From 77efc5cca4df46b88d4d5a9e3f4bd4af776b5f90 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Mon, 30 Dec 2024 23:09:00 +0800
Subject: [PATCH] :lock: XSS through emoji name https://github.com/siyuan-note/siyuan/issues/13658
---
 kernel/api/system.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/api/system.go b/kernel/api/system.go
index b0b5c4376..14c986b32 100644
--- a/kernel/api/system.go
+++ b/kernel/api/system.go
@@ -162,7 +162,7 @@ func getEmojiConf(c *gin.Context) {
 } else {
 for _, customEmoji := range customEmojis {
 name := customEmoji.Name()
- if strings.HasPrefix(name, ".") {
+ if strings.HasPrefix(name, ".") || strings.Contains(name, "<") {
 continue
 }
@@ -180,7 +180,7 @@ func getEmojiConf(c *gin.Context) {
 }
 name = subCustomEmoji.Name()
- if strings.HasPrefix(name, ".") {
+ if strings.HasPrefix(name, ".") || strings.Contains(name, "<") {
 continue
 }
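Review bot: The new `strings.Contains(name, "<")` test in the first hunk (and the identical one in the second hunk, for entries inside a custom-emoji sub-directory) is a single-character denylist. It rejects names that open a tag, but a name containing `"`, `'` or `&` still passes; whether that matters depends on how the client renders the name, which is not visible in this patch and should be confirmed. A broader filter such as `if strings.HasPrefix(name, ".") || strings.ContainsAny(name, "<>\"'&") {` would cover the attribute case, and the durable fix is to HTML-escape the name where it is written into markup rather than rely on the file listing being clean. Since the condition is now duplicated, consider moving it into one small helper with a comment that it exists because file names under the custom emoji directory are untrusted input, and logging skipped entries so a dropped emoji is diagnosable. The body of `getEmojiConf` starts and ends outside both hunks.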