fix(community): admin 审核页外链过 sanitizeExternalUrl (CR)

github-actions[bot] · github-actions[bot] · commit 04e9734a3d1e · 2026-04-19T16:17:08.000Z
Copilot CR 反馈：
- app/admin/community/page.tsx 直接把 link.url 渲染到 &lt;a href&gt;，虽然后端
  UrlNormalizer 已拒非 http/https，但 defense-in-depth 要求前端也兜底，
  防止后端某天放松校验导致 javascript:/data: XSS

改动：
- 外链过 sanitizeExternalUrl，非法链接降级为不可点击的灰色文字 + ⚠ 标记
diff --git a/app/admin/community/page.tsx b/app/admin/community/page.tsx
@@ -15,6 +15,7 @@ import { useEffect, useState } from "react";
 import Image from "next/image";
 import { AdminGuard } from "@/app/admin/events/AdminGuard";
 import type { SharedLinkView } from "@/app/feed/types";
+import { sanitizeExternalUrl } from "@/lib/url-safety";
 import { approveLink, listPendingLinks, rejectLink } from "./lib";
 
 export default function AdminCommunityPage() {
@@ -164,15 +165,30 @@ function AdminCommunityInner() {
                       {link.host}
                     </span>
                   </div>
-                  <a
-                    href={link.url}
-                    target="_blank"
-                    rel="noopener noreferrer"
-                    className="block mt-2 font-semibold text-base hover:underline truncate"
-                    title={link.ogTitle ?? link.url}
-                  >
-                    {link.ogTitle ?? link.url}
-                  </a>
+                  {(() => {
+                    // defense-in-depth：后端 UrlNormalizer 已拒非 http/https，
+                    // 前端仍用 sanitizeExternalUrl 兜底过滤 javascript:/data: 协议。
+                    const safe = sanitizeExternalUrl(link.url);
+                    const title = link.ogTitle ?? link.url;
+                    return safe ? (
+                      <a
+                        href={safe}
+                        target="_blank"
+                        rel="noopener noreferrer"
+                        className="block mt-2 font-semibold text-base hover:underline truncate"
+                        title={title}
+                      >
+                        {title}
+                      </a>
+                    ) : (
+                      <span
+                        className="block mt-2 font-semibold text-base text-neutral-400 truncate"
+                        title="链接协议不安全，已禁用点击"
+                      >
+                        {title} ⚠
+                      </span>
+                    );
+                  })()}
                   {link.ogDescription && (
                     <p className="mt-1 text-sm text-neutral-600 dark:text-neutral-300 line-clamp-2">
                       {link.ogDescription}
