From 8d9e786c772e78a54518c1cce30feca2d6f204be Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Wed, 25 Jun 2025 11:34:12 +0800
Subject: [PATCH] :lock: XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
---
 kernel/model/import.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/kernel/model/import.go b/kernel/model/import.go
index d2b0b3f46..f734fa3a3 100644
--- a/kernel/model/import.go
+++ b/kernel/model/import.go
@@ -180,6 +180,13 @@ func ImportSY(zipPath, boxID, toPath string) (err error) {
 blockIDs[n.ID] = newNodeID
 n.ID = newNodeID
 n.SetIALAttr("id", newNodeID)
+
+ if icon := n.IALAttr("icon"); "" != icon {
+ // XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
+ icon = util.FilterUploadEmojiFileName(icon)
+ n.SetIALAttr("icon", icon)
+ }
+
 return ast.WalkContinue
 })
 tree.ID = tree.Root.ID
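Review bot: The filter added inside the `ast.Walk` callback cleans `icon` only for trees that pass through `ImportSY`, so a crafted value that reaches the attribute by another route (a different import function, sync, or a direct attribute write, none of them visible in this hunk) would still get to the renderer unfiltered. It would be safer to also escape or validate `icon` at the place where it is written into HTML, and to treat this import-time filter as defence in depth. The helper's name suggests it was written for uploaded emoji file names, so it is worth confirming that it leaves legitimate icon values intact, for example a custom emoji stored under a subdirectory. The comment could state the rule rather than only the issue link, e.g. `// Imported .sy data is untrusted: filter icon before storing it, an unfiltered value caused XSS (issue 15034)`. `ImportSY` starts and ends outside the hunk.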