Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2026-03-12 15:42:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

🔒 XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034 https://github.com/siyuan-note/siyuan/pull/15041

Browse source
This commit is contained in:
Daniel 2025-06-17 17:00:29 +08:00
parent 3a991f8075
commit 526e436fbc
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
3 changed files with 18 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
kernel/model/box.go
View file

@ -699,6 +699,11 @@ func ChangeBoxSort(boxIDs []string) {
}
func SetBoxIcon(boxID, icon string) {
if strings.Contains(icon, ".") {
// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
icon = util.FilterUploadFileName(icon)
}
box := &Box{ID: boxID}
boxConf := box.GetConf()
boxConf.Icon = icon