diff --git a/kernel/api/setting.go b/kernel/api/setting.go
index e5765d64a..14a015a19 100644
--- a/kernel/api/setting.go
+++ b/kernel/api/setting.go
@@ -654,7 +654,12 @@ func setEmoji(c *gin.Context) {
 argEmoji := arg["emoji"].([]interface{})
 var emoji []string
 for _, ae := range argEmoji {
- emoji = append(emoji, ae.(string))
+ e := ae.(string)
+ if strings.Contains(e, ".") {
+ // XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
+ e = util.FilterUploadFileName(e)
+ }
+ emoji = append(emoji, e)
 }
 
 model.Conf.Editor.Emoji = emoji
diff --git a/kernel/model/box.go b/kernel/model/box.go
index 9eb1102f4..23b963ef6 100644
--- a/kernel/model/box.go
+++ b/kernel/model/box.go
@@ -699,6 +699,11 @@ func ChangeBoxSort(boxIDs []string) {
 }
 
 func SetBoxIcon(boxID, icon string) {
+ if strings.Contains(icon, ".") {
+ // XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
+ icon = util.FilterUploadFileName(icon)
+ }
+
 box := &Box{ID: boxID}
 boxConf := box.GetConf()
 boxConf.Icon = icon
diff --git a/kernel/model/conf.go b/kernel/model/conf.go
index daeea45a3..feaabc449 100644
--- a/kernel/model/conf.go
+++ b/kernel/model/conf.go
@@ -231,6 +231,13 @@ func InitConf() {
 if 1 > len(Conf.Editor.Emoji) {
 Conf.Editor.Emoji = []string{}
 }
+ for i, emoji := range Conf.Editor.Emoji {
+ if strings.Contains(emoji, ".") {
+ // XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
+ emoji = util.FilterUploadFileName(emoji)
+ Conf.Editor.Emoji[i] = emoji
+ }
+ }
 if 9 > Conf.Editor.FontSize || 72 < Conf.Editor.FontSize {
 Conf.Editor.FontSize = 16
 }
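Review bot: The sanitizer on the new `e := ae.(string)` branch only runs when the value contains a `.`, so any request-supplied name without a dot is appended to `model.Conf.Editor.Emoji` untouched; unless `util.FilterUploadFileName` is only meaningful for file names, it would be safer to drop the `strings.Contains` gate and apply the filter (or an explicit allowlist check) to every element. The identical gate-plus-filter sequence is repeated in the box.go and conf.go hunks of this commit; extracting it into one helper, e.g. `func sanitizeEmojiName(name string) string`, would keep the three entry points from drifting apart when the rule changes. The new line also keeps the unchecked `ae.(string)` assertion on caller-controlled JSON, which panics on a non-string element; `e, ok := ae.(string)` with a `continue` or a 400 response on `!ok` would be more robust. setEmoji's body continues outside the hunk.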
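Review bot: SetBoxIcon is exported but has no doc comment, and the added guard now makes its contract less obvious (the stored icon may differ from the argument). Suggest adding above the signature: `// SetBoxIcon sets the icon of notebook boxID; an icon value containing a '.' is first passed through util.FilterUploadFileName (see issue 15034).` The function's body continues outside the hunk, so whether the caller is told about the rewritten value cannot be checked here.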
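Review bot: Inside the new loop, reassigning the range variable `emoji` before writing it back is redundant; `Conf.Editor.Emoji[i] = util.FilterUploadFileName(emoji)` does the same in one line and avoids reusing the loop variable for a different value. This only rewrites the in-memory slice at startup; whether the sanitized values are ever persisted back to the config file is outside the hunk, so a comment stating the intent (`// sanitize previously persisted names; the slice is saved on the next conf write`, if that is the case) would help the next reader. InitConf's body continues outside the hunk.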