chore: add danger of xss #146

Closed
6 changes: 6 additions & 0 deletions zh-CN/guide/basic/command.md
@@ -25,6 +25,12 @@ ctx.command('echo <message>')

这种链式的结构能够让我们非常方便地定义和扩展指令。稍后我们将看到这两个函数的更多用法,以及更多指令相关的函数。

::: danger
在插件中动态引用来自用户输入的[消息元素](./element.html)是非常危险的,因为它很容易导致 [XSS 攻击](https://zh.wikipedia.org/wiki/%E8%B7%A8%E7%B6%B2%E7%AB%99%E6%8C%87%E4%BB%A4%E7%A2%BC)。**绝不要**直接将用户提供的内容作为插值并返回

在默认情况下,Koishi 会对用户输入内容(例如上述的 `message` 参数)进行转义以确保其安全性。但是使用了例如解码内容方式会导致输入内容绕过了 Koishi 的转义,如需必要,请自行控制并[转义](/zh-CN/api/message/api.html#h-escape)来自用户的内容
:::

## 定义参数

正如你在上面所见的那样,使用 `ctx.command(decl)` 方法可以定义一个指令,其中 `decl` 是一个字符串,包含了 **指令名** 和 **参数列表**。
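Review bot: the `::: danger` block mislabels the risk it warns about. What a plugin interpolates here is user-supplied [消息元素](./element.html) markup, so the hazard is element (markup) injection into the bot's own output: a user who places element syntax inside `message` can make the bot emit elements the plugin never intended. Linking to the Wikipedia article on cross-site scripting and calling it an "XSS 攻击" points readers at a browser-side problem that this section does not describe; say message-element injection, and keep the XSS link only if the text explains the connection. Two smaller points in the same block: the second paragraph's `但是使用了例如解码内容方式会导致输入内容绕过了 Koishi 的转义` does not parse and never says which operation does the decoding, so the reader cannot tell what to avoid; name the call (the counterpart of the linked escape API) and state plainly that once user input has been decoded the plugin owns the escaping again. Both paragraphs also end without a terminal `。`. Since `ctx.command('echo <message>')` sits directly above the block, a two-line before/after (the command returning the raw parameter against a version that runs it through the linked escape first) would make the warning concrete.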