fix: 修复表达式编辑器 XSS 注入漏洞，使用 escapeHtml 转义用户输入

Author: duanlinzhen

packages/amis-editor/src/renderer/textarea-formula/plugin.tsx

@@ -4,6 +4,7 @@
 
 import {TextareaFormulaControlProps} from './TextareaFormulaControl';
 import {FormulaEditor} from 'amis-ui';
+import {escapeHtml} from 'amis-core';
 import type {VariableItem, CodeMirror} from 'amis-ui';
 
 export function editorFactory(
@@ -232,7 +233,7 @@ export class FormulaPlugin {
       true,
       false
     ) || {
-      html: expression
+      html: escapeHtml(expression)
     };
 
     const wrap = document.createElement('span');

packages/amis-ui/src/components/formula/Editor.tsx

@@ -5,7 +5,8 @@ import React from 'react';
 import {
   eachTree,
   resolveVariableAndFilterForAsync,
-  uncontrollable
+  uncontrollable,
+  escapeHtml
 } from 'amis-core';
 import {
   parse,
@@ -208,7 +209,8 @@ export class FormulaEditor extends React.Component<
       .filter(item => item)
       .sort((a, b) => b.length - a.length);
 
-    const content = value || '';
+    // XSS 防护：对用户输入进行转义
+    const content = escapeHtml(value || '');
     let html = '';
 
     // 标记方法调用