Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2025-12-17 23:20:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

🐛 Breadcrumb XSS https://github.com/siyuan-note/siyuan/issues/10753

Browse source
This commit is contained in:
Daniel 2024-03-28 16:57:24 +08:00
parent 62cc60c934
commit 42967694ef
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
2 changed files with 22 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
kernel/model/blockinfo.go
View file

@ -366,6 +366,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
name = util.EscapeHTML(box.Name) + util.EscapeHTML(hPath) name = util.EscapeHTML(box.Name) + util.EscapeHTML(hPath)
} else if ast.NodeAttributeView == parent.Type { } else if ast.NodeAttributeView == parent.Type {
name = treenode.GetAttributeViewName(parent.AttributeViewID) name = treenode.GetAttributeViewName(parent.AttributeViewID)
name = util.EscapeHTML(name)
} else { } else {
if "" == name { if "" == name {
if ast.NodeListItem == parent.Type { if ast.NodeListItem == parent.Type {
@ -373,6 +374,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
} else { } else {
name = gulu.Str.SubStr(renderBlockText(parent, excludeTypes), maxNameLen) name = gulu.Str.SubStr(renderBlockText(parent, excludeTypes), maxNameLen)
} }
name = util.EscapeHTML(name)
} }
if ast.NodeHeading == parent.Type { if ast.NodeHeading == parent.Type {
headingLevel = parent.HeadingLevel headingLevel = parent.HeadingLevel
@ -389,6 +391,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
if ast.NodeListItem == parent.Type { if ast.NodeListItem == parent.Type {
if "" == name { if "" == name {
name = gulu.Str.SubStr(renderBlockText(fc, excludeTypes), maxNameLen) name = gulu.Str.SubStr(renderBlockText(fc, excludeTypes), maxNameLen)
name = util.EscapeHTML(name)
} }
} }

23
kernel/util/misc.go
View file

@ -42,11 +42,26 @@ func RemoveElem[T any](s []T, index int) []T {
return append(s[:index], s[index+1:]...) return append(s[:index], s[index+1:]...)
} }
func EscapeHTML(s string) string { func EscapeHTML(s string) (ret string) {
if ContainsSubStr(s, []string{"&", "'", "<", ">", """, "
"}) { ret = s
return s if "" == strings.TrimSpace(ret) {
return
} }
return html.EscapeString(s)
ret = strings.ReplaceAll(ret, "&", "__@amp__")
ret = strings.ReplaceAll(ret, "'", "__@39__")
ret = strings.ReplaceAll(ret, "<", "__@lt__")
ret = strings.ReplaceAll(ret, ">", "__@gt__")
ret = strings.ReplaceAll(ret, """, "__@34__")
ret = strings.ReplaceAll(ret, "
", "__@13__")
ret = html.EscapeString(ret)
ret = strings.ReplaceAll(ret, "__@amp__", "&")
ret = strings.ReplaceAll(ret, "__@39__", "'")
ret = strings.ReplaceAll(ret, "__@lt__", "<")
ret = strings.ReplaceAll(ret, "__@gt__", ">")
ret = strings.ReplaceAll(ret, "__@34__", """)
ret = strings.ReplaceAll(ret, "__@13__", "
")
return
} }
func Reverse(s string) string { func Reverse(s string) string {