fix: fixed bug for prompt code format, prevent xss attacks

2025-11-05 08:43:45 +08:00 · 2023-12-07 14:02:13 +08:00
parent 442e411cde
commit 8aec87cc02
6 changed files with 14 additions and 13 deletions
--- a/api/handler/chatimpl/azure_handler.go
+++ b/api/handler/chatimpl/azure_handler.go
@@ -10,6 +10,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"gorm.io/gorm"
+	"html/template"
 	"io"
 	"strings"
 	"time"
@@ -200,7 +201,7 @@ func (h *ChatHandler) sendAzureMessage(
 					RoleId:     role.Id,
 					Type:       types.PromptMsg,
 					Icon:       userVo.Avatar,
-					Content:    prompt,
+					Content:    template.HTMLEscapeString(prompt),
 					Tokens:     promptToken,
 					UseContext: useContext,
 				}
--- a/api/handler/chatimpl/baidu_handler.go
+++ b/api/handler/chatimpl/baidu_handler.go
@@ -9,6 +9,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"html/template"
 	"io"
 	"net/http"
 	"strings"
@@ -156,7 +157,7 @@ func (h *ChatHandler) sendBaiduMessage(
 					RoleId:     role.Id,
 					Type:       types.PromptMsg,
 					Icon:       userVo.Avatar,
-					Content:    prompt,
+					Content:    template.HTMLEscapeString(prompt),
 					Tokens:     promptToken,
 					UseContext: true,
 				}
--- a/api/handler/chatimpl/chatglm_handler.go
+++ b/api/handler/chatimpl/chatglm_handler.go
@@ -10,6 +10,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"github.com/golang-jwt/jwt/v5"
+	"html/template"
 	"io"
 	"strings"
 	"time"
@@ -135,7 +136,7 @@ func (h *ChatHandler) sendChatGLMMessage(
 					RoleId:     role.Id,
 					Type:       types.PromptMsg,
 					Icon:       userVo.Avatar,
-					Content:    prompt,
+					Content:    template.HTMLEscapeString(prompt),
 					Tokens:     promptToken,
 					UseContext: true,
 				}
--- a/api/handler/chatimpl/openai_handler.go
+++ b/api/handler/chatimpl/openai_handler.go
@@ -10,6 +10,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"gorm.io/gorm"
+	"html/template"
 	"io"
 	"strings"
 	"time"
@@ -199,7 +200,7 @@ func (h *ChatHandler) sendOpenAiMessage(
 					RoleId:     role.Id,
 					Type:       types.PromptMsg,
 					Icon:       userVo.Avatar,
-					Content:    prompt,
+					Content:    template.HTMLEscapeString(prompt),
 					Tokens:     promptToken,
 					UseContext: useContext,
 				}
--- a/api/handler/chatimpl/xunfei_handler.go
+++ b/api/handler/chatimpl/xunfei_handler.go
@@ -12,6 +12,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"github.com/gorilla/websocket"
+	"html/template"
 	"io"
 	"net/http"
 	"net/url"
@@ -198,7 +199,7 @@ func (h *ChatHandler) sendXunFeiMessage(
 				RoleId:     role.Id,
 				Type:       types.PromptMsg,
 				Icon:       userVo.Avatar,
-				Content:    prompt,
+				Content:    template.HTMLEscapeString(prompt),
 				Tokens:     promptToken,
 				UseContext: true,
 			}