🐛 Breadcrumb XSS https://github.com/siyuan-note/siyuan/issues/10753

2024-03-28 16:57:24 +08:00 · 2024-03-28 16:57:24 +08:00 · 42967694ef
commit 42967694ef
parent 62cc60c934
2 changed files with 22 additions and 4 deletions
--- a/kernel/model/blockinfo.go
+++ b/kernel/model/blockinfo.go
@ -366,6 +366,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
 			name = util.EscapeHTML(box.Name) + util.EscapeHTML(hPath)
 		} else if ast.NodeAttributeView == parent.Type {
 			name = treenode.GetAttributeViewName(parent.AttributeViewID)
+			name = util.EscapeHTML(name)
 		} else {
 			if "" == name {
 				if ast.NodeListItem == parent.Type {
@ -373,6 +374,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
 				} else {
 					name = gulu.Str.SubStr(renderBlockText(parent, excludeTypes), maxNameLen)
 				}
+				name = util.EscapeHTML(name)
 			}
 			if ast.NodeHeading == parent.Type {
 				headingLevel = parent.HeadingLevel
@ -389,6 +391,7 @@ func buildBlockBreadcrumb(node *ast.Node, excludeTypes []string) (ret []*BlockPa
 		if ast.NodeListItem == parent.Type {
 			if "" == name {
 				name = gulu.Str.SubStr(renderBlockText(fc, excludeTypes), maxNameLen)
+				name = util.EscapeHTML(name)
 			}
 		}

--- a/kernel/util/misc.go
+++ b/kernel/util/misc.go
@ -42,11 +42,26 @@ func RemoveElem[T any](s []T, index int) []T {
 	return append(s[:index], s[index+1:]...)
 }

-func EscapeHTML(s string) string {
-	if ContainsSubStr(s, []string{"&amp;", "&#39;", "&lt;", "&gt;", "&#34;", "&#13;"}) {
-		return s
+func EscapeHTML(s string) (ret string) {
+	ret = s
+	if "" == strings.TrimSpace(ret) {
+		return
 	}
-	return html.EscapeString(s)
+
+	ret = strings.ReplaceAll(ret, "&amp;", "__@amp__")
+	ret = strings.ReplaceAll(ret, "&#39;", "__@39__")
+	ret = strings.ReplaceAll(ret, "&lt;", "__@lt__")
+	ret = strings.ReplaceAll(ret, "&gt;", "__@gt__")
+	ret = strings.ReplaceAll(ret, "&#34;", "__@34__")
+	ret = strings.ReplaceAll(ret, "&#13;", "__@13__")
+	ret = html.EscapeString(ret)
+	ret = strings.ReplaceAll(ret, "__@amp__", "&amp;")
+	ret = strings.ReplaceAll(ret, "__@39__", "&#39;")
+	ret = strings.ReplaceAll(ret, "__@lt__", "&lt;")
+	ret = strings.ReplaceAll(ret, "__@gt__", "&gt;")
+	ret = strings.ReplaceAll(ret, "__@34__", "&#34;")
+	ret = strings.ReplaceAll(ret, "__@13__", "&#13;")
+	return
 }

 func Reverse(s string) string {