From a2a46f8f392d7da433ecc8446213b546474582a4 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Fri, 15 Nov 2024 22:42:33 +0800
Subject: [PATCH] :art: Improve escaping https://github.com/siyuan-note/siyuan/issues/13135
---
 kernel/model/search.go | 7 +++----
 kernel/search/mark.go | 5 +----
 kernel/util/misc.go | 14 --------------
 3 files changed, 4 insertions(+), 22 deletions(-)
diff --git a/kernel/model/search.go b/kernel/model/search.go
index 12ffb6ae4..00439468f 100644
--- a/kernel/model/search.go
+++ b/kernel/model/search.go
@@ -618,11 +618,11 @@ func FindReplace(keyword, replacement string, replaceTypes map[string]bool, ids
 if 0 == method {
 if strings.Contains(n.TextMarkTextContent, escapedKey) {
- n.TextMarkTextContent = strings.ReplaceAll(n.TextMarkTextContent, escapedKey, replacement)
+ n.TextMarkTextContent = strings.ReplaceAll(n.TextMarkTextContent, escapedKey, util.EscapeHTML(replacement))
 }
 } else if 3 == method {
 if nil != escapedR && escapedR.MatchString(n.TextMarkTextContent) {
- n.TextMarkTextContent = escapedR.ReplaceAllString(n.TextMarkTextContent, replacement)
+ n.TextMarkTextContent = escapedR.ReplaceAllString(n.TextMarkTextContent, util.EscapeHTML(replacement))
 }
 }
 } else if n.IsTextMarkType("a") {
@@ -1559,12 +1559,11 @@ func fromSQLBlock(sqlBlock *sql.Block, terms string, beforeLen int) (block *Bloc
 }
 }
- content = util.EscapeHTML(content) // Search dialog XSS https://github.com/siyuan-note/siyuan/issues/8525
 content, _ = markSearch(content, terms, beforeLen)
 content = maxContent(content, 5120)
 tag, _ := markSearch(sqlBlock.Tag, terms, beforeLen)
 markdown := maxContent(sqlBlock.Markdown, 5120)
- fContent := util.EscapeHTML(sqlBlock.FContent) // fContent 会用于和 content 对比,在反链计算时用于判断是否是列表项下第一个子块,所以也需要转义 https://github.com/siyuan-note/siyuan/issues/11001
+ fContent := sqlBlock.FContent
 block = &Block{
 Box: sqlBlock.Box,
 Path: sqlBlock.Path,
diff --git a/kernel/search/mark.go b/kernel/search/mark.go
index f363a7a60..5cafc52c0 100644
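Review bot: `util.EscapeHTML(replacement)` is evaluated on both added lines inside the per-node loop, once for every matching text mark, although `replacement` never changes; compute `escapedReplacement := util.EscapeHTML(replacement)` once, next to where `escapedKey` is built, and use it in both branches. Escaping the replacement is consistent with the `strings.Contains(n.TextMarkTextContent, escapedKey)` check, which implies the stored mark content is already HTML-escaped, and in the regexp branch `html.EscapeString` leaves `$` untouched, so `$1`-style group references in the replacement still expand. Whether the `} else if n.IsTextMarkType("a")` branch that follows needs the same treatment cannot be judged from this hunk. FindReplace starts and continues outside the hunk.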
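Review bot: Dropping `content = util.EscapeHTML(content)` removes the escape that the deleted comment ties to the search-dialog XSS issue 8525, and the new code relies on `sqlBlock.Content` and `sqlBlock.FContent` already being HTML-escaped when they were indexed, an invariant this diff does not show. That invariant should be recorded where the escape used to be, e.g. `// content and fContent are already HTML-escaped at index time; escaping again double-escapes (issue 13135), and they must stay escaped (issue 8525)`, and a regression test that passes a block whose content contains `<` and `&` through fromSQLBlock and asserts the escaped forms survive would guard it. The same dependency applies to the mark.go hunk, where MarkText no longer escapes `text` and the callers now own that responsibility, yet MarkText has no doc comment stating that `text` must be pre-escaped. fromSQLBlock starts and continues outside the hunk.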
--- a/kernel/search/mark.go
+++ b/kernel/search/mark.go
@@ -23,16 +23,13 @@ import (
 "unicode/utf8"
 "github.com/88250/gulu"
- "github.com/88250/lute/lex"
- "github.com/siyuan-note/siyuan/kernel/util"
 )
 func MarkText(text string, keyword string, beforeLen int, caseSensitive bool) (pos int, marked string) {
 if "" == keyword {
- return -1, util.EscapeHTML(text)
+ return -1, text
 }
- text = util.EscapeHTML(text)
 keywords := SplitKeyword(keyword)
 marked = EncloseHighlighting(text, keywords, "", "", caseSensitive, false)
diff --git a/kernel/util/misc.go b/kernel/util/misc.go
index ac392fb3e..471aa4551 100644
--- a/kernel/util/misc.go
+++ b/kernel/util/misc.go
@@ -83,21 +83,7 @@ func EscapeHTML(s string) (ret string) {
 return
 }
- ret = strings.ReplaceAll(ret, "&", "__@amp__")
- ret = strings.ReplaceAll(ret, "'", "__@39__")
- ret = strings.ReplaceAll(ret, "<", "__@lt__")
- ret = strings.ReplaceAll(ret, ">", "__@gt__")
- ret = strings.ReplaceAll(ret, """, "__@34__")
- ret = strings.ReplaceAll(ret, " ", "__@13__")
 ret = html.EscapeString(ret)
- ret = strings.ReplaceAll(ret, "__@amp__", "&")
- ret = strings.ReplaceAll(ret, "__@39__", "'")
- ret = strings.ReplaceAll(ret, "__@lt__", "<")
- ret = strings.ReplaceAll(ret, "__@gt__", ">")
- ret = strings.ReplaceAll(ret, "__@34__", """)
- ret = strings.ReplaceAll(ret, "__@13__", " ")
- ret = strings.ReplaceAll(ret, "<", "&lt;")
- ret = strings.ReplaceAll(ret, ">", "&gt;")
 return
 }
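Review bot: With the entity-preserving pre- and post-replacements deleted, EscapeHTML reduces to `html.EscapeString` and is no longer idempotent: already-escaped input such as `&amp;` becomes `&amp;amp;`, which is presumably why the search.go and mark.go callers stop calling it in this same commit. The doc comment should state this contract, e.g. `// EscapeHTML escapes s with html.EscapeString. It is not idempotent: pass unescaped text only.`, and any remaining caller that receives stored, already-escaped content needs the same review. The early `return` for the empty string is now redundant, since `html.EscapeString("")` returns `""`, though it is harmless. The function's opening lines, including the assignment to `ret`, are outside the hunk.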