From 0e31264812d8ada736dd4b4cee80aca30e2d097d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=B4=A4=E5=BF=83?= <3277200+sentsim@users.noreply.github.com>
Date: Mon, 29 Apr 2024 20:08:00 +0800
Subject: [PATCH] =?UTF-8?q?fix(tree):=20=E4=BF=AE=E5=A4=8D=E7=BC=96?= =?UTF-8?q?=E8=BE=91=E8=8A=82=E7=82=B9=E6=A0=87=E9=A2=98=E6=97=B6=E7=9A=84?= =?UTF-8?q?=20xss=20=E9=97=AE=E9=A2=98=20(#1845)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/modules/tree.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/modules/tree.js b/src/modules/tree.js
index 7e391bbe..1397d97d 100644
--- a/src/modules/tree.js
+++ b/src/modules/tree.js
@@ -551,7 +551,7 @@ layui.define(['form','util'], function(exports){
 elemMain.children('.layui-tree-editInput').val(util.unescape(text)).focus();
 // 嵌入文字移除输入框
 var getVal = function(input){
- var textNew = input.val().trim();
+ var textNew = util.escape(input.val().trim());
 textNew = textNew ? textNew : options.text.defaultNodeName;
 input.remove();
 elemMain.children('.'+ ELEM_TEXT).html(textNew);
@@ -862,4 +862,4 @@ layui.define(['form','util'], function(exports){
 };
 exports(MOD_NAME, tree);
-})
\ No newline at end of file
+})
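Review bot: In the first hunk, the fallback right after the changed line (`textNew = textNew ? textNew : options.text.defaultNodeName;`) runs after the escape, so `options.text.defaultNodeName` still reaches `.html(textNew)` unescaped. That is only safe if the option is always developer-supplied markup, which the hunk does not show. `textNew` also stays entity-encoded for the rest of `getVal`, whose body continues past the hunk, so any later code that stores or reports the title presumably receives the escaped form, and a consumer that escapes again would double-encode it. I would add a comment above the changed line, such as `// HTML-escape user input: textNew is inserted with .html() below and stays escaped from here on`, and confirm that the code after the hunk expects escaped text.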