SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.5.9
A reflected cross-site scripting vulnerability has been identified in SiYuan versions prior to 3.5.10. The issue arises in the application's SVG sanitizer, which fails to properly validate href attributes for the 'javascript:' prefix. By inserting ASCII tab, newline, or carriage return characters into the 'javascript:' string, an attacker can bypass the prefix check. This exploitation takes advantage of how browsers process and strip these characters before interpreting the URL, allowing injected JavaScript to execute. The vulnerability is present in the '/api/icon/getDynamicIcon' endpoint and represents a second bypass of a previous fix for a related vulnerability.
Exploitation of this vulnerability allows for unauthenticated reflected cross-site scripting, with executed scripts running in the context of the SiYuan application.
To reproduce this vulnerability, send a GET request to the '/api/icon/getDynamicIcon' endpoint with a 'type' parameter set to '8' and a 'content' parameter that includes an SVG link element. The href attribute of the link should contain a 'javascript:' URL with an embedded tab, newline, or carriage return character, such as 'java\tscript:alert(document.domain)'. When the SVG is rendered and the link is clicked, the JavaScript will execute, demonstrating the cross-site scripting vulnerability.
Users can upgrade to SiYuan version 3.5.10 or later, where this vulnerability has been fixed.
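The check described above can be seen side by side with a hardened version in the following Go example, which is added here for illustration and is not SiYuan's own code: `naiveHasJavascriptScheme` reconstructs a raw prefix test that ASCII tab, LF or CR defeats, while `isSafeHref` first normalizes the value the way the WHATWG URL parser does (trim C0 controls and space, delete tab/LF/CR) and then allowlists schemes instead of denying `javascript:` by name.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveHasJavascriptScheme reconstructs the weak check the advisory describes
// (illustrative, not SiYuan's code): a prefix test on the raw attribute value.
func naiveHasJavascriptScheme(href string) bool {
	return strings.HasPrefix(strings.ToLower(href), "javascript:")
}

// normalizeURL mirrors the WHATWG URL parser's input normalization: trim
// leading/trailing C0 controls and space, then delete ASCII tab, LF and CR.
func normalizeURL(href string) string {
	href = strings.TrimFunc(href, func(r rune) bool { return r <= 0x20 })
	return strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1 // strings.Map drops the rune
		}
		return r
	}, href)
}

// hrefScheme returns the lower-cased scheme of a normalized URL, or "" for a
// relative reference (no ':' before the first '/', '?' or '#').
func hrefScheme(normalized string) string {
	colon := strings.IndexByte(normalized, ':')
	sep := strings.IndexAny(normalized, "/?#")
	if colon < 0 || (sep >= 0 && sep < colon) {
		return ""
	}
	return strings.ToLower(normalized[:colon])
}

// isSafeHref is the hardened check: normalize first, then allow only the
// schemes the sanitizer needs rather than denying "javascript:" by name.
func isSafeHref(href string) bool {
	switch hrefScheme(normalizeURL(href)) {
	case "", "http", "https":
		return true
	}
	return false
}

func main() {
	h := "java\tscript:alert(document.domain)" // bypass string from the advisory
	fmt.Printf("naive flags=%v hardened safe=%v\n", naiveHasJavascriptScheme(h), isSafeHref(h))
}
```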