From 9718d3b1c8274be6d30aedf2ba2e2513cdbcaa12 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Wed, 25 Jun 2025 12:52:34 +0800
Subject: [PATCH] :lock: XSS through emoji name
 https://github.com/siyuan-note/siyuan/issues/15034

---
 kernel/model/blockial.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/kernel/model/blockial.go b/kernel/model/blockial.go
index 2d64f1bd3..24c6fb9f6 100644
--- a/kernel/model/blockial.go
+++ b/kernel/model/blockial.go
@@ -250,6 +250,21 @@ func setNodeAttrs0(node *ast.Node, nameValues map[string]string) (oldAttrs map[s
 
 func pushBroadcastAttrTransactions(oldAttrs map[string]string, node *ast.Node) {
 	newAttrs := parse.IAL2Map(node.KramdownIAL)
+
+	// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
+	for name, value := range oldAttrs {
+		if "icon" == name {
+			value = util.FilterUploadEmojiFileName(value)
+			oldAttrs[name] = value
+		}
+	}
+	for name, value := range newAttrs {
+		if "icon" == name {
+			value = util.FilterUploadEmojiFileName(value)
+			newAttrs[name] = value
+		}
+	}
+
 	data := map[string]interface{}{"old": oldAttrs, "new": newAttrs}
 	if "" != node.AttributeViewType {
 		data["data-av-type"] = node.AttributeViewType