From d3fcb159f958d41199ba7eaa99abea7e969780c6 Mon Sep 17 00:00:00 2001
From: yuyx <237899745@qq.com>
Date: Sun, 30 Nov 2025 15:27:59 +0800
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20=E4=BF=AE=E5=A4=8D=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E5=90=8D=E5=8C=85=E5=90=AB=E5=8F=8D=E5=BC=95=E5=8F=B7?= =?UTF-8?q?=E6=97=B6=E5=8F=98=E6=88=90undefined=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 从sanitizeInput正则表达式中移除反引号
- 之前map中没有反引号映射导致返回undefined
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 backend/server.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend/server.js b/backend/server.js
index 66e78e5..f1d8832 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -198,9 +198,9 @@ app.use((req, res, next) => {
 function sanitizeInput(str) {
 if (typeof str !== 'string') return str;
- // 1. 基础HTML实体转义(不包括 / 因为是路径分隔符)
+ // 1. 基础HTML实体转义(不包括 / 因为是路径分隔符,不包括 ` 因为是合法文件名字符)
 let sanitized = str
- .replace(/[&<>"'`]/g, (char) => {
+ .replace(/[&<>"']/g, (char) => {
 const map = {
 '&': '&',
 '<': '<',
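Review bot: The character class in `.replace(/[&<>"']/g, (char) => {` and the keys of `map` are still maintained by hand in two places, so the next edit that touches only one of them will reintroduce the same `undefined` substitution. Building the pattern from the table, e.g. `const escapeRe = new RegExp('[' + Object.keys(map).join('') + ']', 'g');` with `map` hoisted out of the callback, keeps the two in step. Since the backtick now passes through unescaped, the step-1 comment should also record the consequence for callers, for example `// NOTE: backticks are NOT escaped here; encode at output before placing a value in an unquoted HTML attribute or inline script`. The callback's return statement and the rest of sanitizeInput lie outside the hunk, so whether later steps handle the backtick cannot be confirmed from here.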