fix: mask Telegram bot token

eoao · eoao · commit 679cb4c03519 · 2026-05-23T06:53:52.000+08:00
diff --git a/mail-vue/src/views/sys-setting/index.vue b/mail-vue/src/views/sys-setting/index.vue
@@ -531,7 +531,7 @@
           </div>
         </template>
         <div class="forward-set-body">
-          <el-input :placeholder="$t('tgBotToken')" v-model="tgBotToken"></el-input>
+          <el-input :placeholder="setting.tgBotToken || $t('tgBotToken')" v-model="tgBotToken"></el-input>
           <el-input-tag tag-type="warning" :placeholder="$t('toBotTokenDesc')" v-model="tgChatId"
                         @add-tag="addChatTag"></el-input-tag>
           <el-input tag-type="warning" :placeholder="$t('customDomainDesc')" v-model="customDomain" ></el-input>
@@ -1064,7 +1064,7 @@ function closedSetBackground() {
 
 function openTgSetting() {
   tgBotStatus.value = setting.value.tgBotStatus
-  tgBotToken.value = setting.value.tgBotToken
+  tgBotToken.value = ''
   customDomain.value = setting.value.customDomain
   tgMsgFrom.value = setting.value.tgMsgFrom
   tgMsgText.value = setting.value.tgMsgText
@@ -1205,14 +1205,14 @@ function saveS3() {
 
 function tgBotSave() {
   const form = {
-    tgBotToken: tgBotToken.value,
     customDomain: customDomain.value,
     tgBotStatus: tgBotStatus.value,
     tgChatId: tgChatId.value + '',
     tgMsgFrom: tgMsgFrom.value,
     tgMsgText: tgMsgText.value,
     tgMsgTo: tgMsgTo.value
   }
+  if (tgBotToken.value) form.tgBotToken = tgBotToken.value
   editSetting(form)
 }
 
@@ -1468,6 +1468,7 @@ function change(e) {
   delete settingForm.secretKey
   delete settingForm.s3AccessKey
   delete settingForm.s3SecretKey
+  delete settingForm.tgBotToken
   delete settingForm.resendTokens
   editSetting(settingForm, false)
 }
diff --git a/mail-worker/src/service/setting-service.js b/mail-worker/src/service/setting-service.js
@@ -100,6 +100,7 @@ const settingService = {
 
 		settingRow.s3AccessKey = settingRow.s3AccessKey ? `${settingRow.s3AccessKey.slice(0, 12)}******` : null;
 		settingRow.s3SecretKey = settingRow.s3SecretKey ? `${settingRow.s3SecretKey.slice(0, 12)}******` : null;
+		settingRow.tgBotToken = settingRow.tgBotToken ? `${settingRow.tgBotToken.slice(0, 20)}******` : null;
 		settingRow.hasR2 = !!c.env.r2
 		settingRow.hasCfEmail = !!c.env.email
 
diff --git a/mail-worker/src/service/telegram-service.js b/mail-worker/src/service/telegram-service.js
@@ -55,7 +55,7 @@ const telegramService = {
 		const inlineKeyboard = [
 			[
 				{
-					text: '查看',
+					text: 'View',
 					web_app: { url: webAppUrl }
 				}
 			]
diff --git a/mail-worker/src/template/email-html.js b/mail-worker/src/template/email-html.js
@@ -7,6 +7,7 @@ export default function emailHtmlTemplate(html, domain) {
 	document.querySelectorAll('script').forEach(script => script.remove());
 	html = document.toString();
 	html = html.replace(/{{domain}}/g, domainUtils.toOssDomain(domain) + '/');
+	const safeHtmlJson = JSON.stringify(html).replace(/</g, '\\u003C');
 
 	return `<!DOCTYPE html>
 <html lang='en' >
@@ -127,7 +128,7 @@ export default function emailHtmlTemplate(html, domain) {
         }
 
         // 使用示例
-        const exampleHtml = \`${html}\`;
+        const exampleHtml = ${safeHtmlJson};
 
         // 渲染HTML
         renderHTML(exampleHtml);

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ const telegramService = {`
`55`	`55`	`const inlineKeyboard = [`
`56`	`56`	`[`
`57`	`57`	`{`
`58`		`- text: '查看',`
	`58`	`+ text: 'View',`
`59`	`59`	`web_app: { url: webAppUrl }`
`60`	`60`	`}`
`61`	`61`	`]`