fix(plugin): sanitize version history markdown (#496)

2026-06-22 08:03:45 +08:00 · 2026-06-18 19:30:24 +08:00
parent fdb34732cc
commit b1787b207d
2 changed files with 3 additions and 3 deletions
--- a/src/components/dialog/PluginVersionHistoryDialog.vue
+++ b/src/components/dialog/PluginVersionHistoryDialog.vue
@@ -137,7 +137,7 @@ async function loadPluginHistory() {
 }

 async function loadPluginReleases(plugin: Plugin | null | undefined = resolvedPlugin.value, force = false) {
-  if (!plugin?.id || !plugin?.repo_url || !plugin.release) {
+  if (!plugin?.id || !plugin?.repo_url || !plugin?.release) {
    releaseDetail.value = null
    releaseError.value = ''
    return
--- a/src/components/misc/VersionHistory.vue
+++ b/src/components/misc/VersionHistory.vue
@@ -3,9 +3,9 @@ import type { PropType } from 'vue'
 import MarkdownIt from 'markdown-it'
 import mdLinkAttributes from 'markdown-it-link-attributes'

-// 初始化 markdown-it
+// 版本历史可能来自插件市场或 Release 内容，禁止透传原始 HTML，避免外部内容注入脚本或事件属性。
 const md = new MarkdownIt({
-  html: true,
+  html: false,
  linkify: true,
  typographer: true,
 })