From 0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Sun, 18 Jan 2026 17:54:07 +0800
Subject: [PATCH] :lock: Fix
 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv

Signed-off-by: Daniel <845765@qq.com>
---
 app/src/emoji/index.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/src/emoji/index.ts b/app/src/emoji/index.ts
index 044df7a1f..cb1ebeffb 100644
--- a/app/src/emoji/index.ts
+++ b/app/src/emoji/index.ts
@@ -27,8 +27,10 @@ export const unicode2Emoji = (unicode: string, className = "", needSpan = false,
     let emoji = "";
     if (unicode.startsWith("api/icon/getDynamicIcon")) {
         emoji = `<img class="${className}" ${lazy ? "data-" : ""}src="${unicode}"/>`;
+        emoji = Lute.Sanitize(emoji);
     } else if (unicode.indexOf(".") > -1) {
         emoji = `<img class="${className}" ${lazy ? "data-" : ""}src="/emojis/${unicode}"/>`;
+        emoji = Lute.Sanitize(emoji);
     } else {
         try {
             unicode.split("-").forEach(item => {