From 4153d22acb6da6fbb9262bc03c7801af83835865 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Tue, 13 Jun 2023 09:34:36 +0800
Subject: [PATCH] :bug: Search dialog XSS Fix https://github.com/siyuan-note/siyuan/issues/8525

---
 kernel/model/blockinfo.go | 5 +++--
 kernel/model/search.go | 7 +++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/kernel/model/blockinfo.go b/kernel/model/blockinfo.go
index dd34c9f8d..3aa4f8e0e 100644
--- a/kernel/model/blockinfo.go
+++ b/kernel/model/blockinfo.go
@@ -27,6 +27,7 @@ import (
 	"github.com/88250/gulu"
 	"github.com/88250/lute/ast"
 	"github.com/88250/lute/editor"
+	"github.com/88250/lute/html"
 	"github.com/88250/lute/parse"
 	"github.com/siyuan-note/logging"
 	"github.com/siyuan-note/siyuan/kernel/sql"
@@ -309,7 +310,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
 		if add {
 			ret = append([]*BlockPath{{
 				ID: id,
-				Name: name,
+				Name: html.EscapeString(name),
 				Type: parent.Type.String(),
 				SubType: treenode.SubTypeAbbr(parent),
 			}}, ret...)
@@ -330,7 +331,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
 		name = gulu.Str.SubStr(renderBlockText(b, excludeTypes), maxNameLen)
 		ret = append([]*BlockPath{{
 			ID: b.ID,
-			Name: name,
+			Name: html.EscapeString(name),
 			Type: b.Type.String(),
 			SubType: treenode.SubTypeAbbr(b),
 		}}, ret...)
diff --git a/kernel/model/search.go b/kernel/model/search.go
index a6c91654b..6f627a70e 100644
--- a/kernel/model/search.go
+++ b/kernel/model/search.go
@@ -33,6 +33,7 @@ import (
 	"github.com/88250/gulu"
 	"github.com/88250/lute"
 	"github.com/88250/lute/ast"
+	"github.com/88250/lute/html"
 	"github.com/88250/lute/lex"
 	"github.com/88250/lute/parse"
 	"github.com/88250/vitess-sqlparser/sqlparser"
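Review bot: `Name: html.EscapeString(name)` changes the contract of `BlockPath.Name` without documenting it: every consumer now receives entity-encoded text, so a caller that shows the name as plain text (textContent, window titles, exports) will display `&lt;` literally. In the second breadcrumb hunk (`@@ -330,7 +331,7 @@`) the escape also runs after `gulu.Str.SubStr(..., maxNameLen)`, so the returned name can exceed maxNameLen once `<`, `>`, `&`, `"` or `'` expand to entities; if that bound matters to callers, truncate after escaping or document that it is a pre-escape bound. Where `name` in the first hunk comes from is not visible; if it is already entity-encoded upstream it will now be double-encoded, which is worth confirming. Suggest a field comment on `BlockPath`: `// Name is HTML-escaped for direct insertion into the breadcrumb markup; do not escape again on the client.` buildBlockBreadcrumb starts before and continues past both hunks.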
@@ -886,16 +887,14 @@ func fromSQLBlock(sqlBlock *sql.Block, terms string, beforeLen int) (block *Bloc
 	}
 	id := sqlBlock.ID
-	content := sqlBlock.Content
-	p := sqlBlock.Path
-
+	content := html.EscapeString(sqlBlock.Content) // Search dialog XSS https://github.com/siyuan-note/siyuan/issues/8525
 	content, _ = markSearch(content, terms, beforeLen)
 	content = maxContent(content, 5120)
 	markdown := maxContent(sqlBlock.Markdown, 5120)
 	block = &Block{
 		Box: sqlBlock.Box,
-		Path: p,
+		Path: sqlBlock.Path,
 		ID: id,
 		RootID: sqlBlock.RootID,
 		ParentID: sqlBlock.ParentID,
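Review bot: Escaping `sqlBlock.Content` before `markSearch(content, terms, beforeLen)` makes the term matching run against entity-encoded text, so if markSearch compares literal substrings (its body is outside this hunk) a query containing `&`, `<`, `>`, `"` or `'` will no longer be highlighted, because the content now holds `&amp;`, `&lt;` and so on. Encoding the terms the same way, `content, _ = markSearch(content, html.EscapeString(terms), beforeLen)`, keeps both sides consistent, provided terms is a plain string and not a pre-parsed pattern. `maxContent(content, 5120)` now truncates the escaped string and can cut through an entity such as `&amp;` or through any markup markSearch inserted; confirm maxContent is entity- and tag-aware. `markdown` is left unescaped, which is safe only if the client treats the Markdown field as text, so a comment on the escape line naming which Block fields are safe to insert as HTML would make that contract explicit. fromSQLBlock starts before and continues past this hunk.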