fix: 修复安全问题 - 登录失败返回401 + XSS过滤

- 登录失败返回 HTTP 401 而非 200 - 添加 XSS 输入过滤工具函数 - 课程名称和描述字段添加 XSS 过滤验证器
2026-01-31 10:39:07 +08:00
parent 0b7c07eb7f
commit d59a4355a5
3 changed files with 179 additions and 10 deletions
--- a/backend/app/schemas/course.py
+++ b/backend/app/schemas/course.py
@@ -8,6 +8,7 @@ from enum import Enum
 from pydantic import BaseModel, Field, ConfigDict, field_validator

 from app.models.course import CourseStatus, CourseCategory
+from app.core.sanitize import sanitize_input


 class CourseBase(BaseModel):
@@ -26,6 +27,18 @@ class CourseBase(BaseModel):
    is_featured: bool = Field(default=False, description="是否推荐")
    allow_download: bool = Field(default=False, description="是否允许下载资料")

+    @field_validator("name", mode="before")
+    @classmethod
+    def sanitize_name(cls, v):
+        """清理课程名称中的XSS内容"""
+        return sanitize_input(v, strict=True) if v else v
+
+    @field_validator("description", mode="before")
+    @classmethod
+    def sanitize_description(cls, v):
+        """清理课程描述中的XSS内容"""
+        return sanitize_input(v, strict=False) if v else v
+
    @field_validator("category", mode="before")
    @classmethod
    def normalize_category(cls, v):
@@ -75,6 +88,18 @@ class CourseUpdate(BaseModel):
    is_featured: Optional[bool] = Field(None, description="是否推荐")
    allow_download: Optional[bool] = Field(None, description="是否允许下载资料")

+    @field_validator("name", mode="before")
+    @classmethod
+    def sanitize_name_update(cls, v):
+        """清理课程名称中的XSS内容"""
+        return sanitize_input(v, strict=True) if v else v
+
+    @field_validator("description", mode="before")
+    @classmethod
+    def sanitize_description_update(cls, v):
+        """清理课程描述中的XSS内容"""
+        return sanitize_input(v, strict=False) if v else v
+
    @field_validator("category", mode="before")
    @classmethod
    def normalize_category_update(cls, v):