This commit is contained in:
Daniel 2024-11-15 22:42:33 +08:00
parent 7b342fc004
commit a2a46f8f39
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
3 changed files with 4 additions and 22 deletions


@ -618,11 +618,11 @@ func FindReplace(keyword, replacement string, replaceTypes map[string]bool, ids
if 0 == method { if 0 == method {
if strings.Contains(n.TextMarkTextContent, escapedKey) { if strings.Contains(n.TextMarkTextContent, escapedKey) {
n.TextMarkTextContent = strings.ReplaceAll(n.TextMarkTextContent, escapedKey, replacement) n.TextMarkTextContent = strings.ReplaceAll(n.TextMarkTextContent, escapedKey, util.EscapeHTML(replacement))
} }
} else if 3 == method { } else if 3 == method {
if nil != escapedR && escapedR.MatchString(n.TextMarkTextContent) { if nil != escapedR && escapedR.MatchString(n.TextMarkTextContent) {
n.TextMarkTextContent = escapedR.ReplaceAllString(n.TextMarkTextContent, replacement) n.TextMarkTextContent = escapedR.ReplaceAllString(n.TextMarkTextContent, util.EscapeHTML(replacement))
} }
} }
} else if n.IsTextMarkType("a") { } else if n.IsTextMarkType("a") {
@ -1559,12 +1559,11 @@ func fromSQLBlock(sqlBlock *sql.Block, terms string, beforeLen int) (block *Bloc
} }
} }
content = util.EscapeHTML(content) // Search dialog XSS https://github.com/siyuan-note/siyuan/issues/8525
content, _ = markSearch(content, terms, beforeLen) content, _ = markSearch(content, terms, beforeLen)
content = maxContent(content, 5120) content = maxContent(content, 5120)
tag, _ := markSearch(sqlBlock.Tag, terms, beforeLen) tag, _ := markSearch(sqlBlock.Tag, terms, beforeLen)
markdown := maxContent(sqlBlock.Markdown, 5120) markdown := maxContent(sqlBlock.Markdown, 5120)
fContent := util.EscapeHTML(sqlBlock.FContent) // fContent 会用于和 content 对比,在反链计算时用于判断是否是列表项下第一个子块,所以也需要转义 https://github.com/siyuan-note/siyuan/issues/11001 fContent := sqlBlock.FContent
block = &Block{ block = &Block{
Box: sqlBlock.Box, Box: sqlBlock.Box,
Path: sqlBlock.Path, Path: sqlBlock.Path,
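Review bot: The server-side escape that the deleted comment ties to the search dialog XSS (issue 8525), `content = util.EscapeHTML(content)`, is removed from fromSQLBlock with no compensating control visible in this hunk, so the `content` that goes through `markSearch` (which inserts `<mark>` tags) now carries raw block text; unless the caller of fromSQLBlock or the renderer escapes it before display, this looks like it reopens that injection path, and the commit should say where the escaping now happens. Reading the right-hand copy of each doubled line as the new side (the dropped `util` import in the MarkText section fixes that direction), `fContent` also loses its escape together with the comment from issue 11001 explaining that fContent must match content's encoding because the backlink code compares them; the two stay consistent here, but the invariant is now undocumented, so keep a short comment on that line such as `fContent := sqlBlock.FContent // must use the same escaping as content: backlink code compares them to detect the first child of a list item (#11001)`. fromSQLBlock starts and ends outside the hunk, and the earlier FindReplace hunk has the same direction question.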


@ -23,16 +23,13 @@ import (
"unicode/utf8" "unicode/utf8"
"github.com/88250/gulu" "github.com/88250/gulu"
"github.com/88250/lute/lex" "github.com/88250/lute/lex"
"github.com/siyuan-note/siyuan/kernel/util"
) )
func MarkText(text string, keyword string, beforeLen int, caseSensitive bool) (pos int, marked string) { func MarkText(text string, keyword string, beforeLen int, caseSensitive bool) (pos int, marked string) {
if "" == keyword { if "" == keyword {
return -1, util.EscapeHTML(text) return -1, text
} }
text = util.EscapeHTML(text)
keywords := SplitKeyword(keyword) keywords := SplitKeyword(keyword)
marked = EncloseHighlighting(text, keywords, "<mark>", "</mark>", caseSensitive, false) marked = EncloseHighlighting(text, keywords, "<mark>", "</mark>", caseSensitive, false)
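Review bot: MarkText now builds `<mark>` markup around `text` without escaping it (the `text = util.EscapeHTML(text)` line and the early `util.EscapeHTML(text)` return are gone, and the `util` import is dropped), which silently moves the escaping obligation to every caller; a caller that passes raw block content will get HTML-bearing text interleaved with the `<mark>` tags. That contract change is not stated anywhere in the hunk, so the function should document it, e.g. `// MarkText wraps each keyword occurrence in text with <mark> tags. text must already be HTML-escaped; MarkText does not escape it.` MarkText's body continues past the end of the hunk.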


@ -83,21 +83,7 @@ func EscapeHTML(s string) (ret string) {
return return
} }
ret = strings.ReplaceAll(ret, "&amp;", "__@amp__")
ret = strings.ReplaceAll(ret, "&#39;", "__@39__")
ret = strings.ReplaceAll(ret, "&lt;", "__@lt__")
ret = strings.ReplaceAll(ret, "&gt;", "__@gt__")
ret = strings.ReplaceAll(ret, "&#34;", "__@34__")
ret = strings.ReplaceAll(ret, "&#13;", "__@13__")
ret = html.EscapeString(ret) ret = html.EscapeString(ret)
ret = strings.ReplaceAll(ret, "__@amp__", "&amp;")
ret = strings.ReplaceAll(ret, "__@39__", "&#39;")
ret = strings.ReplaceAll(ret, "__@lt__", "&lt;")
ret = strings.ReplaceAll(ret, "__@gt__", "&gt;")
ret = strings.ReplaceAll(ret, "__@34__", "&#34;")
ret = strings.ReplaceAll(ret, "__@13__", "&#13;")
ret = strings.ReplaceAll(ret, "&lt;", "&amp;lt;")
ret = strings.ReplaceAll(ret, "&gt;", "&amp;gt;")
return return
} }
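Review bot: EscapeHTML is no longer safe to apply to already-escaped input: the deleted round-trip preserved existing `&amp;`, `&lt;`, `&gt;`, `&#39;`, `&#34;` and `&#13;` entities, whereas plain `html.EscapeString` turns `&lt;` into `&amp;lt;`, so any remaining caller that escapes twice along a pipeline will now show literal entity text to the user. Since the commit also removes call sites, this may be intended, but the new contract should be written on the function so the next caller does not reintroduce the double encoding, e.g. `// EscapeHTML escapes s for use as HTML text content. It is not idempotent: escaping text that already contains entities double-encodes them.` The function's signature and the early-return condition above `return` sit outside the hunk.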