From 1943fea2e669745cba27e7602166d5476b85417e Mon Sep 17 00:00:00 2001
From: yuyx <237899745@qq.com>
Date: Tue, 25 Nov 2025 11:44:51 +0800
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20=E4=BF=AE=E5=A4=8D=E6=9C=AC?=
 =?UTF-8?q?=E5=9C=B0=E5=AD=98=E5=82=A8=E6=96=87=E4=BB=B6=E5=88=A0=E9=99=A4?=
 =?UTF-8?q?=E5=A4=B1=E8=B4=A5=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

问题：sanitizeInput 函数将 / 转义为 &#x2F;，导致文件路径错误
修复：从 XSS 过滤中移除对 / 的转义，因为它是路径分隔符的合法字符

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 backend/server.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/backend/server.js b/backend/server.js
index c378ebf..7c75fa4 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -162,19 +162,19 @@ app.use((req, res, next) => {
 });
 
 // XSS过滤中间件（用于用户输入）- 增强版
+// 注意：不转义 / 因为它是文件路径的合法字符
 function sanitizeInput(str) {
   if (typeof str !== 'string') return str;
 
-  // 1. 基础HTML实体转义
+  // 1. 基础HTML实体转义（不包括 / 因为是路径分隔符）
   let sanitized = str
-    .replace(/[&<>"'\/`]/g, (char) => {
+    .replace(/[&<>"'`]/g, (char) => {
       const map = {
         '&': '&amp;',
         '<': '&lt;',
         '>': '&gt;',
         '"': '&quot;',
         "'": '&#x27;',
-        '/': '&#x2F;',
         '`': '&#x60;'
       };
       return map[char];