From bed16067a0df0948394d9b4def275cdbf04b3903 Mon Sep 17 00:00:00 2001
From: mutoe
Date: Sat, 26 Jan 2019 09:28:14 +0800
Subject: [PATCH] =?UTF-8?q?fix(SPA):=20=E8=BF=87=E6=BB=A4=20XSS?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 resources/spa/package.json | 3 ++-
 resources/spa/src/filters.js | 17 +++-------------
 2 files changed, 5 insertions(+), 15 deletions(-)

diff --git a/resources/spa/package.json b/resources/spa/package.json
index 8227e78e2..6812e5b5e 100644
--- a/resources/spa/package.json
+++ b/resources/spa/package.json
@@ -32,7 +32,8 @@
 "vue": "^2.5.17",
 "vue-router": "^3.0.1",
 "vuex": "^3.0.1",
- "weixin-js-sdk": "^1.3.3"
+ "weixin-js-sdk": "^1.3.3",
+ "xss": "^1.0.3"
 },
 "devDependencies": {
 "@vue/cli-plugin-babel": "^3.2.0",
diff --git a/resources/spa/src/filters.js b/resources/spa/src/filters.js
index a697033d5..62975c46f 100644
--- a/resources/spa/src/filters.js
+++ b/resources/spa/src/filters.js
@@ -1,4 +1,5 @@
 import plueMessageBundle from 'plus-message-bundle'
+import xss from 'xss'
 
 /**
 * ThinkSNS Plus 消息解析器,获取顶部消息.
@@ -21,20 +22,8 @@ export function plusMessageFirst (message, defaultMessage) {
 * @returns {string}
 */
 export function escapeHTML (value) {
- if (typeof value !== 'string') {
- return value
- }
- return value.replace(/[&<>`"'/]/g, function (result) {
- return {
- '&': '&',
- '<': '<',
- '>': '>',
- '`': '`',
- '"': '"',
- "'": ''',
- '/': '/',
- }[result]
- })
+ const options = {}
+ return xss(value, options)
 }
 
 /**
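Review bot: The rewritten `escapeHTML` in filters.js no longer escapes — `xss(value, options)` with empty options applies the library's default whitelist, so tags and attributes on that whitelist pass through as live markup and only the rest is escaped or stripped, which is a different contract from the removed replace map that turned every `&<>"'/` into an entity; any caller that relied on this filter to show user text literally (a `<b>` typed by a user appearing as text) will now have it rendered. If escaping is still the intent, the replace map should stay; if a sanitized HTML subset is the new intent, the JSDoc above the function (which starts outside the hunk) should say so, e.g. `@returns {string} HTML with non-whitelisted tags and attributes removed`, and the name should arguably follow. The `typeof value !== 'string'` guard was also dropped, so non-string values previously returned untouched now go into `xss()`, which appears to coerce them to a string — worth restoring as `if (typeof value !== 'string') return value` unless every caller passes strings. `const options = {}` is a no-op; `return xss(value)` reads the same and makes it clear the defaults are in force.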