From 257aa0ef4439a9209fcb930a946740350811da9a Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Mon, 9 Mar 2026 16:38:31 +0800
Subject: [PATCH] :lock: `getDynamicIcon` interface XSS vulnerability

https://github.com/siyuan-note/siyuan/issues/17166
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr

Signed-off-by: Daniel <845765@qq.com>
---
 kernel/util/misc.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kernel/util/misc.go b/kernel/util/misc.go
index baee4dc8f..3b6adeb5d 100644
--- a/kernel/util/misc.go
+++ b/kernel/util/misc.go
@@ -261,6 +261,12 @@ func SanitizeSVG(svgInput string) string {
 		for _, a := range c.Attr {
 			key := strings.ToLower(a.Key)
 			val := strings.TrimSpace(strings.ToLower(a.Val))
+			val = strings.Map(func(r rune) rune {
+				if r == '\t' || r == '\n' || r == '\r' {
+					return -1 // Remove character
+				}
+				return r
+			}, val)
 			// 删除事件处理器属性(onload, onerror 等)
 			if strings.HasPrefix(key, "on") {
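Review bot: The added `strings.Map` removes only tab, LF and CR, but a browser's URL parser also discards leading and trailing C0 control characters, and the `strings.TrimSpace` on the preceding line does not strip those, so the normalised `val` can still differ from what the browser sees; a broader filter such as `if r < 0x20 || r == 0x7f { return -1 }` would close that gap in one line. This normalised `val` is presumably used only for the attribute checks that follow and not for the value written back out, which is fine, but a short comment saying `// val is a normalised copy used only for matching; a.Val is emitted unchanged` would make that contract explicit for the next maintainer. As a point of style, the closure is re-created for every attribute; a small package-level helper (for example `stripControlChars(s string) string`) would be cheaper and directly unit-testable with a table of inputs. SanitizeSVG begins and ends outside this hunk, so the code that consumes `val` is not visible here.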