Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2026-01-19 06:46:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

🔒 Do not execute scripts in assets SVG by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/16844

Browse source 
Signed-off-by: Daniel <845765@qq.com>
This commit is contained in:
Daniel 2026-01-16 18:11:55 +08:00
parent 65532aec99
commit 11115da3d0
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
23 changed files with 125 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

21
kernel/server/serve.go
View file

@ -545,8 +545,7 @@ func serveAssets(ginServer *gin.Engine) {
}
}
if serveThumbnail(context, p, requestPath) {
// 如果请求缩略图服务成功则返回
if serveThumbnail(context, p, requestPath) || serveSVG(context, p) {
return
}
@ -562,6 +561,24 @@ func serveAssets(ginServer *gin.Engine) {
})
}
func serveSVG(context *gin.Context, assetAbsPath string) bool {
if strings.HasSuffix(assetAbsPath, ".svg") {
data, err := os.ReadFile(assetAbsPath)
if err != nil {
logging.LogErrorf("read svg file failed: %s", err)
return false
}
if !model.Conf.Editor.AllowSVGScript {
data = []byte(util.RemoveScriptsInSVG(string(data)))
}
context.Data(200, "image/svg+xml", data)
return true
}
return false
}
func serveThumbnail(context *gin.Context, assetAbsPath, requestPath string) bool {
if style := context.Query("style"); style == "thumb" && model.NeedGenerateAssetsThumbnail(assetAbsPath) { // 请求缩略图
thumbnailPath := filepath.Join(util.TempDir, "thumbnails", "assets", requestPath)