From f01528d4a9bc1471faef82d8953c0f3ed3dfb3de Mon Sep 17 00:00:00 2001
From: harrywan <harrywan@webank.com>
Date: Wed, 16 Oct 2024 16:06:00 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E4=BF=AE=E5=A4=8Dxss=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 packages/fes-plugin-layout/package.json              |  1 +
 .../fes-plugin-layout/src/runtime/helpers/svg.js     |  4 +++-
 .../fes-plugin-layout/src/runtime/views/MenuIcon.vue | 12 +++++++-----
 packages/fes-template/src/app.jsx                    |  2 +-
 pnpm-lock.yaml                                       |  7 +++++++
 5 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/packages/fes-plugin-layout/package.json b/packages/fes-plugin-layout/package.json
index 4b312200..fd9e83dc 100644
--- a/packages/fes-plugin-layout/package.json
+++ b/packages/fes-plugin-layout/package.json
@@ -30,6 +30,7 @@
     "peerDependencies": {
         "@fesjs/fes": "^3.1.13",
         "@fesjs/fes-design": ">=0.7.0",
+        "dompurify": "^3.1.7",
         "vue": "^3.2.47",
         "vue-router": "^4.0.1"
     },
diff --git a/packages/fes-plugin-layout/src/runtime/helpers/svg.js b/packages/fes-plugin-layout/src/runtime/helpers/svg.js
index 54ea0491..e2109569 100644
--- a/packages/fes-plugin-layout/src/runtime/helpers/svg.js
+++ b/packages/fes-plugin-layout/src/runtime/helpers/svg.js
@@ -1,3 +1,5 @@
+import DOMPurify from 'dompurify';
+
 const isStr = function (str) {
     return typeof str === 'string';
 };
@@ -26,7 +28,7 @@ export function isValid(elm) {
 
 export function validateContent(svgContent) {
     const div = document.createElement('div');
-    div.innerHTML = svgContent;
+    div.innerHTML = DOMPurify.sanitize(svgContent);
 
     // setup this way to ensure it works on our buddy IE
     for (let i = div.childNodes.length - 1; i >= 0; i--) {
diff --git a/packages/fes-plugin-layout/src/runtime/views/MenuIcon.vue b/packages/fes-plugin-layout/src/runtime/views/MenuIcon.vue
index eef3800c..a6320418 100644
--- a/packages/fes-plugin-layout/src/runtime/views/MenuIcon.vue
+++ b/packages/fes-plugin-layout/src/runtime/views/MenuIcon.vue
@@ -1,11 +1,11 @@
 <script lang="jsx">
-import { ref, onBeforeMount, isVNode } from 'vue';
-// eslint-disable-next-line import/extensions
+import { isVNode, onBeforeMount, ref } from 'vue';
+
 import Icons from '../icons';
 import { validateContent } from '../helpers/svg';
 
 const urlReg = /^((https?|ftp|file):\/\/)?([\da-z.-]+)\.([a-z.]{2,6})([/\w .-]*)*\/?$/;
-const isUrlResource = (name) => urlReg.test(name) || name.includes('.svg');
+const isUrlResource = name => urlReg.test(name) || name.includes('.svg');
 
 export default {
     props: {
@@ -25,7 +25,8 @@ export default {
                             });
                         }
                     });
-                } else {
+                }
+                else {
                     AIconComponent.value = Icons[props.icon];
                 }
             }
@@ -39,13 +40,14 @@ export default {
                 return <AIconComponent.value />;
             }
             if (AText.value) {
-                return <span class={'fes-layout-icon'} innerHTML={AText.value}></span>;
+                return <span class="fes-layout-icon" innerHTML={AText.value}></span>;
             }
             return null;
         };
     },
 };
 </script>
+
 <style>
 .fes-layout-icon {
     display: inline-block;
diff --git a/packages/fes-template/src/app.jsx b/packages/fes-template/src/app.jsx
index e298ca39..9e7ee8b2 100644
--- a/packages/fes-template/src/app.jsx
+++ b/packages/fes-template/src/app.jsx
@@ -9,7 +9,7 @@ export const beforeRender = {
         const { setRole, getRole } = accessApi;
         return new Promise((resolve) => {
             setTimeout(() => {
-                setRole('menuTest');
+                setRole('admin');
                 resolve({
                     userName: '李雷',
                 });
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index dc0afd76..30c6ce01 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -441,6 +441,9 @@ importers:
       '@vueuse/core':
         specifier: ^10.7.0
         version: 10.7.0(vue@3.3.4)
+      dompurify:
+        specifier: ^3.1.7
+        version: 3.1.7
       vue:
         specifier: ^3.2.47
         version: 3.3.4
@@ -6980,6 +6983,10 @@ packages:
       domelementtype: 2.3.0
     dev: false
 
+  /dompurify@3.1.7:
+    resolution: {integrity: sha512-VaTstWtsneJY8xzy7DekmYWEOZcmzIe3Qb3zPd4STve1OBTa+e+WmS1ITQec1fZYXI3HCsOZZiSMpG6oxoWMWQ==}
+    dev: false
+
   /domutils@2.8.0:
     resolution: {integrity: sha512-w96Cjofp72M5IIhpjgobBimYEfoPjx1Vx0BSX9P30WBdZW2WIKU0T1Bd0kz2eNZ9ikjKgHbEyKx8BB6H1L3h3A==}
     dependencies: