🔒 Do not execute scripts in assets SVG by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/16844

Signed-off-by: Daniel <845765@qq.com>
2026-03-08 21:52:33 +01:00 · 2026-01-16 18:11:55 +08:00 · 2026-01-16 18:11:55 +08:00 · 11115da3d0
commit 11115da3d0
parent 65532aec99
23 changed files with 125 additions and 3 deletions
--- a/app/src/mobile/settings/editor.ts
+++ b/app/src/mobile/settings/editor.ts
@ -24,6 +24,7 @@ const setEditor = (modelMainElement: Element) => {
        inlineStrikethrough: (modelMainElement.querySelector("#editorMarkdownInlineStrikethrough") as HTMLInputElement).checked,
        inlineMark: (modelMainElement.querySelector("#editorMarkdownInlineMark") as HTMLInputElement).checked
    };
+    window.siyuan.config.editor.allowSVGScript = (modelMainElement.querySelector("#allowSVGScript") as HTMLInputElement).checked;
    window.siyuan.config.editor.allowHTMLBLockScript = (modelMainElement.querySelector("#allowHTMLBLockScript") as HTMLInputElement).checked;
    window.siyuan.config.editor.dynamicLoadBlocks = dynamicLoadBlocks;
    window.siyuan.config.editor.justify = (modelMainElement.querySelector("#justify") as HTMLInputElement).checked;
@ -279,6 +280,14 @@ export const initEditor = () => {
    <textarea class="b3-text-field fn__block" id="katexMacros">${window.siyuan.config.editor.katexMacros}</textarea>
    <div class="b3-label__text">${window.siyuan.languages.katexMacrosTip}</div>
 </div>
+<label class="fn__flex b3-label">
+    <div class="fn__flex-1">
+       ${window.siyuan.languages.allowSVGScript}
+        <div class="b3-label__text">${window.siyuan.languages.allowSVGScriptTip}</div>
+    </div>
+    <span class="fn__space"></span>
+    <input class="b3-switch fn__flex-center" id="allowSVGScript" type="checkbox"${window.siyuan.config.editor.allowSVGScript ? " checked" : ""}/>
+</label>
 <label class="fn__flex b3-label">
    <div class="fn__flex-1">
       ${window.siyuan.languages.allowHTMLBLockScript}