diff --git a/packages/fes-plugin-layout/package.json b/packages/fes-plugin-layout/package.json
index 4b312200..fd9e83dc 100644
--- a/packages/fes-plugin-layout/package.json
+++ b/packages/fes-plugin-layout/package.json
@@ -30,6 +30,7 @@
     "peerDependencies": {
         "@fesjs/fes": "^3.1.13",
         "@fesjs/fes-design": ">=0.7.0",
+        "dompurify": "^3.1.7",
         "vue": "^3.2.47",
         "vue-router": "^4.0.1"
     },
diff --git a/packages/fes-plugin-layout/src/runtime/helpers/svg.js b/packages/fes-plugin-layout/src/runtime/helpers/svg.js
index 54ea0491..e2109569 100644
--- a/packages/fes-plugin-layout/src/runtime/helpers/svg.js
+++ b/packages/fes-plugin-layout/src/runtime/helpers/svg.js
@@ -1,3 +1,5 @@
+import DOMPurify from 'dompurify';
+
 const isStr = function (str) {
     return typeof str === 'string';
 };
@@ -26,7 +28,7 @@ export function isValid(elm) {
 
 export function validateContent(svgContent) {
     const div = document.createElement('div');
-    div.innerHTML = svgContent;
+    div.innerHTML = DOMPurify.sanitize(svgContent);
 
     // setup this way to ensure it works on our buddy IE
     for (let i = div.childNodes.length - 1; i >= 0; i--) {
diff --git a/packages/fes-plugin-layout/src/runtime/views/MenuIcon.vue b/packages/fes-plugin-layout/src/runtime/views/MenuIcon.vue
index eef3800c..a6320418 100644
--- a/packages/fes-plugin-layout/src/runtime/views/MenuIcon.vue
+++ b/packages/fes-plugin-layout/src/runtime/views/MenuIcon.vue
@@ -1,11 +1,11 @@
 <script lang="jsx">
-import { ref, onBeforeMount, isVNode } from 'vue';
-// eslint-disable-next-line import/extensions
+import { isVNode, onBeforeMount, ref } from 'vue';
+
 import Icons from '../icons';
 import { validateContent } from '../helpers/svg';
 
 const urlReg = /^((https?|ftp|file):\/\/)?([\da-z.-]+)\.([a-z.]{2,6})([/\w .-]*)*\/?$/;
-const isUrlResource = (name) => urlReg.test(name) || name.includes('.svg');
+const isUrlResource = name => urlReg.test(name) || name.includes('.svg');
 
 export default {
     props: {
@@ -25,7 +25,8 @@ export default {
                             });
                         }
                     });
-                } else {
+                }
+                else {
                     AIconComponent.value = Icons[props.icon];
                 }
             }
@@ -39,13 +40,14 @@ export default {
                 return <AIconComponent.value />;
             }
             if (AText.value) {
-                return <span class={'fes-layout-icon'} innerHTML={AText.value}></span>;
+                return <span class="fes-layout-icon" innerHTML={AText.value}></span>;
             }
             return null;
         };
     },
 };
 </script>
+
 <style>
 .fes-layout-icon {
     display: inline-block;
diff --git a/packages/fes-template/src/app.jsx b/packages/fes-template/src/app.jsx
index e298ca39..9e7ee8b2 100644
--- a/packages/fes-template/src/app.jsx
+++ b/packages/fes-template/src/app.jsx
@@ -9,7 +9,7 @@ export const beforeRender = {
         const { setRole, getRole } = accessApi;
         return new Promise((resolve) => {
             setTimeout(() => {
-                setRole('menuTest');
+                setRole('admin');
                 resolve({
                     userName: '李雷',
                 });
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index dc0afd76..30c6ce01 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -441,6 +441,9 @@ importers:
       '@vueuse/core':
         specifier: ^10.7.0
         version: 10.7.0(vue@3.3.4)
+      dompurify:
+        specifier: ^3.1.7
+        version: 3.1.7
       vue:
         specifier: ^3.2.47
         version: 3.3.4
@@ -6980,6 +6983,10 @@ packages:
       domelementtype: 2.3.0
     dev: false
 
+  /dompurify@3.1.7:
+    resolution: {integrity: sha512-VaTstWtsneJY8xzy7DekmYWEOZcmzIe3Qb3zPd4STve1OBTa+e+WmS1ITQec1fZYXI3HCsOZZiSMpG6oxoWMWQ==}
+    dev: false
+
   /domutils@2.8.0:
     resolution: {integrity: sha512-w96Cjofp72M5IIhpjgobBimYEfoPjx1Vx0BSX9P30WBdZW2WIKU0T1Bd0kz2eNZ9ikjKgHbEyKx8BB6H1L3h3A==}
     dependencies: