🔒 Some XSS vulnerabilities #13171

siyuan-note · Nov 17, 2024 · 096fea2 · 096fea2
1 parent 74db798
commit 096fea2
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 14 deletions.
diff --git a/kernel/filesys/tree.go b/kernel/filesys/tree.go
@@ -169,7 +169,7 @@ func LoadTreeByData(data []byte, boxID, p string, luteEngine *lute.Lute) (ret *p
 		if "" == title {
 			title = "Untitled"
 		}
-		hPathBuilder.WriteString(title)
+		hPathBuilder.WriteString(util.UnescapeHTML(title))
 		hPathBuilder.WriteString("/")
 	}
 	hPathBuilder.WriteString(ret.Root.IALAttr("title"))
@@ -301,13 +301,3 @@ func parseJSON2Tree(boxID, p string, jsonData []byte, luteEngine *lute.Lute) (re
 	}
 	return
 }
-
-func ReadDocIAL(data []byte) (ret map[string]string) {
-	ret = map[string]string{}
-	val := jsoniter.Get(data, "Properties")
-	if nil == val || val.ValueType() == jsoniter.InvalidValue {
-		return
-	}
-	val.ToVal(&ret)
-	return
-}
diff --git a/kernel/model/export.go b/kernel/model/export.go
@@ -3046,7 +3046,7 @@ func getExportBlockRefLinkText(blockRef *ast.Node, blockRefTextLeft, blockRefTex
 	if "" == linkText {
 		linkText = sql.GetRefText(defID)
 	}
-	linkText = html.UnescapeHTMLStr(linkText) // 块引锚文本导出时 `&` 变为实体 `&amp;` https://github.com/siyuan-note/siyuan/issues/7659
+	linkText = util.UnescapeHTML(linkText) // 块引锚文本导出时 `&` 变为实体 `&amp;` https://github.com/siyuan-note/siyuan/issues/7659
 	if Conf.Editor.BlockRefDynamicAnchorTextMaxLen < utf8.RuneCountInString(linkText) {
 		linkText = gulu.Str.SubStr(linkText, Conf.Editor.BlockRefDynamicAnchorTextMaxLen) + "..."
 	}

diff --git a/kernel/sql/block.go b/kernel/sql/block.go
@@ -253,11 +253,11 @@ func nodeStaticContent(node *ast.Node, excludeTypes []string, includeTextMarkATi
 			if n.IsTextMarkType("a") && includeTextMarkATitleURL {
 				// 搜索不到超链接元素的 URL 和标题 https://github.com/siyuan-note/siyuan/issues/7352
 				if "" != n.TextMarkATitle {
-					buf.WriteString(" " + html.UnescapeHTMLStr(n.TextMarkATitle))
+					buf.WriteString(" " + util.UnescapeHTML(n.TextMarkATitle))
 				}
 
 				if !strings.HasPrefix(n.TextMarkAHref, "assets/") || includeAssetPath {
-					buf.WriteString(" " + html.UnescapeHTMLStr(n.TextMarkAHref))
+					buf.WriteString(" " + util.UnescapeHTML(n.TextMarkAHref))
 				}
 			}
 		case ast.NodeBackslashContent:

diff --git a/kernel/util/misc.go b/kernel/util/misc.go
@@ -87,6 +87,16 @@ func EscapeHTML(s string) (ret string) {
 	return
 }
 
+func UnescapeHTML(s string) (ret string) {
+	ret = s
+	if "" == strings.TrimSpace(ret) {
+		return
+	}
+
+	ret = html.UnescapeString(ret)
+	return
+}
+
 func Reverse(s string) string {
 	runes := []rune(s)
 	for i, j := 0, len(runes)-1; i < j; i, j = i+1, j-1 {