From f95d3b99bd4a57ec1fc61ea48261e2ee9d62e21f Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Tue, 17 Jun 2025 11:18:38 +0800
Subject: [PATCH 1/2] :lock: XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034 https://github.com/siyuan-note/siyuan/pull/15041
---
 kernel/model/box.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/kernel/model/box.go b/kernel/model/box.go
index 4c2c3c272..9eb1102f4 100644
--- a/kernel/model/box.go
+++ b/kernel/model/box.go
@@ -127,10 +127,16 @@ func ListNotebooks() (ret []*Box, err error) {
 }
 id := dir.Name()
+ icon := boxConf.Icon
+ if strings.Contains(icon, ".") { // 说明是自定义图标
+ // XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
+ icon = util.FilterUploadFileName(icon)
+ }
+
 box := &Box{
 ID: id,
 Name: boxConf.Name,
- Icon: boxConf.Icon,
+ Icon: icon,
 Sort: boxConf.Sort,
 SortMode: boxConf.SortMode,
 Closed: boxConf.Closed,
From a0b7998401c0de5a2d92a6bcf4e52dbff8ade6d8 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Tue, 17 Jun 2025 11:25:28 +0800
Subject: [PATCH 2/2] :art: Database gallery view https://github.com/siyuan-note/siyuan/issues/10414
---
 kernel/model/attribute_view.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/kernel/model/attribute_view.go b/kernel/model/attribute_view.go
index d92571d6f..80726dbfd 100644
--- a/kernel/model/attribute_view.go
+++ b/kernel/model/attribute_view.go
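Review bot: In ListNotebooks (kernel/model/box.go) the new filter runs only when `strings.Contains(icon, ".")` holds, so a `boxConf.Icon` without a dot is still copied into `Box.Icon` exactly as stored; whether that branch is safe depends on how the client renders non-custom icons, which the hunk does not show. I would constrain that branch as well (for example accept only hex code points joined by `-` and otherwise clear the value), and keep HTML-escaping at the point of rendering as the primary control. `util.FilterUploadFileName` is a file-name filter rather than an output encoder, so please confirm that it removes quotes and angle brackets and that it does not break custom icons stored in subfolders by stripping `/`. At minimum a comment such as `// only custom icons (names containing ".") are filtered here; code-point icons are passed through as stored` would record the assumption. The function body starts and ends outside the hunk.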
@@ -119,6 +119,20 @@ func ChangeAttrViewLayout(blockID, avID string, layout av.LayoutType) (err error
 view.LayoutType = newLayout
 err = av.SaveAttributeView(attrView)
+
+ node, tree, err := getNodeByBlockID(nil, blockID)
+ if err != nil {
+ return
+ }
+
+ node.AttributeViewType = string(view.LayoutType)
+ attrs := parse.IAL2Map(node.KramdownIAL)
+ attrs[av.NodeAttrView] = view.ID
+ err = setNodeAttrs(node, tree, attrs)
+ if err != nil {
+ logging.LogWarnf("set node [%s] attrs failed: %s", blockID, err)
+ return
+ }
 return
 }
@@ -469,7 +483,6 @@ func SetDatabaseBlockView(blockID, avID, viewID string) (err error) {
 }
 node.AttributeViewType = string(view.LayoutType)
-
 attrs := parse.IAL2Map(node.KramdownIAL)
 attrs[av.NodeAttrView] = viewID
 err = setNodeAttrs(node, tree, attrs)
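Review bot: In the first hunk (ChangeAttrViewLayout) the error from `av.SaveAttributeView(attrView)` is overwritten by the `getNodeByBlockID` call that now follows it, so a failed save is silently dropped and the function continues to rewrite the block's attributes; before this change the trailing `return` propagated that error. Check it before continuing: `if err = av.SaveAttributeView(attrView); err != nil { return }`. If these statements sit inside a nested block (the indentation is not recoverable here), `node, tree, err :=` would also shadow the named result, in which case declare `node` and `tree` first and assign with `=`. The `getNodeByBlockID` failure path returns without a log line while the `setNodeAttrs` path logs a warning, which makes the two failures harder to tell apart when diagnosing a block whose stored view attribute is stale. The function starts outside the hunk.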