修复json()方法可能导致的xss攻击

jqhph · Oct 24, 2024 · 179977d · 179977d
1 parent fc66b3a
commit 179977d
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/Show/Field.php b/src/Show/Field.php
@@ -408,7 +408,13 @@ public function json()
 
         return $this->unescape()->as(function ($value) use ($field) {
             $content = is_string($value) ? json_decode($value, true) : $value;
-
+            if (is_array($content)) {
+                array_walk($content, function (&$v, $k) {
+                    $v = htmlspecialchars($v);
+                });
+            } else {
+                $content = htmlspecialchars($content);
+            }
             $field->wrap(false);
 
             return Dump::make($content);