tips"
+      :desc="{ content: item.tips, allowHTML: false }"
       desc-type="icon">
       <bk-input :class="{ 'bk-border-error': item.checkValue }"
         v-model="item.val"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/table.vue b/frontend/pc/src/views/commonComponent/fieldComponent/table.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <bk-table :data="item.val"
         :size="'small'">
         <template v-for="title in item.choice">

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/text.vue b/frontend/pc/src/views/commonComponent/fieldComponent/text.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <bk-input :class="{ 'bk-border-error': item.checkValue }"
         :placeholder="item.desc"
         :type="'textarea'"

diff --git a/frontend/pc/src/views/commonComponent/fieldComponent/tree.vue b/frontend/pc/src/views/commonComponent/fieldComponent/tree.vue
@@ -22,7 +22,7 @@
 
 <template>
   <div v-if="item.showFeild">
-    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="item.tips" desc-type="icon">
+    <bk-form-item :label="item.name" :required="item.validate_type === 'REQUIRE'" :desc="{ content: item.tips, allowHTML: false }" desc-type="icon">
       <div class="bk-search-tree bk-form-width"
         :class="{ 'bk-border-error': item.checkValue }"
         v-bk-clickoutside="closeTree">

diff --git a/frontend/pc/src/views/operation/components/tableChart.vue b/frontend/pc/src/views/operation/components/tableChart.vue
@@ -52,7 +52,8 @@
               v-bk-tooltips="{
                 content: props.row.organization_full,
                 position: 'top',
-                theme: 'light'
+                theme: 'light',
+                allowHTML: false
               }">
               {{ props.row.organization }}
             </span>

diff --git a/frontend/pc/src/views/processManagement/processDesign/nodeConfigue/ApprovalNode.vue b/frontend/pc/src/views/processManagement/processDesign/nodeConfigue/ApprovalNode.vue
@@ -385,6 +385,7 @@
             disabled: true,
             content: '',
             placements: ['top'],
+            allowHTML: false,
           },
         },
         emptyExpression: {
@@ -401,6 +402,7 @@
             disabled: false,
             content: this.$t('m.treeinfo[\'请先选择条件\']'),
             placements: ['top'],
+            allowHTML: false,
           },
         },
         isShowSignSwitch: false,

diff --git a/frontend/pc/src/views/processManagement/processDesign/nodeConfigue/addField/index.vue b/frontend/pc/src/views/processManagement/processDesign/nodeConfigue/addField/index.vue
@@ -339,7 +339,7 @@
             @change="$emit('change')">
           </textarea>
           <p class="bk-label-tips">
-            <span v-bk-tooltips.top="(formInfo.tips || $t(`m.treeinfo['字段释疑填填看哦']`))">
+            <span v-bk-tooltips.top="{ content: (formInfo.tips || $t(`m.treeinfo['字段释疑填填看哦']`)), allowHTML: false }">
               {{ $t('m.treeinfo["效果预览"]') }}
             </span>
           </p>

diff --git a/frontend/pc/src/views/processManagement/processDesign/nodeConfigue/signNode.vue b/frontend/pc/src/views/processManagement/processDesign/nodeConfigue/signNode.vue
@@ -58,15 +58,15 @@
         </bk-form-item>
       </bk-form>
     </basic-card>
-    
+
     <basic-card class="mt20" :card-label="$t(`m.treeinfo['字段配置']`)">
       <field-config
         ref="field"
         :flow-info="flowInfo"
         :configur="configur">
       </field-config>
     </basic-card>
-        
+
     <basic-card
       class="mt20"
       v-bkloading="{ isLoading: getConditionFlag }"
@@ -263,6 +263,7 @@
             disabled: true,
             content: '',
             placements: ['top'],
+            allowHTML: false,
           },
         },
         emptyExpression: {
@@ -279,6 +280,7 @@
             disabled: false,
             content: this.$t('m.treeinfo[\'请先选择条件\']'),
             placements: ['top'],
+            allowHTML: false,
           },
         },
         nodeInfoRule: {
@@ -347,6 +349,7 @@
                 disabled: true,
                 content: '',
                 placements: ['top'],
+                allowHTML: false,
               };
               return { ...expression, tooltipInfo };
             });

