
exploitDog


GHSA-w836-5gpm-7r93

Published: 21 Jan 2026
Source: github
GitHub: reviewed
CVSS4: 2.1
CVSS3: 4.6

Description

SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon

Summary

Reflected XSS in /api/icon/getDynamicIcon due to unsanitized SVG input.

Details

The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript.

PoC

Payload: test</text><script>alert(window.origin)</script><text>

  1. Open any note and click Change Icon -> Dynamic (Text).
  2. Change the color, paste the payload into the Custom field and click on this icon.
  3. Intercept and send the request, or get the path from devtools.
  4. The JavaScript payload executes after opening the URL.

Impact

Arbitrary JavaScript execution in the user's session context if the SVG is loaded directly. It also prevents using legitimate characters like < or > in icon text.
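The pattern described under Details, shown as an added Go example that is not SiYuan's own code: a hypothetical stand-in for the icon handler renders the content value into <text> verbatim (the vulnerable form), beside the hardened form that XML-escapes every user-controlled value, and a check that parses the resulting SVG with a real XML parser to confirm no element was injected. The template, function names and the #fff color value are assumptions for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Hypothetical stand-in for the handler (not SiYuan's code) with the flaw above.
const iconTmpl = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32">` +
	`<text x="16" y="20" fill="%s" text-anchor="middle">%s</text></svg>`

// renderUnsafe is the vulnerable pattern: query values are not XML-escaped.
func renderUnsafe(color, content string) string {
	return fmt.Sprintf(iconTmpl, color, content)
}

// escapeXML turns &, <, >, " and ' into entities so text cannot close <text>.
func escapeXML(s string) string {
	var b strings.Builder
	xml.EscapeText(&b, []byte(s)) // strings.Builder never fails to write
	return b.String()
}

// renderSafe is the hardened form: every user-controlled value is escaped.
func renderSafe(color, content string) string {
	return fmt.Sprintf(iconTmpl, escapeXML(color), escapeXML(content))
}

// inspect parses the SVG with a real XML parser; returns decoded text and whether <script> appeared.
func inspect(svg string) (string, bool, error) {
	dec := xml.NewDecoder(strings.NewReader(svg))
	var text strings.Builder
	hasScript := false
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return text.String(), hasScript, nil
		} else if err != nil {
			return "", false, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			hasScript = hasScript || t.Name.Local == "script"
		case xml.CharData:
			text.Write(t)
		}
	}
}
```

With the advisory's payload as content, renderUnsafe yields a document containing a <script> element, while renderSafe yields a document whose decoded <text> content is exactly the string the user typed, which also restores the ability to use < and > in icon text.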

Note

Tested version: (image)

Packages

Name: github.com/siyuan-note/siyuan/kernel (go)
Affected versions: < 0.0.0-20260118021606-5c0cc375b475
Patched version: 0.0.0-20260118021606-5c0cc375b475

EPSS

Percentile: 8%
Score: 0.00028
Low

CVSS4: 2.1 Low

CVSS3: 4.6 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 6.1
nvd
19 days ago

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.
