fix: change innerHTML to trustedHTML

2025-10-14 23:36:28 +08:00
parent 2de10364f3
commit 9cdcf616f7
2 changed files with 24 additions and 2 deletions
--- a/src/common.js
+++ b/src/common.js
@@ -127,7 +127,7 @@ function showErr(message) {
  });

  const closeButton = document.createElement("span");
-  closeButton.innerHTML = "&times;";
+  closeButton.textContent = "×";

  Object.assign(closeButton.style, {
    position: "absolute",
--- a/src/libs/translator.js
+++ b/src/libs/translator.js
@@ -1021,10 +1021,19 @@ export class Translator {
        return;
      }

-      inner.innerHTML = this.#restoreFromTranslation(
+      const htmlString = this.#restoreFromTranslation(
        translatedText,
        placeholderMap
      );
+      const trustedHTML = this.#createTrustedHTML(htmlString);
+
+      // const parser = new DOMParser();
+      // const doc = parser.parseFromString(trustedHTML, "text/html");
+      // const innerElement = doc.body.firstChild;
+      // inner.replaceChildren(innerElement);
+
+      inner.innerHTML = trustedHTML;
+
      this.#translationNodes.set(wrapper, {
        nodes,
        isHide: hideOrigin,
@@ -1067,6 +1076,19 @@ export class Translator {
    }
  }

+  #createTrustedHTML(html) {
+    if (window.trustedTypes && window.trustedTypes.createPolicy) {
+      const policy = window.trustedTypes.createPolicy(
+        "kiss-translator-policy#html",
+        {
+          createHTML: (input) => input,
+        }
+      );
+      return policy.createHTML(html);
+    }
+    return html;
+  }
+
  // 处理节点转为翻译字符串
  #serializeForTranslation(nodes) {
    let replaceCounter = 0; // {{n}}