From b04f354f96a7e54fc54cd3953ceac4a834391a90 Mon Sep 17 00:00:00 2001
From: zuohuaijun
Date: Sat, 11 Jan 2025 17:30:37 +0800
Subject: [PATCH] =?UTF-8?q?=F0=9F=98=8E1=E3=80=81=E4=BF=AE=E5=A4=8D?= =?UTF-8?q?=E5=93=8D=E5=BA=94=E5=A4=B4=E5=AE=89=E5=85=A8=E7=AD=96=E7=95=A5?= =?UTF-8?q?=20=202=E3=80=81=E4=BF=AE=E8=A6=85=E5=AF=8C=E6=96=87=E6=9C=AC?= =?UTF-8?q?=E6=A1=86=E5=9B=BE=E7=89=87=E6=98=BE=E7=A4=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Admin.NET/Admin.NET.Web.Core/Startup.cs | 2 +-
 Web/src/components/editor/index.vue | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Admin.NET/Admin.NET.Web.Core/Startup.cs b/Admin.NET/Admin.NET.Web.Core/Startup.cs
index d38346b2..e8d250f7 100644
--- a/Admin.NET/Admin.NET.Web.Core/Startup.cs
+++ b/Admin.NET/Admin.NET.Web.Core/Startup.cs
@@ -283,7 +283,7 @@ public class Startup : AppStartup
 // 限制 Flash 和其他插件的跨域访问,防止数据泄露
 context.Response.Headers.Append("X-Permitted-Cross-Domain-Policies", "none");
 // 限制可执行的脚本和样式,降低 XSS 攻击的风险
- context.Response.Headers.Append("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;");
+ context.Response.Headers.Append("Content-Security-Policy", "style-src 'self' 'unsafe-inline';");
 // 允许浏览器使用地理位置 API,但仅限于当前站点
 context.Response.Headers.Append("Permissions-Policy", "geolocation=(self)");
 // 强制使用 HTTPS,防止中间人攻击
diff --git a/Web/src/components/editor/index.vue b/Web/src/components/editor/index.vue
index 92117bcc..997d3887 100644
--- a/Web/src/components/editor/index.vue
+++ b/Web/src/components/editor/index.vue
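Review bot: In Startup.cs the new `Content-Security-Policy` value keeps only `style-src`, so with `default-src`, `script-src` and `img-src` removed the header no longer constrains scripts, images, frames or connections at all, while the comment directly above it still says it limits executable scripts to reduce XSS risk. If the aim was to let rich-text images load, it would be narrower to keep the previous directives and extend only the one that blocked them, e.g. `"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: <image-origin-placeholder>;"`. If dropping the script restriction is intentional, the comment should be reworded to say that only style sources are limited. The enclosing block starts and ends outside the hunk, so how the other headers interact with this one is not visible here.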
@@ -63,7 +63,7 @@ const state = reactive({
 .apiSysFileUploadFilePostForm(file)
 .then(({ data }) => {
 if (data.type == 'success' && data.result) {
- editorRef.value.insertNode({ type: 'image', src: data.result.url, alt: data.result.fileName, href: data.result.url, children: [{ text: '' }] });
+ editorRef.value.insertNode({ type: 'image', src: '/' + data.result.url, alt: data.result.fileName, href: '/' + data.result.url, children: [{ text: '' }] });
 } else {
 ElMessage.error('上传失败!');
 }
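Review bot: The unconditional `'/' + data.result.url` on the `insertNode` line assumes the upload API always returns a relative path without a leading slash. If it ever returns a path that already starts with `/`, the result is `//…`, which a browser resolves as a protocol-relative URL whose first path segment is treated as the host, and an absolute URL (for example from an external storage provider, if the backend supports one) would turn into a broken `/https://…` path. Normalising once and reusing the value avoids both cases: `const u = data.result.url; const imgUrl = /^(https?:)?\/\//.test(u) ? u : '/' + u.replace(/^\/+/, '');` and then `src: imgUrl, href: imgUrl`. The surrounding upload callback begins outside the hunk, so the shape of `data.result.url` cannot be confirmed from here.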