From 5c0cc375b47567e15edd2119066b09bb0aa18777 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Sun, 18 Jan 2026 10:15:48 +0800
Subject: [PATCH] :lock: Do not execute scripts in serving SVG by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/16844
Signed-off-by: Daniel <845765@qq.com>
---
 kernel/api/icon.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/kernel/api/icon.go b/kernel/api/icon.go
index c0d56123d..f6f629ebc 100644
--- a/kernel/api/icon.go
+++ b/kernel/api/icon.go
@@ -164,6 +164,10 @@ func getDynamicIcon(c *gin.Context) {
 svg = generateTypeOneSVG(color, lang, dateInfo)
 }
 
+ if !model.Conf.Editor.AllowSVGScript {
+ svg = util.RemoveScriptsInSVG(svg)
+ }
+
 c.Header("Content-Type", "image/svg+xml")
 c.Header("Cache-Control", "no-cache")
 c.Header("Pragma", "no-cache")
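Review bot: The new guard makes the XSS fix depend entirely on how thorough util.RemoveScriptsInSVG is, and its implementation is not visible here; if it only drops `<script>` elements, an SVG served as a top-level document can still run code through `on*` event-handler attributes, `javascript:` hrefs or a `<foreignObject>`, so the helper's coverage should be confirmed (or documented at its definition) before treating the issue as closed. Since the response headers are set immediately below the added block, a Content-Security-Policy on this response is a cheap defence in depth that holds even if the sanitizer misses a case: `c.Header("Content-Security-Policy", "script-src 'none'")`, and `c.Header("X-Content-Type-Options", "nosniff")` alongside it. The commit message says scripts are blocked "by default", which presumes the new AllowSVGScript field defaults to false; that default is not in this hunk and is worth a one-line comment where the field is declared. getDynamicIcon begins and ends outside the hunk, so whether color and lang reach generateTypeOneSVG unescaped cannot be judged from here.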