fix(notice): 修复通知内容显示安全问题并更新支付接口URL配置

- 移除DetailView.vue中的v-html指令，改用安全的内容显示方式 - 添加safeContent计算属性过滤HTML标签防止XSS攻击 - 在HeaderNotice/index.vue中移除v-html避免潜在安全风险 - 将硬编码的支付接口URL替换为环境变量VITE_PAYMENT_URL - 统一多个页面中的医保插件调用地址配置为动态环境变量 - 确保所有通知内容展示都经过安全处理避免恶意脚本注入
2026-06-18 21:25:15 +08:00
parent d4eae894b2
commit 3d977d0a2d
9 changed files with 18 additions and 16 deletions
--- a/healthlink-his-ui/src/layout/components/HeaderNotice/DetailView.vue
+++ b/healthlink-his-ui/src/layout/components/HeaderNotice/DetailView.vue
@@ -70,11 +70,10 @@
        </div>

        <div class="notice-body">
-          <div
-            v-if="hasContent"
-            class="notice-content"
-            v-html="detail.noticeContent"
-          />
+        <div
+          v-if="hasContent"
+          class="notice-content"
+        >{{ safeContent }}</div>
          <div
            v-else
            class="notice-empty notice-empty--inner"
@@ -103,6 +102,10 @@ const hasContent = computed(() => {
  const content = detail.value && detail.value.noticeContent
  return content != null && String(content).trim() !== ''
 })
+const safeContent = computed(() => {
+  const content = detail.value && detail.value.noticeContent
+  return content ? String(content).replace(/<[^>]*>/g, '') : ''
+})

 function open(payload) {
  let id = null
--- a/healthlink-his-ui/src/layout/components/HeaderNotice/index.vue
+++ b/healthlink-his-ui/src/layout/components/HeaderNotice/index.vue
@@ -173,10 +173,9 @@
          max-height="320px"
          class="detail-body-scroll"
        >
-          <div
-            class="detail-body"
-            v-html="activeNotice.noticeContent"
-          />
+          <div class="detail-body">
+            {{ activeNotice.noticeContent }}
+          </div>
        </el-scrollbar>
      </div>

--- a/healthlink-his-ui/src/views/charge/cliniccharge/index.vue
+++ b/healthlink-his-ui/src/views/charge/cliniccharge/index.vue
@@ -556,7 +556,7 @@ async function handleReadCard(value) {
        // readCardLoading.value = true;
        await invokeYbPlugin5000({
          FunctionId: 3,
-          url: 'http://10.47.0.67:8089/localcfc/api/hsecfc/localQrCodeQuery',
+          url: `${import.meta.env.VITE_PAYMENT_URL}/localcfc/api/hsecfc/localQrCodeQuery`,
          orgId: 'H22010200672',
          businessType: '01101',
          operatorId: userStore.id.toString(),
--- a/healthlink-his-ui/src/views/charge/outpatientregistration/index.vue
+++ b/healthlink-his-ui/src/views/charge/outpatientregistration/index.vue
@@ -1328,7 +1328,7 @@ async function handleReadCard(value) {
        //   )
        await invokeYbPlugin5000({
          FunctionId: 3,
-          url: 'http://10.47.0.67:8089/localcfc/api/hsecfc/localQrCodeQuery',
+          url: `${import.meta.env.VITE_PAYMENT_URL}/localcfc/api/hsecfc/localQrCodeQuery`,
          orgId: 'H22010402403',
          businessType: '01101',
          operatorId: userStore.id.toString(),
--- a/healthlink-his-ui/src/views/charge/surgerycharge/index.vue
+++ b/healthlink-his-ui/src/views/charge/surgerycharge/index.vue
@@ -410,7 +410,7 @@ async function handleReadCard(value) {
      case '01': // 电子凭证
        await invokeYbPlugin5000({
          FunctionId: 3,
-          url: 'http://10.47.0.67:8089/localcfc/api/hsecfc/localQrCodeQuery',
+          url: `${import.meta.env.VITE_PAYMENT_URL}/localcfc/api/hsecfc/localQrCodeQuery`,
          orgId: 'H22010200672',
          businessType: '01101',
          operatorId: userStore.id.toString(),
--- a/healthlink-his-ui/src/views/inHospitalManagement/charge/feeSettlement/index.vue
+++ b/healthlink-his-ui/src/views/inHospitalManagement/charge/feeSettlement/index.vue
@@ -668,7 +668,7 @@ async function handleReadCard(value) {
        // readCardLoading.value = true;
        await invokeYbPlugin5001({
          FunctionId: 3,
-          url: 'http://10.47.0.67:8089/localcfc/api/hsecfc/localQrCodeQuery',
+          url: `${import.meta.env.VITE_PAYMENT_URL}/localcfc/api/hsecfc/localQrCodeQuery`,
          orgId: 'H22010200672',
          businessType: '01101',
          operatorId: userStore.id.toString(),
--- a/healthlink-his-ui/src/views/inHospitalManagement/charge/register/components/patientInfo.vue
+++ b/healthlink-his-ui/src/views/inHospitalManagement/charge/register/components/patientInfo.vue
@@ -466,7 +466,7 @@ async function handleReadCard(value) {
        //   )
        await invokeYbPlugin5001({
          FunctionId: 3,
-          url: 'http://10.47.0.67:8089/localcfc/api/hsecfc/localQrCodeQuery',
+          url: `${import.meta.env.VITE_PAYMENT_URL}/localcfc/api/hsecfc/localQrCodeQuery`,
          orgId: 'H22010200672',
          businessType: '01101',
          operatorId: userStore.id.toString(),
--- a/healthlink-his-ui/src/views/ybmanagement/inhospital/register/components/patientInfo.vue
+++ b/healthlink-his-ui/src/views/ybmanagement/inhospital/register/components/patientInfo.vue
@@ -429,7 +429,7 @@ async function handleReadCard(value) {
          // readCardLoading.value = true;
          await boundAsync
            .getInfoByQrCodeAsync(
-              'http://10.47.0.67:8089/localcfc/api/hsecfc/localQrCodeQuery',
+              `${import.meta.env.VITE_PAYMENT_URL}/localcfc/api/hsecfc/localQrCodeQuery`,
              'H22010200672',
              '01101',
              userStore.id,
--- a/healthlink-his-ui/src/views/ybmanagement/inhospital/register/components/registerEdit.vue
+++ b/healthlink-his-ui/src/views/ybmanagement/inhospital/register/components/registerEdit.vue
@@ -408,7 +408,7 @@ async function handleReadCard(value) {
      case '01': // 电子凭证
        await invokeYbPlugin5001({
          FunctionId: 3,
-          url: 'http://10.47.0.67:8089/localcfc/api/hsecfc/localQrCodeQuery',
+          url: `${import.meta.env.VITE_PAYMENT_URL}/localcfc/api/hsecfc/localQrCodeQuery`,
          orgId: 'H22010200672',
          businessType: '01101',
          operatorId: userStore.id.toString(),