Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2025-12-16 14:40:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

🎨 Fix XSS in the tag name https://github.com/siyuan-note/siyuan/issues/13168

Browse source
This commit is contained in:
Daniel 2024-11-18 15:19:41 +08:00
parent a3e3809e07
commit 732ee2eef3
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
1 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
kernel/sql/asset.go
View file

@ -21,9 +21,8 @@ import (
"path/filepath" "path/filepath"
"strings" "strings"
"github.com/siyuan-note/filelock"
"github.com/88250/lute/ast" "github.com/88250/lute/ast"
"github.com/siyuan-note/filelock"
"github.com/siyuan-note/logging" "github.com/siyuan-note/logging"
"github.com/siyuan-note/siyuan/kernel/treenode" "github.com/siyuan-note/siyuan/kernel/treenode"
"github.com/siyuan-note/siyuan/kernel/util" "github.com/siyuan-note/siyuan/kernel/util"
@ -45,14 +44,15 @@ func docTagSpans(n *ast.Node) (ret []*Span) {
if tagsVal := n.IALAttr("tags"); "" != tagsVal { if tagsVal := n.IALAttr("tags"); "" != tagsVal {
tags := strings.Split(tagsVal, ",") tags := strings.Split(tagsVal, ",")
for _, tag := range tags { for _, tag := range tags {
markdown := "#" + tag + "#" escaped := util.EscapeHTML(tag)
markdown := "#" + escaped + "#"
span := &Span{ span := &Span{
ID: ast.NewNodeID(), ID: ast.NewNodeID(),
BlockID: n.ID, BlockID: n.ID,
RootID: n.ID, RootID: n.ID,
Box: n.Box, Box: n.Box,
Path: n.Path, Path: n.Path,
Content: tag, Content: escaped,
Markdown: markdown, Markdown: markdown,
Type: "tag", Type: "tag",
IAL: "", IAL: "",