0ct0pu5/siyuan
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

🎨 Fix XSS in the tag name https://github.com/siyuan-note/siyuan/issues/13168

Browse source
This commit is contained in:
Daniel 2024-11-18 15:19:41 +08:00
parent a3e3809e07
commit 732ee2eef3
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
kernel/sql/asset.go
View file

@ -21,9 +21,8 @@ import (
"path/filepath"
"strings"
"github.com/siyuan-note/filelock"
"github.com/88250/lute/ast"
"github.com/siyuan-note/filelock"
"github.com/siyuan-note/logging"
"github.com/siyuan-note/siyuan/kernel/treenode"
"github.com/siyuan-note/siyuan/kernel/util"
@ -45,14 +44,15 @@ func docTagSpans(n *ast.Node) (ret []*Span) {
if tagsVal := n.IALAttr("tags"); "" != tagsVal {
tags := strings.Split(tagsVal, ",")
for _, tag := range tags {
markdown := "#" + tag + "#"
escaped := util.EscapeHTML(tag)
markdown := "#" + escaped + "#"
span := &Span{
ID: ast.NewNodeID(),
BlockID: n.ID,
RootID: n.ID,
Box: n.Box,
Path: n.Path,
Content: tag,
Content: escaped,
Markdown: markdown,
Type: "tag",
IAL: "",