NutUI package name
@nutui/nutui-taro
NutUI version
4.1.4
Platform
weapp
Reproduction link
https://nutui.jd.com/playground/#eyJBcHAudnVlIjoiPHNjcmlwdCBzZXR1cCBsYW5nPVwidHNcIj5cbmltcG9ydCB7IHNob3dUb2FzdCB9IGZyb20gJ0BudXR1aS9udXR1aSdcbmltcG9ydCB7IERvbmdkb25nIH0gZnJvbSAnQG51dHVpL2ljb25zLXZ1ZSdcbmNvbnN0IHNob3cgPSAoKSA9PiB7XG4gIHNob3dUb2FzdC50ZXh0KCdIZWxsbywgTnV0VUkhJylcbn07XG48L3NjcmlwdD5cbjx0ZW1wbGF0ZT5cbiAgPG51dC1lbXB0eSAgZGVzY3JpcHRpb249XCLmmoLml6DlhoXlrrlcIiA+PC9udXQtZW1wdHk+XG48L3RlbXBsYXRlPiJ9
Reproduction steps
After running taro build --type weapp, open the file dist/taro.js; it contains multiple external links.
Expected result
Remove the three default external links in the nut-empty component, and remove the taro.com external link.
Actual result
The external links are all still present.
Environment info
👽 Taro v3.6.27
Taro CLI 3.6.27 environment info:
  System:
    OS: Windows 11 10.0.22631
  Binaries:
    Node: 20.11.1 - C:\Program Files\nodejs\node.EXE
    npm: 10.2.4 - C:\Program Files\nodejs\npm.CMD
  npmPackages:
    @tarojs/cli: 3.6.8 => 3.6.8
    @tarojs/components: 3.6.8 => 3.6.8
    @tarojs/helper: 3.6.8 => 3.6.8
    @tarojs/plugin-framework-vue3: 3.6.8 => 3.6.8
    @tarojs/plugin-html: 3.6.8 => 3.6.8
    @tarojs/plugin-platform-alipay: 3.6.8 => 3.6.8
    @tarojs/plugin-platform-h5: 3.6.8 => 3.6.8
    @tarojs/plugin-platform-jd: 3.6.8 => 3.6.8
    @tarojs/plugin-platform-qq: 3.6.8 => 3.6.8
    @tarojs/plugin-platform-swan: 3.6.8 => 3.6.8
    @tarojs/plugin-platform-tt: 3.6.8 => 3.6.8
    @tarojs/plugin-platform-weapp: 3.6.8 => 3.6.8
    @tarojs/runtime: 3.6.8 => 3.6.8
    @tarojs/shared: 3.6.8 => 3.6.8
    @tarojs/taro: 3.6.8 => 3.6.8
    @tarojs/taro-loader: 3.6.8 => 3.6.8
    @tarojs/webpack5-runner: 3.6.8 => 3.6.8
    babel-preset-taro: 3.6.8 => 3.6.8
    eslint-config-taro: 3.6.8 => 3.6.8
Additional information
I developed a mini program with Taro and NutUI. After it went live, a security company scanned the mini program and reported several security vulnerabilities.
One is that, through the external links https://taro.com and https://ftcms.jd.com, the scan found multiple ThinkPHP 5.x vulnerabilities. These are not used in my system at all; the links only appear after taro build.
The other is more puzzling: the scan detected that the mini program uses a hard-coded encryption key. NutUI developers, is this kind of risky code used anywhere?
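1. If you have an external-link scanning requirement, we recommend not using the Empty component. With on-demand import, it will not be bundled into the build output.
2. The taro.com links are unrelated to NutUI; please report them to the corresponding community.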
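A build-time check for the situation discussed in this issue, as an added example that is not part of the original thread or of the NutUI or Taro code: it lists every external host embedded in bundle text and reports those outside an allowlist. The sample bundle, the allowlist and all function names are constructed assumptions; in a project the input would be the contents of dist/taro.js.

```javascript
// Constructed sample standing in for the text of dist/taro.js (not real build output).
// Hosts taro.com and ftcms.jd.com are the ones named in the issue; paths are made up.
const SAMPLE_BUNDLE = [
  'var doc="https://taro.com/constructed/path";',
  'var imgs={empty:"https://ftcms.jd.com/constructed/empty.png",',
  'error:"https://ftcms.jd.com/constructed/error.png"};',
  'wx.request({url:"https://api.example.com/v1/items"});',
  'var ns="http://www.w3.org/2000/svg";',
].join('\n');

// Assumed allowlist: the app's own backend plus a namespace URI that is never fetched.
const ALLOWLIST = ['api.example.com', 'w3.org'];

// Stop at quotes, whitespace, angle brackets, backslashes and ")" so minified code parses cleanly.
const URL_RE = /https?:\/\/[^\s"'`<>\\)]+/g;

// Map each hostname found in the source text to the URLs that reference it.
function extractHosts(source) {
  const hosts = new Map();
  for (const match of source.matchAll(URL_RE)) {
    let host;
    try {
      host = new URL(match[0]).hostname.toLowerCase();
    } catch {
      continue; // not a parseable URL (e.g. a template fragment)
    }
    if (!hosts.has(host)) hosts.set(host, []);
    hosts.get(host).push(match[0]);
  }
  return hosts;
}

// Exact match or a true subdomain; "evil-api.example.com" must not pass for "api.example.com".
function isAllowed(host, allowlist) {
  return allowlist.some((a) => host === a || host.endsWith('.' + a));
}

// Return the hosts outside the allowlist, sorted, with how often each appears.
function auditBundle(source, allowlist) {
  const findings = [];
  for (const [host, urls] of extractHosts(source)) {
    if (!isAllowed(host, allowlist)) findings.push({ host, count: urls.length, urls });
  }
  return findings.sort((a, b) => a.host.localeCompare(b.host));
}

console.log(auditBundle(SAMPLE_BUNDLE, ALLOWLIST));
```

Run after taro build with the real bundle text as input, and fail the CI job when the returned list is non-empty so unexpected hosts are caught before a third-party scan does.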