From ebfe1eceb997895bf63c66e45d2c1a39b9d18e08 Mon Sep 17 00:00:00 2001
From: huangxuan <huangxuan20@huawei.com>
Date: Tue, 2 Apr 2024 10:47:31 +0800
Subject: [PATCH] =?UTF-8?q?feat(core):=20=E9=99=90=E5=88=B6dangerouslySetI?=
 =?UTF-8?q?nnerHTML=20API=E7=94=9F=E6=95=88=E7=9A=84=E6=9D=A1=E4=BB=B6?=
 =?UTF-8?q?=EF=BC=8C=E5=87=8F=E5=B0=91XSS=E6=94=BB=E5=87=BB=E9=9D=A2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../inula/__tests__/DomTest/Attribute.test.js | 12 +++++++
 .../inula/src/dom/validators/ValidateProps.ts | 31 +++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/packages/inula/__tests__/DomTest/Attribute.test.js b/packages/inula/__tests__/DomTest/Attribute.test.js
index 27e5becb..a216bc5b 100644
--- a/packages/inula/__tests__/DomTest/Attribute.test.js
+++ b/packages/inula/__tests__/DomTest/Attribute.test.js
@@ -95,4 +95,16 @@ describe('Dom Attribute', () => {
       Inula.render(<div {...emptyStringProps} />, container);
     }).not.toThrow();
   });
+
+  it('dangerouslySetInnerHTML和children同时设置，只渲染children', () => {
+    Inula.act(() => {
+      Inula.render(
+        <div className="root" dangerouslySetInnerHTML={{ __html: '1234' }}>
+          123
+        </div>,
+        container
+      );
+    });
+    expect(container.innerHTML).toBe('<div class="root">123</div>');
+  });
 });
diff --git a/packages/inula/src/dom/validators/ValidateProps.ts b/packages/inula/src/dom/validators/ValidateProps.ts
index 2a6b27e1..18cf48c3 100644
--- a/packages/inula/src/dom/validators/ValidateProps.ts
+++ b/packages/inula/src/dom/validators/ValidateProps.ts
@@ -17,6 +17,25 @@ import { getPropDetails, PROPERTY_TYPE, PropDetails } from './PropertiesData';
 
 const INVALID_EVENT_NAME_REGEX = /^on[^A-Z]/;
 
+const voidTagElements = [
+  'area',
+  'base',
+  'br',
+  'col',
+  'embed',
+  'hr',
+  'img',
+  'input',
+  'keygen',
+  'link',
+  'meta',
+  'param',
+  'source',
+  'track',
+  'wbr',
+  'menuitem',
+];
+
 // 是内置元素
 export function isNativeElement(tagName: string, props: Record<string, any>) {
   return !tagName.includes('-') && props.is === undefined;
@@ -108,6 +127,18 @@ export function validateProps(type, props) {
     throw new Error('style should be a object.');
   }
 
+  // 对于没有children的元素，设置dangerouslySetInnerHTML不生效
+  if (voidTagElements.includes(type)) {
+    if (props.dangerouslySetInnerHTML != null) {
+      delete props.dangerouslySetInnerHTML;
+    }
+  }
+
+  // dangerouslySetInnerHTML和children同时设置，只渲染children
+  if (props.dangerouslySetInnerHTML != null && props.children != null) {
+    delete props.dangerouslySetInnerHTML;
+  }
+
   if (isDev) {
     // 校验属性
     const invalidProps = Object.keys(props).filter(key => !isValidProp(type, key, props[key]));