Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2026-01-06 08:48:49 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

🐛 Breadcrumb XSS https://github.com/siyuan-note/siyuan/issues/10753

Browse source
This commit is contained in:
Daniel 2024-03-28 16:57:24 +08:00
parent 62cc60c934
commit 42967694ef
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
2 changed files with 22 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
kernel/model/blockinfo.go
View file

@ -366,6 +366,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
name = util.EscapeHTML(box.Name) + util.EscapeHTML(hPath)
} else if ast.NodeAttributeView == parent.Type {
name = treenode.GetAttributeViewName(parent.AttributeViewID)
name = util.EscapeHTML(name)
} else {
if "" == name {
if ast.NodeListItem == parent.Type {
@ -373,6 +374,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
} else {
name = gulu.Str.SubStr(renderBlockText(parent, excludeTypes), maxNameLen)
}
name = util.EscapeHTML(name)
}
if ast.NodeHeading == parent.Type {
headingLevel = parent.HeadingLevel
@ -389,6 +391,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
if ast.NodeListItem == parent.Type {
if "" == name {
name = gulu.Str.SubStr(renderBlockText(fc, excludeTypes), maxNameLen)
name = util.EscapeHTML(name)
}
}