slvccans/ST-Amily2-Chat-Optimisation-SecFix
1
0
Fork 0
mirror of https://github.com/SilenceLurker/ST-Amily2-Chat-Optimisation.git synced 2026-06-06 17:05:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Security Update

Browse Source
This commit is contained in:
SilenceLurker
2025-12-24 22:14:07 +08:00
parent bbaff73f9b
commit e66d7b31cf
2 changed files with 23 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
core/tavern-helper/renderer.js
View File

@@ -565,11 +565,11 @@ function renderHtmlInIframe(htmlContent, container, preElement) {
iframe.setAttribute('frameborder', '0');
iframe.setAttribute('scrolling', 'no');
iframe.loading = 'eager';
if (settings.sandboxMode) {
iframe.setAttribute('sandbox', 'allow-scripts allow-modals');
} else {
iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin allow-forms allow-modals allow-popups');
}
// 始终使用严格的沙箱策略,移除 allow-same-origin 以防止XSS攻击。
// 仅允许脚本、表单、弹窗和模态框。
// allow-popups-to-escape-sandbox 允许弹窗(如新标签页)摆脱沙箱限制,这对于外部链接是必要的。
// allow-downloads 允许文件下载。
iframe.setAttribute('sandbox', 'allow-scripts allow-forms allow-modals allow-popups allow-popups-to-escape-sandbox allow-downloads');
if (needsVh) {
iframe.dataset.needsVh = 'true';