From 98982718c057d6862ac2f85717d8bff3f676cd03 Mon Sep 17 00:00:00 2001
From: shaohuzhang1
Date: Fri, 17 Apr 2026 14:59:37 +0800
Subject: [PATCH 1/2] fix: PDF preview of XSS attack
---
 apps/oss/serializers/file.py | 2 +-
 ui/env.d.ts | 1 +
 ui/package.json | 1 +
 .../ParagraphDocumentContent.vue | 402 +++++++++++++++++-
 4 files changed, 398 insertions(+), 8 deletions(-)
diff --git a/apps/oss/serializers/file.py b/apps/oss/serializers/file.py
index 0515d9df61f..95b8205c410 100644
--- a/apps/oss/serializers/file.py
+++ b/apps/oss/serializers/file.py
@@ -123,7 +123,7 @@ def get(self, with_valid=True):
 # 对于非范围请求或其他类型文件,返回完整内容
 headers = {
 'Content-Type': content_type,
- 'Content-Disposition': f'{"inline" if file_type == "pdf" else "attachment"}; filename={encoded_filename}'
+ 'Content-Disposition': f'"attachment"; filename={encoded_filename}'
 }
 return HttpResponse(
 file_bytes,
diff --git a/ui/env.d.ts b/ui/env.d.ts
index 9e940bf8210..78713959bb3 100644
--- a/ui/env.d.ts
+++ b/ui/env.d.ts
@@ -1,5 +1,6 @@
 ///
 declare module 'katex'
+declare module 'pdfjs-dist/build/pdf.mjs'
 interface Window {
 sendMessage: ?((message: string, other_params_data: any) => void)
 chatUserProfile: ?(() => any)
diff --git a/ui/package.json b/ui/package.json
index cb468636f27..31da1f66da4 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -44,6 +44,7 @@
 "nanoid": "^5.1.5",
 "node-forge": "^1.3.1",
 "nprogress": "^0.2.0",
+ "pdfjs-dist": "^5.6.205",
 "pinia": "^3.0.1",
 "recorder-core": "^1.3.25011100",
 "sanitize-html": "^2.17.0",
diff --git a/ui/src/components/ai-chat/component/knowledge-source-component/ParagraphDocumentContent.vue b/ui/src/components/ai-chat/component/knowledge-source-component/ParagraphDocumentContent.vue
index ee87885d495..686f6712ed4 100644
--- a/ui/src/components/ai-chat/component/knowledge-source-component/ParagraphDocumentContent.vue
+++ b/ui/src/components/ai-chat/component/knowledge-source-component/ParagraphDocumentContent.vue
@@ -1,18 +1,406 @@ + + 
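Review bot: The forced `attachment` disposition is applied only in the full-content branch visible here; the comment just above it (`对于非范围请求或其他类型文件,返回完整内容`, i.e. the non-range / other-file-type path) implies an earlier range-request branch in `get` that builds its own headers, and if that branch still selects `inline` for PDFs the preview vector stays open there, so it is worth checking since `get` starts outside the hunk. With the ternary gone, `file_type` may no longer be read anywhere in this function; if so the assignment should go too. The rationale for always forcing download lives only in the commit subject, so a comment on the header line such as `# always attachment: inline PDF preview was an XSS vector (see commit)` would keep the change from being reverted later as a UX regression. The same hunk is re-touched in PATCH 2/2 below, where the stray quotes around attachment are removed.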
From 3170c55350f685e4dae7f237b3c845e2de6bb241 Mon Sep 17 00:00:00 2001
From: shaohuzhang1
Date: Fri, 17 Apr 2026 15:01:31 +0800
Subject: [PATCH 2/2] fix: PDF preview of XSS attack
---
 apps/oss/serializers/file.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/oss/serializers/file.py b/apps/oss/serializers/file.py
index 95b8205c410..4e5b7b1f7b2 100644
--- a/apps/oss/serializers/file.py
+++ b/apps/oss/serializers/file.py
@@ -123,7 +123,7 @@ def get(self, with_valid=True):
 # 对于非范围请求或其他类型文件,返回完整内容
 headers = {
 'Content-Type': content_type,
- 'Content-Disposition': f'"attachment"; filename={encoded_filename}'
+ 'Content-Disposition': f'attachment; filename={encoded_filename}'
 }
 return HttpResponse(
 file_bytes,
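Review bot: The `filename=` parameter is still emitted unquoted, so if `encoded_filename` can contain a space, `;` or a double quote the header value splits and the disposition is misparsed; either confirm it is percent-encoded where it is built (outside the hunk) or emit it quoted, e.g. `'Content-Disposition': f'attachment; filename="{encoded_filename}"'`, adding a `filename*=UTF-8''…` parameter if non-ASCII names are expected. For user-uploaded bodies served with a caller-derived `content_type`, the usual companion to a forced download is `'X-Content-Type-Options': 'nosniff'` in the same `headers` dict, unless project middleware already sets it. `get` starts above the hunk, so the response for range requests is not visible here.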