🔒 getDynamicIcon interface XSS vulnerability https://github.com/siyuan-note/siyuan/issues/17166

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-5hc8-qmg8-pw27

Signed-off-by: Daniel <845765@qq.com>

kernel/util/misc.go

@@ -247,7 +247,8 @@ func SanitizeSVG(svgInput string) string {
 			next := c.NextSibling
 			if c.Type == html.ElementNode {
 				tag := strings.ToLower(c.Data)
-				if tag == "script" || tag == "iframe" || tag == "object" || tag == "embed" || tag == "foreignobject" {
+				if tag == "script" || tag == "iframe" || tag == "object" || tag == "embed" || tag == "foreignobject" || "animate" == tag ||
+					"animatetransform" == tag || "animatecolor" == tag || "animatemotion" == tag || "set" == tag {
 					n.RemoveChild(c)
 					c = next
 					continue
@@ -266,6 +267,13 @@ func SanitizeSVG(svgInput string) string {
 							continue
 						}
 
+						if key == "values" || key == "from" || key == "to" {
+							// 删除 animate* 元素的 values、from、to 属性以防止恶意动画
+							if strings.Contains(val, "javascript:") {
+								continue
+							}
+						}
+
 						// 删除 href 或 xlink:href 指向 javascript: 或某些不安全的 data: URI
 						if key == "href" || key == "xlink:href" || key == "xlinkhref" {
 							if strings.HasPrefix(val, "javascript:") {