修复json()方法可能导致的xss攻击

PorygonCN · PorygonCN · commit 179977d58ac4 · 2024-10-24T10:24:19.000Z
diff --git a/src/Show/Field.php b/src/Show/Field.php
@@ -408,7 +408,13 @@ public function json()
 
         return $this->unescape()->as(function ($value) use ($field) {
             $content = is_string($value) ? json_decode($value, true) : $value;
-
+            if (is_array($content)) {
+                array_walk($content, function (&$v, $k) {
+                    $v = htmlspecialchars($v);
+                });
+            } else {
+                $content = htmlspecialchars($content);
+            }
             $field->wrap(false);
 
             return Dump::make($content);
