SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon
Summary Reflected XSS in /api/icon/getDynamicIcon due to unsanitized SVG input. Details The endpoint generates SVG images for text icons type=8. The content query parameter is inserted directly into the SVG tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting...