1 年之前 · f72d64eb8a
--- a/utils/common.go
+++ b/utils/common.go
@@ -2301,7 +2301,8 @@ func GetColorMap() map[int]string {
 
				 
			
 
				 // 检查src属性是否以http或data:image开头
			
 
				 func isValidSrc(src string) bool {
			
 
				-	validSchemes := regexp.MustCompile(`^(http|https|data:image)/`)
			
 
				+	validSchemes := regexp.MustCompile(`^(http|https|data:image):[\w\./?%&=]*$`)
			
 
				+	fmt.Println(validSchemes.MatchString(src))
			
 
				 	return validSchemes.MatchString(src)
			
 
				 }
			
 
				 
			
@@ -2323,9 +2324,8 @@ func ContentXssFilter(content string) (err error) {
 
				 			case "script", "javascript":
			
 
				 				err = fmt.Errorf(" script is forbidden")
			
 
				 				return
			
 
				-			case "img", "input", "iframe":
			
 
				-				// 查找并过滤src属性
			
 
				-				for _, attr := range n.Attr {
			
 
				+			default:
			
 
				+				for _, attr := range n.Attr { //判断事件
			
 
				 					lowerKey := strings.ToLower(attr.Key)
			
 
				 					if lowerKey == "src" {
			
 
				 						if !isValidSrc(attr.Val) {
			
@@ -2333,10 +2333,6 @@ func ContentXssFilter(content string) (err error) {
 
				 							return
			
 
				 						}
			
 
				 					}
			
 
				-				}
			
 
				-			default:
			
 
				-				for _, attr := range n.Attr { //判断事件
			
 
				-					lowerKey := strings.ToLower(attr.Key)
			
 
				 					if lowerKey == "onmouseover" || lowerKey == "onclick" || lowerKey == "onerror" {
			
 
				 						err = fmt.Errorf("the event is forbidden: %s:%s", attr.Key, attr.Val)
			
 
				 						return