Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2025-12-18 07:30:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

🔒 XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034 https://github.com/siyuan-note/siyuan/pull/15041

Browse source
This commit is contained in:
Daniel 2025-06-17 11:18:38 +08:00
parent 76d3fa3895
commit f95d3b99bd
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
1 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
kernel/model/box.go
View file

@ -127,10 +127,16 @@ func ListNotebooks() (ret []*Box, err error) {
} }
id := dir.Name() id := dir.Name()
icon := boxConf.Icon
if strings.Contains(icon, ".") { // 说明是自定义图标
// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
icon = util.FilterUploadFileName(icon)
}
box := &Box{ box := &Box{
ID: id, ID: id,
Name: boxConf.Name, Name: boxConf.Name,
Icon: boxConf.Icon, Icon: icon,
Sort: boxConf.Sort, Sort: boxConf.Sort,
SortMode: boxConf.SortMode, SortMode: boxConf.SortMode,
Closed: boxConf.Closed, Closed: boxConf.Closed,