Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2025-12-26 19:38:48 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

🔒 XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034

Browse source
This commit is contained in:
Daniel 2025-06-25 11:34:12 +08:00
parent 3c00382811
commit 8d9e786c77
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
1 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
kernel/model/import.go
View file

@ -180,6 +180,13 @@ func ImportSY(zipPath, boxID, toPath string) (err error) {
blockIDs[n.ID] = newNodeID
n.ID = newNodeID
n.SetIALAttr("id", newNodeID)
if icon := n.IALAttr("icon"); "" != icon {
// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
icon = util.FilterUploadEmojiFileName(icon)
n.SetIALAttr("icon", icon)
}
return ast.WalkContinue
})
tree.ID = tree.Root.ID