SiYuan Knowledge Management System Reflected Cross-Site Scripting Vulnerability in SVG Sanitization

Vulnerability

A reflected cross-site scripting vulnerability has been identified in SiYuan, a personal knowledge management system, affecting versions from 3.6.0 up to, but not including, 3.6.2. The issue arises in the 'SanitizeSVG' function, which was introduced in version 3.6.0 to address cross-site scripting in the unauthenticated '/api/icon/getDynamicIcon' endpoint. The sanitizer can be bypassed with namespace-prefixed element names, such as '<x:script xmlns:x="http://www.w3.org/2000/svg">'. The Go HTML5 parser reports the element's tag name as 'x:script' rather than 'script', so the tag passes the sanitizer's check. The output is then served with a 'Content-Type' of 'image/svg+xml' and without a Content Security Policy. When a browser opens the response directly, its XML parser resolves the prefix to the SVG namespace and executes the embedded script.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute JavaScript in the context of the victim's browser session.

Reproduction

To reproduce this vulnerability, send a GET request to the '/api/icon/getDynamicIcon' endpoint with a 'content' parameter that includes a namespace-prefixed script element. The 'SanitizeSVG' function will fail to remove the script tag due to the prefix, and the SVG will be rendered with the script intact. When the SVG is opened in a browser, the script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can upgrade to SiYuan version 3.6.2, which addresses this vulnerability by properly sanitizing namespace-prefixed element names.
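The following Go program, added here as an illustration and not taken from SiYuan's code, contrasts the failing check described above (a raw tag-name comparison against "script") with a namespace-aware check built on the standard library's encoding/xml decoder, which resolves prefixes the same way the browser's XML parser does. The sample documents are constructed; the function names are the author's own.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed sample inputs (not from the advisory or the project). The first
// uses the prefixed-tag shape described above: the prefix resolves to the SVG
// namespace, so a browser treats the element as a plain <script>.
const samplePrefixed = `<svg xmlns="http://www.w3.org/2000/svg">` +
	`<x:script xmlns:x="http://www.w3.org/2000/svg">/* constructed */</x:script></svg>`
const sampleBenign = `<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>`

// NaiveTagIsScript models the flawed check: the raw tag name an HTML5-style
// tokenizer yields ("x:script") is compared with the literal "script", so any
// namespace prefix slips past it.
func NaiveTagIsScript(rawTag string) bool {
	return strings.EqualFold(rawTag, "script")
}

// FindScriptElements parses doc as XML (the model a browser applies to an
// image/svg+xml response), resolves namespace prefixes, and returns the
// resolved names of every element whose local name is "script". The
// namespace is deliberately ignored: a script element in the SVG, XHTML or
// an unresolved namespace is reported alike, which is the safe default.
func FindScriptElements(doc string) ([]xml.Name, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var hits []xml.Name
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return hits, nil
		}
		if err != nil {
			return nil, err
		}
		if se, ok := tok.(xml.StartElement); ok && strings.EqualFold(se.Name.Local, "script") {
			hits = append(hits, se.Name) // Space holds the resolved namespace URI
		}
	}
}

func main() {
	fmt.Println("naive check sees x:script as script:", NaiveTagIsScript("x:script")) // false
	hits, err := FindScriptElements(samplePrefixed)
	fmt.Println("namespace-aware check finds:", hits, err) // one hit in the SVG namespace
}
```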

Added: Mar 31, 2026, 10:34 PM
Updated: Mar 31, 2026, 10:34 PM

Vulnerability Rating (Custom Algorithm)

spread          0.3
impact          1.7
exploitability  7.2
remediation     7.7
relevance       5.0
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.