Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2026-01-29 03:36:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

🔒 Do not execute scripts in serving SVG by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/16844

Browse source 
Signed-off-by: Daniel <845765@qq.com>
This commit is contained in:
Daniel 2026-01-18 10:15:48 +08:00
parent dbeb703ad1
commit 5c0cc375b4
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
1 changed files with 4 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
kernel/api/icon.go
View file

@ -164,6 +164,10 @@ func getDynamicIcon(c *gin.Context) {
svg = generateTypeOneSVG(color, lang, dateInfo)
}
if !model.Conf.Editor.AllowSVGScript {
svg = util.RemoveScriptsInSVG(svg)
}
c.Header("Content-Type", "image/svg+xml")
c.Header("Cache-Control", "no-cache")
c.Header("Pragma", "no-cache")