🔒 Do not execute scripts in serving SVG by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/16844

Signed-off-by: Daniel <845765@qq.com>
2026-03-03 02:37:02 +00:00 · 2026-01-18 10:15:48 +08:00
parent dbeb703ad1
commit 5c0cc375b4
1 changed files with 4 additions and 0 deletions
--- a/kernel/api/icon.go
+++ b/kernel/api/icon.go
@@ -164,6 +164,10 @@ func getDynamicIcon(c *gin.Context) {
 		svg = generateTypeOneSVG(color, lang, dateInfo)
 	}

+	if !model.Conf.Editor.AllowSVGScript {
+		svg = util.RemoveScriptsInSVG(svg)
+	}
+
 	c.Header("Content-Type", "image/svg+xml")
 	c.Header("Cache-Control", "no-cache")
 	c.Header("Pragma", "no-cache")