From 9c4b184bef924f76b4f036663111246f5fb7c95f Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Mon, 9 Mar 2026 16:10:44 +0800
Subject: [PATCH] :lock: `getDynamicIcon` interface XSS vulnerability

https://github.com/siyuan-note/siyuan/issues/17166
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-5hc8-qmg8-pw27

Signed-off-by: Daniel <845765@qq.com>
---
 kernel/util/misc.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/kernel/util/misc.go b/kernel/util/misc.go
index d097c1621..baee4dc8f 100644
--- a/kernel/util/misc.go
+++ b/kernel/util/misc.go
@@ -247,7 +247,8 @@ func SanitizeSVG(svgInput string) string {
 next := c.NextSibling
 if c.Type == html.ElementNode {
 tag := strings.ToLower(c.Data)
-if tag == "script" || tag == "iframe" || tag == "object" || tag == "embed" || tag == "foreignobject" {
+if tag == "script" || tag == "iframe" || tag == "object" || tag == "embed" || tag == "foreignobject" || "animate" == tag ||
+"animatetransform" == tag || "animatecolor" == tag || "animatemotion" == tag || "set" == tag {
 n.RemoveChild(c)
 c = next
 continue
@@ -266,6 +267,13 @@ func SanitizeSVG(svgInput string) string {
 continue
 }
 
+if key == "values" || key == "from" || key == "to" {
+// 删除 animate* 元素的 values、from、to 属性以防止恶意动画
+if strings.Contains(val, "javascript:") {
+continue
+}
+}
+
 // 删除 href 或 xlink:href 指向 javascript: 或某些不安全的 data: URI
 if key == "href" || key == "xlink:href" || key == "xlinkhref" {
 if strings.HasPrefix(val, "javascript:") {
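Review bot: The extended tag condition mixes `tag == "script"` with Yoda-style `"animate" == tag` inside one expression that now wraps onto a second line; a `switch tag { case "script", "iframe", "object", "embed", "foreignobject", "animate", "animatetransform", "animatecolor", "animatemotion", "set":` with the existing `n.RemoveChild(c)` body (or a package-level `map[string]struct{}` of blocked element names) keeps the list in one place and in one style. Because this is a denylist, each newly reported scriptable or animatable element needs another patch like this one; an allowlist of the SVG elements the icon endpoint actually requires would be the more durable design, and a comment naming the advisory that motivated the animate*/set additions would help the next reader. The enclosing loop and the body of SanitizeSVG start and end outside the hunk.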
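Review bot: The comment on the new `values`/`from`/`to` branch says the attributes are removed, but the code only drops them when the value contains `javascript:`, so comment and behaviour disagree; either drop them unconditionally with `if key == "values" || key == "from" || key == "to" { continue }` if no element surviving the animate*/set removal above needs them, or reword the comment to `// drop values/from/to that carry a javascript: payload (animate* elements are already removed; defence in depth)`. The substring match is also case-sensitive and does not trim surrounding whitespace, whereas URL scheme matching in browsers is case-insensitive and tolerant of leading whitespace; unless `val` is normalised before this point (its assignment is outside the hunk), `strings.Contains(strings.ToLower(strings.TrimSpace(val)), "javascript:")` is the safer form, and the same observation applies to the `strings.HasPrefix(val, "javascript:")` check on `href` just below. The attribute loop and SanitizeSVG itself start and end outside the hunk.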