Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2026-03-08 05:32:33 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

🔒 Do not execute scripts in assets SVG by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/16844

Browse source 
Signed-off-by: Daniel <845765@qq.com>
This commit is contained in:
Daniel 2026-01-16 18:11:55 +08:00
parent 65532aec99
commit 11115da3d0
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
23 changed files with 125 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

9
app/src/config/editor.ts
View file

@ -305,6 +305,14 @@ export const editor = {
<textarea class="b3-text-field fn__block" id="katexMacros" spellcheck="false">${window.siyuan.config.editor.katexMacros}</textarea>
</div>
</div>
<label class="fn__flex b3-label">
<div class="fn__flex-1">
${window.siyuan.languages.allowSVGScript}
<div class="b3-label__text">${window.siyuan.languages.allowSVGScriptTip}</div>
</div>
<span class="fn__space"></span>
<input class="b3-switch fn__flex-center" id="allowSVGScript" type="checkbox"${window.siyuan.config.editor.allowSVGScript ? " checked" : ""}/>
</label>
<label class="fn__flex b3-label">
<div class="fn__flex-1">
${window.siyuan.languages.allowHTMLBLockScript}
@ -470,6 +478,7 @@ export const editor = {
inlineStrikethrough: (editor.element.querySelector("#editorMarkdownInlineStrikethrough") as HTMLInputElement).checked,
inlineMark: (editor.element.querySelector("#editorMarkdownInlineMark") as HTMLInputElement).checked
},
allowSVGScript: (editor.element.querySelector("#allowSVGScript") as HTMLInputElement).checked,
allowHTMLBLockScript: (editor.element.querySelector("#allowHTMLBLockScript") as HTMLInputElement).checked,
justify: (editor.element.querySelector("#justify") as HTMLInputElement).checked,
rtl: (editor.element.querySelector("#rtl") as HTMLInputElement).checked,