From 732ee2eef3fe8d587d60a676856d1d818ee2af1e Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Mon, 18 Nov 2024 15:19:41 +0800
Subject: [PATCH] :art: Fix XSS in the tag name https://github.com/siyuan-note/siyuan/issues/13168

---
 kernel/sql/asset.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/sql/asset.go b/kernel/sql/asset.go
index 6e933d5df..98d715c65 100644
--- a/kernel/sql/asset.go
+++ b/kernel/sql/asset.go
@@ -21,9 +21,8 @@ import (
 "path/filepath"
 "strings"
 
- "github.com/siyuan-note/filelock"
-
 "github.com/88250/lute/ast"
+ "github.com/siyuan-note/filelock"
 "github.com/siyuan-note/logging"
 "github.com/siyuan-note/siyuan/kernel/treenode"
 "github.com/siyuan-note/siyuan/kernel/util"
@@ -45,14 +44,15 @@ func docTagSpans(n *ast.Node) (ret []*Span) {
 if tagsVal := n.IALAttr("tags"); "" != tagsVal {
 tags := strings.Split(tagsVal, ",")
 for _, tag := range tags {
- markdown := "#" + tag + "#"
+ escaped := util.EscapeHTML(tag)
+ markdown := "#" + escaped + "#"
 span := &Span{
 ID: ast.NewNodeID(),
 BlockID: n.ID,
 RootID: n.ID,
 Box: n.Box,
 Path: n.Path,
- Content: tag,
+ Content: escaped,
 Markdown: markdown,
 Type: "tag",
 IAL: "",
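Review bot: In the `for _, tag := range tags` loop the HTML-escaped tag is what gets stored in `Content` and `Markdown`, so the index now holds the encoded form rather than the raw value of the `tags` attribute, and nothing in the code records that. I would add a comment above the new line, `// tag names come from the document's "tags" attribute; store them HTML-escaped because Span.Content and Span.Markdown may be rendered as HTML`, so a later cleanup does not revert it to `tag`. Two things are worth confirming outside this hunk: that code comparing a tag name against `Span.Content` uses the escaped form as well, and that `util.EscapeHTML` does not double-encode a value that `IALAttr` may already return escaped (I cannot tell from here). The render sink should still encode on output rather than rely on this write-side escaping alone. `docTagSpans` starts and ends outside the hunk.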