Merge remote-tracking branch 'origin/dev' into dev

kernel/api/block.go

@@ -627,10 +627,6 @@ func getBlockInfo(c *gin.Context) {
 	rootTitle := root.IAL["title"]
 	rootTitle = html.UnescapeString(rootTitle)
 	icon := root.IAL["icon"]
-	if strings.Contains(icon, ".") {
-		// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
-		icon = util.FilterUploadEmojiFileName(icon)
-	}
 	ret.Data = map[string]string{
 		"box":         block.Box,
 		"path":        block.Path,

kernel/filesys/json_parser.go

@@ -25,6 +25,7 @@ import (
 	"github.com/88250/lute/editor"
 	"github.com/88250/lute/parse"
 	"github.com/siyuan-note/siyuan/kernel/treenode"
+	"github.com/siyuan-note/siyuan/kernel/util"
 )
 
 func ParseJSONWithoutFix(jsonData []byte, options *parse.Options) (ret *parse.Tree, err error) {
@@ -57,6 +58,14 @@ func ParseJSON(jsonData []byte, options *parse.Options) (ret *parse.Tree, needFi
 	}
 
 	ret = &parse.Tree{Name: "", ID: root.ID, Root: &ast.Node{Type: ast.NodeDocument, ID: root.ID, Spec: root.Spec}, Context: &parse.Context{ParseOption: options}}
+	if icon := root.Properties["icon"]; "" != icon {
+		// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
+		if newIcon := util.FilterUploadEmojiFileName(icon); newIcon != icon {
+			root.Properties["icon"] = newIcon
+			needFix = true
+		}
+	}
+
 	ret.Root.KramdownIAL = parse.Map2IAL(root.Properties)
 	ret.Root.SetIALAttr("type", "doc")
 	for _, kv := range ret.Root.KramdownIAL {

kernel/go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/88250/epub v0.0.0-20230830085737-c19055cd1f48
 	github.com/88250/go-humanize v0.0.0-20240424102817-4f78fac47ea7
 	github.com/88250/gulu v1.2.3-0.20250227144607-7f4570b0d689
-	github.com/88250/lute v1.7.7-0.20250622030929-fb99373b041d
+	github.com/88250/lute v1.7.7-0.20250625044303-5ab6277d58be
 	github.com/88250/vitess-sqlparser v0.0.0-20210205111146-56a2ded2aba1
 	github.com/ClarkThan/ahocorasick v0.0.0-20231011042242-30d1ef1347f4
 	github.com/ConradIrwin/font v0.2.1

kernel/go.sum

@@ -14,8 +14,8 @@ github.com/88250/go-sqlite3 v1.14.13-0.20231214121541-e7f54c482950 h1:Pa5hMiBceT
 github.com/88250/go-sqlite3 v1.14.13-0.20231214121541-e7f54c482950/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/88250/gulu v1.2.3-0.20250227144607-7f4570b0d689 h1:39y5g7vnFAIcXhTN3IXPk7h2xBhC4a9hBTykDhHJqRY=
 github.com/88250/gulu v1.2.3-0.20250227144607-7f4570b0d689/go.mod h1:c8uVw25vW2W4dhJ/j4iYsX5H1hc19spim266jO5x2hU=
-github.com/88250/lute v1.7.7-0.20250622030929-fb99373b041d h1:qhAsohKw5Jyo7wW64uKCgj+EAhaEGjb7DzBnURndU8I=
-github.com/88250/lute v1.7.7-0.20250622030929-fb99373b041d/go.mod h1:WYyUw//5yVw9BJnoVjx7rI/3szsISxNZCYGOqTIrV0o=
+github.com/88250/lute v1.7.7-0.20250625044303-5ab6277d58be h1:iZRHLhrEvLV+p1cfDHz2vdpr4tgWRP26TYaKqczJCtE=
+github.com/88250/lute v1.7.7-0.20250625044303-5ab6277d58be/go.mod h1:WYyUw//5yVw9BJnoVjx7rI/3szsISxNZCYGOqTIrV0o=
 github.com/88250/pdfcpu v0.3.14-0.20250424122812-f10e8d9d8d46 h1:Bq1JsDfVbHKUxNL/B2JXd8cC/1h6aFjrlXpGycnh0Hk=
 github.com/88250/pdfcpu v0.3.14-0.20250424122812-f10e8d9d8d46/go.mod h1:fVfOloBzs2+W2VJCCbq60XIxc3yJHAZ0Gahv1oO0gyI=
 github.com/88250/vitess-sqlparser v0.0.0-20210205111146-56a2ded2aba1 h1:48T899JQDwyyRu9yXHePYlPdHtpJfrJEUGBMH3SMBWY=

kernel/model/blockinfo.go

@@ -65,13 +65,6 @@ func GetDocInfo(blockID string) (ret *BlockInfo) {
 	title := tree.Root.IALAttr("title")
 	ret = &BlockInfo{ID: blockID, RootID: tree.Root.ID, Name: title}
 	ret.IAL = parse.IAL2Map(tree.Root.KramdownIAL)
-	icon := ret.IAL["icon"]
-	if strings.Contains(icon, ".") {
-		// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
-		icon = util.FilterUploadEmojiFileName(icon)
-		ret.IAL["icon"] = icon
-	}
-
 	scrollData := ret.IAL["scroll"]
 	if 0 < len(scrollData) {
 		scroll := map[string]interface{}{}
@@ -138,12 +131,7 @@ func GetDocInfo(blockID string) (ret *BlockInfo) {
 		}
 	}
 	ret.SubFileCount = subFileCount
-	icon = tree.Root.IALAttr("icon")
-	if strings.Contains(icon, ".") {
-		// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
-		icon = util.FilterUploadEmojiFileName(icon)
-	}
-	ret.Icon = icon
+	ret.Icon = tree.Root.IALAttr("icon")
 	return
 }
 

kernel/model/file.go

@@ -80,12 +80,7 @@ func (box *Box) docFromFileInfo(fileInfo *FileInfo, ial map[string]string) (ret
 	ret.Path = fileInfo.path
 	ret.Size = uint64(fileInfo.size)
 	ret.Name = ial["title"] + ".sy"
-	icon := ial["icon"]
-	if strings.Contains(icon, ".") {
-		// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
-		icon = util.FilterUploadEmojiFileName(icon)
-	}
-	ret.Icon = icon
+	ret.Icon = ial["icon"]
 	ret.ID = ial["id"]
 	ret.Name1 = ial["name"]
 	ret.Alias = ial["alias"]