fix: R5修复 — 双重HTML转义/消息时间格式m-d H:i

app/controller/Message.php

@@ -6,7 +6,6 @@ use app\model\Message as MessageModel;
 
 class Message extends BaseController
 {
-    // BUG-03: 聊天记录读取保持原有逻辑
     public function list()
     {
         $cardNo = $this->request->get('card_no', '');
@@ -30,7 +29,7 @@ class Message extends BaseController
                 'cardNo'     => $m['card_no'],
                 'senderType' => $m['sender_type'],
                 'content'    => $m['content'],
-                'time'       => date('H:i', strtotime($m['created_at'])),
+                'time'       => date('m-d H:i', strtotime($m['created_at'])),
                 'staffId'    => $m['staff_id'] ?? null,
             ];
         }, $messages);
@@ -38,7 +37,6 @@ class Message extends BaseController
         return json(['code' => 0, 'data' => $list, 'msg' => 'ok']);
     }
 
-    // BUG-03: 增加输入校验 + XSS防护
     public function send()
     {
         $cardNo     = $this->request->post('cardNo', '');
@@ -46,24 +44,19 @@ class Message extends BaseController
         $content    = $this->request->post('content', '');
         $staffId    = $this->request->post('staffId', null);
 
-        // 必填校验
         if (empty($cardNo) || empty($content)) {
             return json(['code' => -1, 'data' => null, 'msg' => '参数不完整']);
         }
 
-        // senderType 枚举校验
         if (!in_array($senderType, ['customer', 'staff', 'system'])) {
             return json(['code' => -1, 'data' => null, 'msg' => '发送者类型无效']);
         }
 
-        // 内容长度校验 (DB VARCHAR 500)
         if (mb_strlen($content) > 500) {
             return json(['code' => -1, 'data' => null, 'msg' => '消息过长，最多500字']);
         }
 
-        // XSS 防护 — HTML 转义
-        $content = htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
-
+        // 存储原始文本，Vue 模板 {{ }} 自动转义防 XSS
         $msg = MessageModel::create([
             'card_no'     => $cardNo,
             'sender_type' => $senderType,

app/controller/Staff.php

@@ -63,7 +63,7 @@ class Staff extends BaseController
                 'status'      => $o['status'],
                 'note'        => $o['note'] ?? '',
                 'remindCount' => $o['remind_count'] ?? 0,
-                'submittedAt' => date('H:i', strtotime($o['submitted_at'])),
+                'submittedAt' => date('m-d H:i', strtotime($o['submitted_at'])),
                 'items'       => array_map(function ($i) {
                     return [
                         'name'  => $i['product_name'],
@@ -108,7 +108,7 @@ class Staff extends BaseController
                 'status'      => $order->status,
                 'note'        => $order->note ?? '',
                 'remindCount' => $order->remind_count ?? 0,
-                'submittedAt' => date('H:i', strtotime($order->submitted_at)),
+                'submittedAt' => date('m-d H:i', strtotime($order->submitted_at)),
                 'items'       => $items,
             ],
             'msg' => 'ok',

app/service/OrderService.php

@@ -79,7 +79,7 @@ class OrderService
                 'status'        => $o['status'],
                 'note'          => $o['note'] ?? '',
                 'remindCount'   => $o['remind_count'] ?? 0,
-                'submittedAt'   => date('H:i', strtotime($o['submitted_at'])),
+                'submittedAt'   => date('m-d H:i', strtotime($o['submitted_at'])),
                 'items'         => array_map(function ($i) {
                     return [
                         'name'  => $i['product_name'],