fix: R5修复 — 双重HTML转义/消息时间格式m-d H:i

1 day ago · 44a918ad78
--- a/app/controller/Message.php
+++ b/app/controller/Message.php
@ -6,7 +6,6 @@ use app\model\Message as MessageModel;
 class Message extends BaseController
 {
    // BUG-03: 聊天记录读取保持原有逻辑
    public function list()
    {
        $cardNo = $this->request->get('card_no', '');
@ -30,7 +29,7 @@ class Message extends BaseController
                'cardNo'     => $m['card_no'],
                'senderType' => $m['sender_type'],
                'content'    => $m['content'],
                'time'       => date('H:i', strtotime($m['created_at'])),
                'time'       => date('m-d H:i', strtotime($m['created_at'])),
                'staffId'    => $m['staff_id'] ?? null,
            ];
        }, $messages);
@ -38,7 +37,6 @@ class Message extends BaseController
        return json(['code' => 0, 'data' => $list, 'msg' => 'ok']);
    }
    // BUG-03: 增加输入校验 + XSS防护
    public function send()
    {
        $cardNo     = $this->request->post('cardNo', '');
@ -46,24 +44,19 @@ class Message extends BaseController
        $content    = $this->request->post('content', '');
        $staffId    = $this->request->post('staffId', null);
        // 必填校验
        if (empty($cardNo) || empty($content)) {
            return json(['code' => -1, 'data' => null, 'msg' => '参数不完整']);
        }
        // senderType 枚举校验
        if (!in_array($senderType, ['customer', 'staff', 'system'])) {
            return json(['code' => -1, 'data' => null, 'msg' => '发送者类型无效']);
        }
        // 内容长度校验 (DB VARCHAR 500)
        if (mb_strlen($content) > 500) {
            return json(['code' => -1, 'data' => null, 'msg' => '消息过长，最多500字']);
        }
        // XSS 防护 — HTML 转义
        $content = htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
        // 存储原始文本，Vue 模板 {{ }} 自动转义防 XSS
        $msg = MessageModel::create([
            'card_no'     => $cardNo,
            'sender_type' => $senderType,
--- a/app/controller/Staff.php
+++ b/app/controller/Staff.php
@ -63,7 +63,7 @@ class Staff extends BaseController
                'status'      => $o['status'],
                'note'        => $o['note'] ?? '',
                'remindCount' => $o['remind_count'] ?? 0,
                'submittedAt' => date('H:i', strtotime($o['submitted_at'])),
                'submittedAt' => date('m-d H:i', strtotime($o['submitted_at'])),
                'items'       => array_map(function ($i) {
                    return [
                        'name'  => $i['product_name'],
@ -108,7 +108,7 @@ class Staff extends BaseController
                'status'      => $order->status,
                'note'        => $order->note ?? '',
                'remindCount' => $order->remind_count ?? 0,
                'submittedAt' => date('H:i', strtotime($order->submitted_at)),
                'submittedAt' => date('m-d H:i', strtotime($order->submitted_at)),
                'items'       => $items,
            ],
            'msg' => 'ok',
--- a/app/service/OrderService.php
+++ b/app/service/OrderService.php
@ -79,7 +79,7 @@ class OrderService
                'status'        => $o['status'],
                'note'          => $o['note'] ?? '',
                'remindCount'   => $o['remind_count'] ?? 0,
                'submittedAt'   => date('H:i', strtotime($o['submitted_at'])),
                'submittedAt'   => date('m-d H:i', strtotime($o['submitted_at'])),
                'items'         => array_map(function ($i) {
                    return [
                        'name'  => $i['product_name'],