修复安全边界问题
@@ -14,6 +14,12 @@
|
||||
(function () {
|
||||
const savedTheme = localStorage.getItem('theme');
|
||||
const settings = window.SITE_SETTINGS || {};
|
||||
const sanitizeAssetUrl = (url) => {
|
||||
if (!url || typeof url !== 'string') return null;
|
||||
const trimmed = url.trim();
|
||||
if (!trimmed) return null;
|
||||
return /^(https?:|data:image\/|\/)/i.test(trimmed) ? trimmed : null;
|
||||
};
|
||||
const defaultTheme = settings.default_theme || 'dark';
|
||||
let theme = savedTheme || defaultTheme;
|
||||
|
||||
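Review bot: The `\/` alternative in the allow-list on the `return` line of `sanitizeAssetUrl` also accepts protocol-relative values such as `//other-host/path`, so a value that looks like a site-local path can still pull an asset from a foreign origin. If slash-prefixed values are meant to be same-origin only, exclude a second slash: `return /^(https?:|data:image\/|\/(?!\/))/i.test(trimmed) ? trimmed : null;`. The `data:image\/` branch also lets `data:image/svg+xml` through; script inside an SVG is not executed when it is loaded via `<img src>` or a favicon `<link href>`, so that is acceptable for these two uses but deserves a comment such as `// scheme allow-list only (blocks javascript:/vbscript:/non-image data:) — not full URL validation`. The enclosing IIFE opened at `(function () {` continues past this hunk.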
@@ -30,9 +36,10 @@
|
||||
document.title = settings.page_name;
|
||||
}
|
||||
|
||||
if (settings.favicon_url) {
|
||||
const safeFaviconUrl = sanitizeAssetUrl(settings.favicon_url);
|
||||
if (safeFaviconUrl) {
|
||||
const link = document.getElementById('siteFavicon');
|
||||
if (link) link.href = settings.favicon_url;
|
||||
if (link) link.href = safeFaviconUrl;
|
||||
}
|
||||
|
||||
// Advanced Anti-Flicker: Wait for header elements to appear
|
||||
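Review bot: The outer `if (settings.favicon_url) {` guard is now redundant, because `sanitizeAssetUrl` already returns `null` for a missing or empty value; collapsing it to `const safeFaviconUrl = sanitizeAssetUrl(settings.favicon_url); if (safeFaviconUrl) { ... }` removes a level of nesting and one closing brace to keep track of. In the rendered hunk only one `}` is visible after the nested `if (safeFaviconUrl) {` before the anti-flicker comment, so the outer `if` appears unclosed; this may be a rendering artifact (the hunk's line counts do not reconcile with the visible lines), but it is worth confirming the file still parses. The enclosing block starts before this hunk.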
@@ -51,9 +58,13 @@
|
||||
|
||||
if (logoIcon) {
|
||||
const actualTheme = document.documentElement.classList.contains('light-theme') ? 'light' : 'dark';
|
||||
const logoToUse = (actualTheme === 'dark' && settings.logo_url_dark) ? settings.logo_url_dark : (settings.logo_url || null);
|
||||
const logoToUse = sanitizeAssetUrl((actualTheme === 'dark' && settings.logo_url_dark) ? settings.logo_url_dark : (settings.logo_url || null));
|
||||
if (logoToUse) {
|
||||
logoIcon.innerHTML = '<img src="' + logoToUse + '" alt="Logo" class="logo-icon-img">';
|
||||
const img = document.createElement('img');
|
||||
img.src = logoToUse;
|
||||
img.alt = 'Logo';
|
||||
img.className = 'logo-icon-img';
|
||||
logoIcon.replaceChildren(img);
|
||||
} else {
|
||||
// Only if we REALLY have no logo URL, we show the default SVG fallback
|
||||
// (But since it's already in HTML, we just don't touch it or we show it if we hid it)
|
||||
|
||||
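Review bot: A `logo_url_dark` value that fails `sanitizeAssetUrl` now makes the whole expression on the `const logoToUse` line `null`, so the page drops to the built-in SVG instead of to `logo_url`, which the previous fallback chain would have used. Sanitize each candidate separately so a rejected dark logo still degrades to the ordinary one: `const logoToUse = (actualTheme === 'dark' ? sanitizeAssetUrl(settings.logo_url_dark) : null) || sanitizeAssetUrl(settings.logo_url);`. Replacing the `innerHTML` string build with `createElement` is the right fix for the injection path; `replaceChildren` is newer than the rest of the syntax in this file, so if older browsers are in scope, `logoIcon.textContent = ''; logoIcon.appendChild(img);` is the equivalent. The `if (logoIcon)` block and its `else` branch continue past the end of this hunk.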