Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2025-12-17 15:10:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

🐛 Search dialog XSS Fix https://github.com/siyuan-note/siyuan/issues/8525

Browse source
This commit is contained in:
Daniel 2023-06-13 09:34:36 +08:00
parent 88fa157bf2
commit 4153d22acb
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
2 changed files with 6 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

5
kernel/model/blockinfo.go
View file

@ -27,6 +27,7 @@ import (
"github.com/88250/gulu" "github.com/88250/gulu"
"github.com/88250/lute/ast" "github.com/88250/lute/ast"
"github.com/88250/lute/editor" "github.com/88250/lute/editor"
"github.com/88250/lute/html"
"github.com/88250/lute/parse" "github.com/88250/lute/parse"
"github.com/siyuan-note/logging" "github.com/siyuan-note/logging"
"github.com/siyuan-note/siyuan/kernel/sql" "github.com/siyuan-note/siyuan/kernel/sql"
@ -309,7 +310,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
if add { if add {
ret = append([]*BlockPath{{ ret = append([]*BlockPath{{
ID: id, ID: id,
Name: name, Name: html.EscapeString(name),
Type: parent.Type.String(), Type: parent.Type.String(),
SubType: treenode.SubTypeAbbr(parent), SubType: treenode.SubTypeAbbr(parent),
}}, ret...) }}, ret...)
@ -330,7 +331,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
name = gulu.Str.SubStr(renderBlockText(b, excludeTypes), maxNameLen) name = gulu.Str.SubStr(renderBlockText(b, excludeTypes), maxNameLen)
ret = append([]*BlockPath{{ ret = append([]*BlockPath{{
ID: b.ID, ID: b.ID,
Name: name, Name: html.EscapeString(name),
Type: b.Type.String(), Type: b.Type.String(),
SubType: treenode.SubTypeAbbr(b), SubType: treenode.SubTypeAbbr(b),
}}, ret...) }}, ret...)

7
kernel/model/search.go
View file

@ -33,6 +33,7 @@ import (
"github.com/88250/gulu" "github.com/88250/gulu"
"github.com/88250/lute" "github.com/88250/lute"
"github.com/88250/lute/ast" "github.com/88250/lute/ast"
"github.com/88250/lute/html"
"github.com/88250/lute/lex" "github.com/88250/lute/lex"
"github.com/88250/lute/parse" "github.com/88250/lute/parse"
"github.com/88250/vitess-sqlparser/sqlparser" "github.com/88250/vitess-sqlparser/sqlparser"
@ -886,16 +887,14 @@ func fromSQLBlock(sqlBlock *sql.Block, terms string, beforeLen int) (block *Bloc
} }
id := sqlBlock.ID id := sqlBlock.ID
content := sqlBlock.Content content := html.EscapeString(sqlBlock.Content) // Search dialog XSS https://github.com/siyuan-note/siyuan/issues/8525
p := sqlBlock.Path
content, _ = markSearch(content, terms, beforeLen) content, _ = markSearch(content, terms, beforeLen)
content = maxContent(content, 5120) content = maxContent(content, 5120)
markdown := maxContent(sqlBlock.Markdown, 5120) markdown := maxContent(sqlBlock.Markdown, 5120)
block = &Block{ block = &Block{
Box: sqlBlock.Box, Box: sqlBlock.Box,
Path: p, Path: sqlBlock.Path,
ID: id, ID: id,
RootID: sqlBlock.RootID, RootID: sqlBlock.RootID,
ParentID: sqlBlock.ParentID, ParentID: sqlBlock.ParentID,