🔒 XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034

kernel/api/block.go

@@ -627,10 +627,6 @@ func getBlockInfo(c *gin.Context) {
 	rootTitle := root.IAL["title"]
 	rootTitle = html.UnescapeString(rootTitle)
 	icon := root.IAL["icon"]
-	if strings.Contains(icon, ".") {
-		// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
-		icon = util.FilterUploadEmojiFileName(icon)
-	}
 	ret.Data = map[string]string{
 		"box":         block.Box,
 		"path":        block.Path,

kernel/filesys/json_parser.go

@@ -25,6 +25,7 @@ import (
 	"github.com/88250/lute/editor"
 	"github.com/88250/lute/parse"
 	"github.com/siyuan-note/siyuan/kernel/treenode"
+	"github.com/siyuan-note/siyuan/kernel/util"
 )
 
 func ParseJSONWithoutFix(jsonData []byte, options *parse.Options) (ret *parse.Tree, err error) {
@@ -57,6 +58,14 @@ func ParseJSON(jsonData []byte, options *parse.Options) (ret *parse.Tree, needFi
 	}
 
 	ret = &parse.Tree{Name: "", ID: root.ID, Root: &ast.Node{Type: ast.NodeDocument, ID: root.ID, Spec: root.Spec}, Context: &parse.Context{ParseOption: options}}
+	if icon := root.Properties["icon"]; "" != icon {
+		// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
+		if newIcon := util.FilterUploadEmojiFileName(icon); newIcon != icon {
+			root.Properties["icon"] = newIcon
+			needFix = true
+		}
+	}
+
 	ret.Root.KramdownIAL = parse.Map2IAL(root.Properties)
 	ret.Root.SetIALAttr("type", "doc")
 	for _, kv := range ret.Root.KramdownIAL {

kernel/model/blockial.go

@@ -250,21 +250,6 @@ func setNodeAttrs0(node *ast.Node, nameValues map[string]string) (oldAttrs map[s
 
 func pushBroadcastAttrTransactions(oldAttrs map[string]string, node *ast.Node) {
 	newAttrs := parse.IAL2Map(node.KramdownIAL)
-
-	// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
-	for name, value := range oldAttrs {
-		if "icon" == name {
-			value = util.FilterUploadEmojiFileName(value)
-			oldAttrs[name] = value
-		}
-	}
-	for name, value := range newAttrs {
-		if "icon" == name {
-			value = util.FilterUploadEmojiFileName(value)
-			newAttrs[name] = value
-		}
-	}
-
 	data := map[string]interface{}{"old": oldAttrs, "new": newAttrs}
 	if "" != node.AttributeViewType {
 		data["data-av-type"] = node.AttributeViewType

kernel/model/blockinfo.go

@@ -65,13 +65,6 @@ func GetDocInfo(blockID string) (ret *BlockInfo) {
 	title := tree.Root.IALAttr("title")
 	ret = &BlockInfo{ID: blockID, RootID: tree.Root.ID, Name: title}
 	ret.IAL = parse.IAL2Map(tree.Root.KramdownIAL)
-	icon := ret.IAL["icon"]
-	if strings.Contains(icon, ".") {
-		// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
-		icon = util.FilterUploadEmojiFileName(icon)
-		ret.IAL["icon"] = icon
-	}
-
 	scrollData := ret.IAL["scroll"]
 	if 0 < len(scrollData) {
 		scroll := map[string]interface{}{}
@@ -138,12 +131,7 @@ func GetDocInfo(blockID string) (ret *BlockInfo) {
 		}
 	}
 	ret.SubFileCount = subFileCount
-	icon = tree.Root.IALAttr("icon")
+	ret.Icon = tree.Root.IALAttr("icon")
-	if strings.Contains(icon, ".") {
-		// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
-		icon = util.FilterUploadEmojiFileName(icon)
-	}
-	ret.Icon = icon
 	return
 }
 

kernel/model/file.go

@@ -80,12 +80,7 @@ func (box *Box) docFromFileInfo(fileInfo *FileInfo, ial map[string]string) (ret
 	ret.Path = fileInfo.path
 	ret.Size = uint64(fileInfo.size)
 	ret.Name = ial["title"] + ".sy"
-	icon := ial["icon"]
+	ret.Icon = ial["icon"]
-	if strings.Contains(icon, ".") {
-		// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
-		icon = util.FilterUploadEmojiFileName(icon)
-	}
-	ret.Icon = icon
 	ret.ID = ial["id"]
 	ret.Name1 = ial["name"]
 	ret.Alias = ial["alias"]