Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2025-12-28 12:28:48 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

🔒 XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034

Browse source
This commit is contained in:
Daniel 2025-06-25 12:52:34 +08:00
parent 2fb8e373af
commit 9718d3b1c8
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
1 changed files with 15 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

15
kernel/model/blockial.go
View file

@ -250,6 +250,21 @@ func setNodeAttrs0(node *ast.Node, nameValues map[string]string) (oldAttrs map[s
func pushBroadcastAttrTransactions(oldAttrs map[string]string, node *ast.Node) {
newAttrs := parse.IAL2Map(node.KramdownIAL)
// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
for name, value := range oldAttrs {
if "icon" == name {
value = util.FilterUploadEmojiFileName(value)
oldAttrs[name] = value
}
}
for name, value := range newAttrs {
if "icon" == name {
value = util.FilterUploadEmojiFileName(value)
newAttrs[name] = value
}
}
data := map[string]interface{}{"old": oldAttrs, "new": newAttrs}
if "" != node.AttributeViewType {
data["data-av-type"] = node.AttributeViewType