diff --git a/app/src/protyle/util/onGet.ts b/app/src/protyle/util/onGet.ts
index 22a919d4e..0f94e040f 100644
--- a/app/src/protyle/util/onGet.ts
+++ b/app/src/protyle/util/onGet.ts
@@ -133,6 +133,20 @@ const setHTML = (options: {
 if (protyle.contentElement.classList.contains("fn__none") && protyle.wysiwyg.element.innerHTML !== "") {
 return;
 }
+
+ if (DOMPurify) {
+ // XSS in inline-memo https://github.com/siyuan-note/siyuan/issues/15280
+ const parser = new DOMParser();
+ const doc = parser.parseFromString(options.content, "text/html");
+ doc.querySelectorAll("[data-inline-memo-content]").forEach(item => {
+ const content = item.getAttribute("data-inline-memo-content");
+ if (content) {
+ item.setAttribute("data-inline-memo-content", DOMPurify.sanitize(content));
+ }
+ });
+ options.content = doc.body.innerHTML;
+ }
+
 protyle.block.showAll = options.action.includes(Constants.CB_GET_ALL);
 const REMOVED_OVER_HEIGHT = protyle.contentElement.clientHeight * 8;
 const updateReadonly = typeof options.updateReadonly === "undefined" ? protyle.wysiwyg.element.innerHTML === "" : options.updateReadonly;
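Review bot: The `if (DOMPurify)` guard around the new block fails open: when the sanitizer is unavailable, the `data-inline-memo-content` values are left untouched and reach the DOM exactly as before the fix, so the check silently disables the protection it was added for. Consider running the parse unconditionally and only choosing between sanitizing and dropping the value, e.g. `item.setAttribute("data-inline-memo-content", DOMPurify ? DOMPurify.sanitize(content) : "");`, or fail at import time if the dependency is missing rather than testing it per call. A short comment above the loop stating that only this attribute is purified and the remainder of `options.content` is presumably trusted as server-rendered output would help readers who might otherwise assume the whole payload is sanitized. setHTML's body starts before and continues past this hunk.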