fix: custom menu security hardening and code quality improvements

- Add admin menu permission check in CustomPageView (visibility + role) - Sanitize SVG content with DOMPurify before v-html rendering (XSS prevention) - Decouple router.go from dto package using anonymous struct - Consolidate duplicate parseCustomMenuItems into dto.ParseCustomMenuItems - Enhance menu item validation (count, length, ID uniqueness limits) - Add audit logging for purchase_subscription and custom_menu_items changes - Update API contract test to include custom_menu_items field Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-05 16:00:21 +08:00 · 2026-03-03 02:18:19 +08:00
parent e4f8799323
commit bf6fe5e962
8 changed files with 133 additions and 82 deletions
--- a/frontend/src/utils/sanitize.ts
+++ b/frontend/src/utils/sanitize.ts
@@ -0,0 +1,6 @@
+import DOMPurify from 'dompurify'
+
+export function sanitizeSvg(svg: string): string {
+  if (!svg) return ''
+  return DOMPurify.sanitize(svg, { USE_PROFILES: { svg: true, svgFilters: true } })
+}