diff --git a/frontend/pc/src/views/service/editService/flowCanvas/NodeTemplate.vue b/frontend/pc/src/views/service/editService/flowCanvas/NodeTemplate.vue
@@ -33,6 +33,7 @@
     v-bk-tooltips="{
       placement: 'auto',
       content: node.name,
+      allowHTML: false,
       theme: 'light'
     }">
     <div v-if="node.type === 'START'" class="startpoint" data-test-id="startNode">

diff --git a/frontend/pc/src/views/ticket/details/comment/commentItem.vue b/frontend/pc/src/views/ticket/details/comment/commentItem.vue
@@ -11,7 +11,8 @@
         v-if="curComment.update_log.length"
         v-bk-tooltips="{
           placement: 'top-start',
-          content: curComment.update_log
+          content: curComment.update_log,
+          allowHTML: false
         }"
         class="edited">
         <span>{{ $t('m["已被编辑"]') }}</span>

diff --git a/frontend/pc/src/views/ticket/details/currentSteps/nodetask/NodeTaskList.vue b/frontend/pc/src/views/ticket/details/currentSteps/nodetask/NodeTaskList.vue
@@ -114,7 +114,7 @@
         <bk-table-column :label="$t(`m.task['任务名称']`)">
           <template slot-scope="props">
             <span
-              v-bk-tooltips.top="props.row.name"
+              v-bk-tooltips.top="{ content: props.row.name, allowHTML: false }"
               class="task-name"
             >
               {{ props.row.name || "--" }}
@@ -123,14 +123,14 @@
         </bk-table-column>
         <bk-table-column :label="$t(`m.task['处理人']`)">
           <template slot-scope="props">
-            <span v-bk-tooltips.top="props.row.processor_users">
+            <span v-bk-tooltips.top="{ content: props.row.processor_users, allowHTML: false }">
               {{ props.row.processor_users || "--" }}
             </span>
           </template>
         </bk-table-column>
         <bk-table-column :label="$t(`m.task['任务类型']`)">
           <template slot-scope="props">
-            <span v-bk-tooltips.top="props.row.processor_users">
+            <span v-bk-tooltips.top="{ content: props.row.processor_users, allowHTML: false }">
               {{
                 getTaskTypeName(props.row.component_type) ||
                   "--"

diff --git a/frontend/pc/src/views/ticket/details/nodeInfo/signNodeInfo.vue b/frontend/pc/src/views/ticket/details/nodeInfo/signNodeInfo.vue
@@ -28,7 +28,7 @@
           <template v-slot:header="{ item }">
             <div class="bk-timeline-user-header">
               <span class="bk-inline-block bk-default-width"
-                v-bk-tooltips.top="item.message">{{ item.message}}</span>
+                v-bk-tooltips.top="{ content: item.message, allowHTML: false }">{{ item.message}}</span>
               <span class="bk-inline-block button" v-if="item.tag !== 'processors'">
                 <span class="bk-inline-block isOn auto" @click="item.showMore = !item.showMore"
                   v-if="!item.showMore">{{ $t('m.newCommon["展开"]') }}

diff --git a/frontend/pc/src/views/ticket/details/rightTicketTabs/AllTaskTab.vue b/frontend/pc/src/views/ticket/details/rightTicketTabs/AllTaskTab.vue
@@ -34,21 +34,21 @@
       </bk-table-column>
       <bk-table-column :label="$t(`m.task['任务名称']`)" :render-header="$renderHeader" :show-overflow-tooltip="true">
         <template slot-scope="props">
-          <span v-bk-tooltips.top="props.row.name" class="task-name">
+          <span v-bk-tooltips.top="{ content: props.row.name, allowHTML: false }" class="task-name">
             {{ props.row.name || "--" }}
           </span>
         </template>
       </bk-table-column>
       <bk-table-column :label="$t(`m.task['处理人']`)" :render-header="$renderHeader" :show-overflow-tooltip="true">
         <template slot-scope="props">
-          <span v-bk-tooltips.top="props.row.processor_users">{{
+          <span v-bk-tooltips.top="{ content: props.row.processor_users, allowHTML: false }">{{
             props.row.processor_users || "--"
           }}</span>
         </template>
       </bk-table-column>
       <bk-table-column :label="$t(`m.task['任务类型']`)" :render-header="$renderHeader" :show-overflow-tooltip="true">
         <template slot-scope="props">
-          <span v-bk-tooltips.top="props.row.processor_users">{{
+          <span v-bk-tooltips.top="{ content: props.row.processor_users, allowHTML: false }">{{
             getTaskTypeName(props.row.component_type) || "--"
           }}</span>
         </template>