From 8653f7ee617c3c3677ab5eb843b4e0008a4c1f54 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Sun, 17 Nov 2024 10:57:23 +0800
Subject: [PATCH] :art: Fix XSS in the tag name https://github.com/siyuan-note/siyuan/issues/13168
---
 kernel/model/search.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/kernel/model/search.go b/kernel/model/search.go
index 00439468f..6a130cc21 100644
--- a/kernel/model/search.go
+++ b/kernel/model/search.go
@@ -1502,21 +1502,20 @@ func highlightByRegexp(query, typeFilter, id string) (ret []string) {
 func markSearch(text string, keyword string, beforeLen int) (marked string, score float64) {
 	if 0 == len(keyword) {
-		marked = text
-
-		if strings.Contains(marked, search.SearchMarkLeft) { // 使用 FTS snippet() 处理过高亮片段,这里简单替换后就返回
+		if strings.Contains(text, search.SearchMarkLeft) { // 使用 FTS snippet() 处理过高亮片段,这里简单替换后就返回
 			marked = util.EscapeHTML(text)
 			marked = strings.ReplaceAll(marked, search.SearchMarkLeft, "")
 			marked = strings.ReplaceAll(marked, search.SearchMarkRight, "")
 			return
 		}
-		keywords := gulu.Str.SubstringsBetween(marked, search.SearchMarkLeft, search.SearchMarkRight)
+		keywords := gulu.Str.SubstringsBetween(text, search.SearchMarkLeft, search.SearchMarkRight)
 		keywords = gulu.Str.RemoveDuplicatedElem(keywords)
 		keyword = strings.Join(keywords, search.TermSep)
-		marked = strings.ReplaceAll(marked, search.SearchMarkLeft, "")
+		marked = strings.ReplaceAll(text, search.SearchMarkLeft, "")
 		marked = strings.ReplaceAll(marked, search.SearchMarkRight, "")
 		_, marked = search.MarkText(marked, keyword, beforeLen, Conf.Search.CaseSensitive)
+		marked = util.EscapeHTML(marked)
 		return
 	}
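Review bot: The tail of the empty-keyword branch is effectively dead after the early return in the `strings.Contains` block: once that condition is false, `text` holds no `search.SearchMarkLeft`, so `gulu.Str.SubstringsBetween(text, search.SearchMarkLeft, search.SearchMarkRight)` yields nothing, `keyword` is joined to the empty string, both `strings.ReplaceAll` calls are no-ops, and `search.MarkText` runs with an empty keyword. Either the early return was meant to fall through so the extracted keywords are re-marked, or the remaining lines collapse to `marked = util.EscapeHTML(text)`; this commit touches those lines, so it is the moment to decide. The new `marked = util.EscapeHTML(marked)` runs after `search.MarkText`, which keeps highlighting intact only if the markers MarkText inserts are plain placeholders rather than HTML — the first branch escapes before stripping them, which suggests they are, but please confirm. markSearch continues past the hunk; its non-empty-keyword path should escape the same way so both return paths yield HTML-safe snippets.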