🔒 Do not execute scripts in assets SVG by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/16844

Signed-off-by: Daniel <845765@qq.com>
2026-02-25 16:34:06 +01:00 · 2026-01-16 18:11:55 +08:00 · 2026-01-16 18:11:55 +08:00 · 11115da3d0
commit 11115da3d0
parent 65532aec99
23 changed files with 125 additions and 3 deletions
--- a/app/src/config/editor.ts
+++ b/app/src/config/editor.ts
@ -305,6 +305,14 @@ export const editor = {
        <textarea class="b3-text-field fn__block" id="katexMacros" spellcheck="false">${window.siyuan.config.editor.katexMacros}</textarea>
    </div>
 </div>
+<label class="fn__flex b3-label">
+    <div class="fn__flex-1">
+        ${window.siyuan.languages.allowSVGScript}
+        <div class="b3-label__text">${window.siyuan.languages.allowSVGScriptTip}</div>
+    </div>
+    <span class="fn__space"></span>
+    <input class="b3-switch fn__flex-center" id="allowSVGScript" type="checkbox"${window.siyuan.config.editor.allowSVGScript ? " checked" : ""}/>
+</label>
 <label class="fn__flex b3-label">
    <div class="fn__flex-1">
        ${window.siyuan.languages.allowHTMLBLockScript}
@ -470,6 +478,7 @@ export const editor = {
                    inlineStrikethrough: (editor.element.querySelector("#editorMarkdownInlineStrikethrough") as HTMLInputElement).checked,
                    inlineMark: (editor.element.querySelector("#editorMarkdownInlineMark") as HTMLInputElement).checked
                },
+                allowSVGScript: (editor.element.querySelector("#allowSVGScript") as HTMLInputElement).checked,
                allowHTMLBLockScript: (editor.element.querySelector("#allowHTMLBLockScript") as HTMLInputElement).checked,
                justify: (editor.element.querySelector("#justify") as HTMLInputElement).checked,
                rtl: (editor.element.querySelector("#rtl") as HTMLInputElement).checked,
--- a/app/src/config/search.ts
+++ b/app/src/config/search.ts
@ -28,7 +28,7 @@ export const initConfigSearch = (element: HTMLElement, app: App) => {
            "editorMarkdownInlineTag", "editorMarkdownInlineTagTip", "editorMarkdownInlineMath", "editorMarkdownInlineMathTip",
            "editorMarkdownInlineStrikethrough", "editorMarkdownInlineStrikethroughTip", "editorMarkdownInlineMark", "editorMarkdownInlineMarkTip",
            "allowHTMLBLockScript", "allowHTMLBLockScriptTip", "backlinkExpandTip", "backmentionExpandTip",
-            "backlinkContainChildren", "backlinkContainChildrenTip"
+            "backlinkContainChildren", "backlinkContainChildrenTip", "allowSVGScript", "allowSVGScriptTip"
        ]),

        // 文档树
--- a/app/src/mobile/settings/editor.ts
+++ b/app/src/mobile/settings/editor.ts
@ -24,6 +24,7 @@ const setEditor = (modelMainElement: Element) => {
        inlineStrikethrough: (modelMainElement.querySelector("#editorMarkdownInlineStrikethrough") as HTMLInputElement).checked,
        inlineMark: (modelMainElement.querySelector("#editorMarkdownInlineMark") as HTMLInputElement).checked
    };
+    window.siyuan.config.editor.allowSVGScript = (modelMainElement.querySelector("#allowSVGScript") as HTMLInputElement).checked;
    window.siyuan.config.editor.allowHTMLBLockScript = (modelMainElement.querySelector("#allowHTMLBLockScript") as HTMLInputElement).checked;
    window.siyuan.config.editor.dynamicLoadBlocks = dynamicLoadBlocks;
    window.siyuan.config.editor.justify = (modelMainElement.querySelector("#justify") as HTMLInputElement).checked;
@ -279,6 +280,14 @@ export const initEditor = () => {
    <textarea class="b3-text-field fn__block" id="katexMacros">${window.siyuan.config.editor.katexMacros}</textarea>
    <div class="b3-label__text">${window.siyuan.languages.katexMacrosTip}</div>
 </div>
+<label class="fn__flex b3-label">
+    <div class="fn__flex-1">
+       ${window.siyuan.languages.allowSVGScript}
+        <div class="b3-label__text">${window.siyuan.languages.allowSVGScriptTip}</div>
+    </div>
+    <span class="fn__space"></span>
+    <input class="b3-switch fn__flex-center" id="allowSVGScript" type="checkbox"${window.siyuan.config.editor.allowSVGScript ? " checked" : ""}/>
+</label>
 <label class="fn__flex b3-label">
    <div class="fn__flex-1">
       ${window.siyuan.languages.allowHTMLBLockScript}
--- a/app/src/protyle/export/index.ts
+++ b/app/src/protyle/export/index.ts
@ -509,6 +509,7 @@ ${getIconScript(servePath)}
          config: {
            appearance: { mode: 0, codeBlockThemeDark: "${window.siyuan.config.appearance.codeBlockThemeDark}", codeBlockThemeLight: "${window.siyuan.config.appearance.codeBlockThemeLight}" },
            editor: { 
+              allowSVGScriptTip: ${window.siyuan.config.editor.allowSVGScript},
              allowHTMLBLockScript: ${window.siyuan.config.editor.allowHTMLBLockScript},
              fontSize: ${window.siyuan.config.editor.fontSize},
              codeLineWrap: true,
--- a/app/src/types/config.d.ts
+++ b/app/src/types/config.d.ts
@ -350,6 +350,11 @@ declare namespace Config {
     */
    export interface IEditor {

+        /**
+         * Whether to allow to execute javascript in the SVG
+         */
+        allowSVGScript: boolean;
+
        /**
         * Whether to allow to execute javascript in the HTML block
         */