Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2025-12-24 02:20:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

🔒 XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034

Browse source
This commit is contained in:
Daniel 2025-06-25 13:15:55 +08:00
parent 9718d3b1c8
commit 0a17b83372
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
5 changed files with 11 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

9
kernel/filesys/json_parser.go
View file

@ -25,6 +25,7 @@ import (
"github.com/88250/lute/editor"
"github.com/88250/lute/parse"
"github.com/siyuan-note/siyuan/kernel/treenode"
"github.com/siyuan-note/siyuan/kernel/util"
)
func ParseJSONWithoutFix(jsonData []byte, options *parse.Options) (ret *parse.Tree, err error) {
@ -57,6 +58,14 @@ func ParseJSON(jsonData []byte, options *parse.Options) (ret *parse.Tree, needFi
}
ret = &parse.Tree{Name: "", ID: root.ID, Root: &ast.Node{Type: ast.NodeDocument, ID: root.ID, Spec: root.Spec}, Context: &parse.Context{ParseOption: options}}
if icon := root.Properties["icon"]; "" != icon {
// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
if newIcon := util.FilterUploadEmojiFileName(icon); newIcon != icon {
root.Properties["icon"] = newIcon
needFix = true
}
}
ret.Root.KramdownIAL = parse.Map2IAL(root.Properties)
ret.Root.SetIALAttr("type", "doc")
for _, kv := range ret.Root.KramdownIAL {