From db186390800d435d689fd40022d6042b0822aa66 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Sun, 15 Jun 2025 17:06:43 +0800
Subject: [PATCH] :lock: XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
---
 kernel/api/system.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/api/system.go b/kernel/api/system.go
index 47d02a0f4..63430354f 100644
--- a/kernel/api/system.go
+++ b/kernel/api/system.go
@@ -165,7 +165,7 @@ func getEmojiConf(c *gin.Context) {
 } else {
 for _, customEmoji := range customEmojis {
 name := customEmoji.Name()
- if strings.HasPrefix(name, ".") || strings.Contains(name, "<") {
+ if strings.HasPrefix(name, ".") || strings.ContainsAny(name, "<\"") {
 continue
 }
@@ -183,7 +183,7 @@ func getEmojiConf(c *gin.Context) {
 }
 name = subCustomEmoji.Name()
- if strings.HasPrefix(name, ".") || strings.Contains(name, "<") {
+ if strings.HasPrefix(name, ".") || strings.ContainsAny(name, "<\"") {
 continue
 }
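Review bot: The name filter is still a character denylist, both here in the `customEmoji` loop and in the second hunk's `subCustomEmoji` loop, so file names containing `'`, `>` or `&` still pass. Whether those are exploitable depends on how the client embeds the name in markup, which these hunks do not show, so the durable fix is to HTML-escape the name where it is rendered and keep this check as defence in depth. If the check stays, widening it at both sites is a one-line change: `if strings.HasPrefix(name, ".") || strings.ContainsAny(name, "<>\"'&") {`. The condition is duplicated verbatim, so moving it into one small helper with a comment such as `// reject emoji file names that could break out of HTML text or attribute context` would stop the two sites drifting apart. The body of `getEmojiConf` starts and ends outside both hunks, so later uses of `name` could not be checked.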