refine background settings validation and safety

Co-authored-by: Sunwuyuan <88357633+Sunwuyuan@users.noreply.github.com>
2026-02-04 16:03:10 +00:00 · 2025-12-29 10:24:06 +00:00 · 2025-12-29 10:24:06 +00:00 · 2b411a13ca
commit 2b411a13ca
parent 261df398b4
2 changed files with 30 additions and 5 deletions
--- a/src/pages/index.vue
+++ b/src/pages/index.vue
@ -688,11 +688,11 @@ export default {
    },
    backgroundImageStyle() {
      const url = this.backgroundImageUrl;
-      if (!url) return { display: "none" };
+      if (!this.isSafeBackgroundUrl(url)) return { display: "none" };

      const blur = Math.min(Math.max(this.backgroundBlurAmount, 0), 50);
      return {
-        backgroundImage: `url("${url}")`,
+        backgroundImage: `url("${this.sanitizeBackgroundUrl(url)}")`,
        filter: `blur(${blur}px)`,
      };
    },
@ -700,8 +700,10 @@ export default {
      if (!this.hasBackgroundImage) return { display: "none" };

      const dim = Math.min(Math.max(this.backgroundDimAmount, 0), 100);
+      const overlayBlur = Math.min(Math.max(this.backgroundBlurAmount, 0), 50) / 3;
      return {
        backgroundColor: `rgba(0, 0, 0, ${dim / 100})`,
+        backdropFilter: `blur(${overlayBlur}px)`,
      };
    },
    sortedItems() {
@ -2203,6 +2205,30 @@ export default {

      return nameMap[lastPart] || lastPart;
    },
+    isSafeBackgroundUrl(url) {
+      if (!url) return false;
+      const trimmed = url.trim();
+      if (trimmed.toLowerCase().startsWith("javascript:")) return false;
+
+      try {
+        const parsed = new URL(trimmed, window.location.origin);
+        const protocol = parsed.protocol.replace(":", "");
+        if (["http", "https", "data", "blob"].includes(protocol)) return true;
+      } catch (e) {
+        // Allow relative paths
+        if (
+          trimmed.startsWith("/") ||
+          trimmed.startsWith("./") ||
+          trimmed.startsWith("../")
+        ) {
+          return true;
+        }
+      }
+      return false;
+    },
+    sanitizeBackgroundUrl(url) {
+      return url.replace(/["'()]/g, "");
+    },

    safeBase64Decode(base64String) {
      try {
@ -2414,10 +2440,9 @@ export default {
 }

 .home-background {
-  transform: scale(1.04);
+  transform: scale(1.02);
 }

 .home-background-overlay {
-  backdrop-filter: blur(2px);
 }
 </style>
--- a/src/utils/settings.js
+++ b/src/utils/settings.js
@ -156,7 +156,7 @@ const settingsDefinitions = {
  "display.backgroundBlur": {
    type: "number",
    default: 12,
-    validate: (value) => value >= 0 && value <= 30,
+    validate: (value) => value >= 0 && value <= 50,
    description: "背景模糊强度",
    icon: "mdi-blur",
  },