From b1787b207d7e44000ad18e3f78be7dfffd97048b Mon Sep 17 00:00:00 2001
From: InfinityPacer <160988576+InfinityPacer@users.noreply.github.com>
Date: Thu, 18 Jun 2026 19:30:24 +0800
Subject: [PATCH] fix(plugin): sanitize version history markdown (#496)
---
 src/components/dialog/PluginVersionHistoryDialog.vue | 2 +-
 src/components/misc/VersionHistory.vue | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/components/dialog/PluginVersionHistoryDialog.vue b/src/components/dialog/PluginVersionHistoryDialog.vue
index 900fb0e0..0e1bcbf7 100644
--- a/src/components/dialog/PluginVersionHistoryDialog.vue
+++ b/src/components/dialog/PluginVersionHistoryDialog.vue
@@ -137,7 +137,7 @@ async function loadPluginHistory() {
 }
 async function loadPluginReleases(plugin: Plugin | null | undefined = resolvedPlugin.value, force = false) {
- if (!plugin?.id || !plugin?.repo_url || !plugin.release) {
+ if (!plugin?.id || !plugin?.repo_url || !plugin?.release) {
 releaseDetail.value = null
 releaseError.value = ''
 return
diff --git a/src/components/misc/VersionHistory.vue b/src/components/misc/VersionHistory.vue
index c7528d4a..1217691c 100644
--- a/src/components/misc/VersionHistory.vue
+++ b/src/components/misc/VersionHistory.vue
@@ -3,9 +3,9 @@ import type { PropType } from 'vue'
 import MarkdownIt from 'markdown-it'
 import mdLinkAttributes from 'markdown-it-link-attributes'
-// 初始化 markdown-it
+// 版本历史可能来自插件市场或 Release 内容,禁止透传原始 HTML,避免外部内容注入脚本或事件属性。
 const md = new MarkdownIt({
- html: true,
+ html: false,
 linkify: true,
 typographer: true,
 })
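Review bot: In the `VersionHistory.vue` hunk, `html: false` is now the only thing between marketplace or release text and the DOM, and nothing in the code keeps a later plugin or render rule from undoing it. The rendered string is presumably bound with `v-html`, but that binding and the `mdLinkAttributes` options are outside the hunk. I would add a second comment line above `const md`, for example `// Output is bound as HTML: keep html:false and add no plugin or render rule that emits unescaped input.` As defence in depth, consider passing the result of `md.render(...)` through an HTML sanitizer before binding it. It is also worth confirming that the link-attributes options set `rel: 'noopener noreferrer'` wherever they set `target: '_blank'`, since `linkify: true` turns any bare URL in external text into a clickable link.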