Server-side cross-site scripting in github.com/siyuan-note/siyuan/kernel
Description
SiYuan has incomplete fix for CVE-2026-33066: XSS
Summary
The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block <iframe> tags, allowing stored XSS via srcdoc attributes containing embedded scripts that execute in the Electron context.
Affected Package
Ecosystem: Go
Package: github.com/siyuan-note/siyuan
Affected versions: < commit b382f50e1880
Patched versions: >= commit b382f50e1880
Details
The renderPackageREADME() function in kernel/bazaar/readme.go renders Markdown README content from bazaar (marketplace) packages into HTML. The original vulnerability allowed stored XSS through unsanitized HTML in READMEs. The fix adds luteEngine.SetSanitize(true) to enable Lute's built-in HTML sanitizer.
However, the Lute sanitizer in lute/render/sanitizer.go has a critical gap:
<iframe> is explicitly commented out of setOfElementsToSkipContent, so iframe tags pass through.
The srcdoc attribute is checked against URL-prefix blocklists (javascript:, data:text/html), but srcdoc contains raw HTML content, not a URL. A value like <img src=x onerror=alert(1)> does not start with any blocked prefix.
The browser renders srcdoc HTML in a nested browsing context, executing embedded scripts and event handlers.
The fix correctly blocks direct <script> tags, event handler attributes, and javascript: protocol links. However:
<iframe srcdoc="<script>alert(document.domain)</script>"> passes through because iframe is not blocked and the srcdoc value is raw HTML (not a URL scheme).
<iframe srcdoc="<img src=x onerror=alert(document.cookie)>"> also passes because the event handler is inside the srcdoc string value, not a top-level tag attribute.
PoC
""" CVE-2026-33066 - Incomplete Sanitization in SiYuan Bazaar README Rendering Component: kernel/bazaar/readme.go :: renderPackageREADME() Patch: https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428 """ import re...
python3 poc.py
Steps to reproduce:
git clone https://github.com/siyuan-note/siyuan /tmp/siyuan_test
cd /tmp/siyuan_test && git checkout b382f50e1880ed996364509de5a10a72d7409428~1
python3 poc.py (or go run poc.go if Go PoC)
Expected output:
VULNERABILITY CONFIRMED Iframe tags with srcdoc attributes bypass the Lute sanitizer, allowing embedded scripts to execute in the Electron context.
Impact
A malicious bazaar package author can include <iframe srcdoc='<script>...</script>'> in their README.md. When other users view the package in SiYuan's marketplace UI, the XSS executes in the Electron context with full application privileges, enabling data theft, local file access, and arbitrary code execution on the user's machine.
Suggested Remediation
Add iframe to the setOfElementsToSkipContent set in the Lute sanitizer.
If iframes must be preserved, strip the srcdoc attribute entirely or sanitize its HTML content recursively.
Apply a Content Security Policy (CSP) to the README rendering context.
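To make the gap described under Details concrete, and to show the first option under Suggested Remediation taking effect, the following Go program is an added illustration written for this advisory; it is not Lute's or SiYuan's code. It models two things the advisory describes: an element skip set with and without iframe (a stand-in for setOfElementsToSkipContent) and a URL-prefix check of the kind applied to attribute values. The tag scanner, the skip sets and the sample README fragment are constructed here; the only value taken from the page is the srcdoc payload quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-ins for Lute's setOfElementsToSkipContent as the advisory describes it:
// the incomplete set lacks iframe, the fixed set has it (constructed, not Lute's).
var skipContentIncomplete = map[string]bool{"script": true, "style": true}
var skipContentFixed = map[string]bool{"script": true, "style": true, "iframe": true}

// urlValueBlocked is a prefix check of the kind that stops javascript: links (the two
// blocked prefixes are the ones the advisory names). Applied to srcdoc it proves
// nothing, because a srcdoc value is HTML, not a URL, and never starts with a scheme.
func urlValueBlocked(value string) bool {
	v := strings.ToLower(strings.TrimSpace(value))
	return strings.HasPrefix(v, "javascript:") || strings.HasPrefix(v, "data:text/html")
}

// tagName returns the lowercase element name of tag text without its angle
// brackets; `iframe srcdoc="..."` and `/iframe` both yield "iframe".
func tagName(tag string) string {
	t := strings.TrimPrefix(strings.TrimSpace(tag), "/")
	if end := strings.IndexAny(t, " \t\r\n/>"); end != -1 {
		t = t[:end]
	}
	return strings.ToLower(t)
}

// findTagEnd returns the index of the '>' closing the tag that starts at start, honouring
// quoted attribute values so that the '>' characters inside srcdoc="<script>...</script>"
// do not end the tag early; -1 if the tag is unclosed.
func findTagEnd(s string, start int) int {
	var quote byte
	for i := start + 1; i < len(s); i++ {
		switch c := s[i]; {
		case quote != 0 && c == quote:
			quote = 0 // end of a quoted attribute value
		case quote != 0:
			continue // inside a quoted value: a '>' here is data, not a tag end
		case c == '"' || c == '\'':
			quote = c
		case c == '>':
			return i
		}
	}
	return -1
}

// findClosingEnd returns the index of the '>' ending the first complete </name>
// tag at or after from, or -1 when there is none.
func findClosingEnd(s string, from int, name string) int {
	for j := from; j+1 < len(s); j++ {
		if s[j] == '<' && s[j+1] == '/' && tagName(s[j+1:]) == name {
			return findTagEnd(s, j)
		}
	}
	return -1
}

// sanitize drops every element named in skip together with its content up to the matching
// closing tag (or end of input when none exists) and passes all other markup through
// untouched. Attribute-level checks are deliberately out of scope for this illustration.
func sanitize(input string, skip map[string]bool) string {
	var out strings.Builder
	i := 0
	for i < len(input) {
		lt := strings.IndexByte(input[i:], '<')
		if lt == -1 {
			out.WriteString(input[i:])
			break
		}
		out.WriteString(input[i : i+lt])
		start := i + lt
		end := findTagEnd(input, start)
		if end == -1 {
			break // unterminated tag: emit nothing further rather than half a tag
		}
		name := tagName(input[start+1 : end])
		switch {
		case !skip[name]:
			out.WriteString(input[start : end+1])
			i = end + 1
		case strings.HasPrefix(strings.TrimSpace(input[start+1:end]), "/"):
			i = end + 1 // stray closing tag of a skipped element: drop only the tag
		default:
			closeEnd := findClosingEnd(input, end+1, name)
			if closeEnd == -1 {
				return out.String() // no closing tag: the element runs to end of input
			}
			i = closeEnd + 1
		}
	}
	return out.String()
}

func main() {
	// Constructed README fragment carrying the srcdoc payload quoted in the advisory.
	readme := `Hello <iframe srcdoc="<script>alert(document.domain)</script>"></iframe> world`
	fmt.Println("srcdoc value caught by URL-prefix check:", urlValueBlocked(`<script>alert(document.domain)</script>`))
	fmt.Printf("incomplete skip set: %q\nfixed skip set: %q\n", sanitize(readme, skipContentIncomplete), sanitize(readme, skipContentFixed))
}
```

Running it shows the three facts the advisory states: the URL-prefix check returns false for the srcdoc value, the incomplete skip set returns the iframe tag unchanged (srcdoc and all), and the fixed skip set removes the element. The scanner honours quoted attribute values on purpose, since a sanitizer that split the tag at the first '>' inside srcdoc would mis-tokenize exactly the input that matters here. The second remediation option (keeping iframes but stripping srcdoc) would need an attribute-level pass, which this example does not implement.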
References
Incomplete fix commit: https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428
Original CVE: CVE-2026-33066
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| go | github.com/siyuan-note/siyuan | < commit b382f50e1880 | 0.0.0-20260414013942-62eed37a3263 |