From 3b682767764860e830efaee50481b515efcfefc5 Mon Sep 17 00:00:00 2001
From: Codex Security Bot
Date: Sun, 8 Mar 2026 07:59:46 +0000
Subject: [PATCH] security: remove unsafe html rendering in notice and metadata views
---
 .../cmdb/views/ci/modules/MetadataDrawer.vue | 18 +++---------------
 cmdb-ui/src/views/noticeCenter/index.vue | 2 +-
 2 files changed, 4 insertions(+), 16 deletions(-)
diff --git a/cmdb-ui/src/modules/cmdb/views/ci/modules/MetadataDrawer.vue b/cmdb-ui/src/modules/cmdb/views/ci/modules/MetadataDrawer.vue
index 709555e7..217de09b 100644
--- a/cmdb-ui/src/modules/cmdb/views/ci/modules/MetadataDrawer.vue
+++ b/cmdb-ui/src/modules/cmdb/views/ci/modules/MetadataDrawer.vue
@@ -56,14 +56,13 @@ { label: $t('no'), value: false }, ] " - type="html" >
@@ -196,9 +195,8 @@ export default {
 .trim()
 .toLowerCase()
 if (filterName) {
- const filterRE = new RegExp(filterName, 'gi')
 const searchProps = ['name', 'alias', 'value_type']
- const rest = this.tableData.filter((item) =>
+ this.list = this.tableData.filter((item) =>
 searchProps.some(
 (key) =>
 XEUtils.toValueString(item[key])
@@ -206,16 +204,6 @@ export default {
 .indexOf(filterName) > -1
 )
 )
- this.list = rest.map((row) => {
- const item = Object.assign({}, row)
- searchProps.forEach((key) => {
- item[key] = XEUtils.toValueString(item[key]).replace(
- filterRE,
- (match) => `${match}`
- )
- })
- return item
- })
 } else {
 this.list = this.tableData
 }
diff --git a/cmdb-ui/src/views/noticeCenter/index.vue b/cmdb-ui/src/views/noticeCenter/index.vue
index 28c15279..a7b211e7 100644
--- a/cmdb-ui/src/views/noticeCenter/index.vue
+++ b/cmdb-ui/src/views/noticeCenter/index.vue
@@ -85,7 +85,7 @@
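Review bot: In `MetadataDrawer.vue`, the `if (filterName)` branch (hunks at -196 and -206) now assigns the filtered rows to `this.list` unmodified, but nothing in the new code records why the match highlighting was dropped, so a later change could bring back string-built markup together with `type="html"` on the column. I would add a comment above the assignment such as `// rows are rendered as plain text; never wrap matches in markup here, name/alias/value_type are not trusted as HTML` (the trust level of those fields is inferred from the commit subject, so confirm it). If highlighting is wanted again, it is safer to split each value into matched and unmatched segments and render them through template text interpolation than to build an HTML string, and any pattern built from `filterName` would first need its regex metacharacters escaped. The enclosing method starts before the first of these hunks and continues past the second.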