diff --git a/0001-CVE-2025-3155.patch b/0001-CVE-2025-3155.patch
new file mode 100644
index 0000000000000000000000000000000000000000..712c11302214ffa9b6c2e02fce0708881d582062
--- /dev/null
+++ b/0001-CVE-2025-3155.patch
@@ -0,0 +1,118 @@
+From a2f3caf8500287981331c4ff54369e9c5747cd9d Mon Sep 17 00:00:00 2001
+From: Shaun McCance <shaunm@gnome.org>
+Date: Fri, 18 Apr 2025 11:33:01 -0400
+Subject: [PATCH] Initial fix for CVE-2025-3155 from parrot409
+
+https://gitlab.gnome.org/GNOME/yelp/-/issues/221
+---
+ data/xslt/mal2html.xsl.in    |  5 +++++
+ data/xslt/man2html.xsl.in    |  2 +-
+ data/xslt/yelp-common.xsl.in |  7 +++++++
+ libyelp/yelp-transform.c     | 19 +++++++++++++++++++
+ libyelp/yelp-view.c          |  2 +-
+ 5 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/data/xslt/mal2html.xsl.in b/data/xslt/mal2html.xsl.in
+index 9e44b734..0a74da55 100644
+--- a/data/xslt/mal2html.xsl.in
++++ b/data/xslt/mal2html.xsl.in
+@@ -19,6 +19,11 @@
+ <xsl:param name="mal.link.prefix" select="'xref:'"/>
+ <xsl:param name="mal.link.extension" select="''"/>
+ 
++<xsl:template name="html.head.top.custom">
++  <xsl:param name="node" select="."/>
++  <meta http-equiv="Content-Security-Policy" content="default-src bogus-ghelp: bogus-gnome-help: bogus-help: bogus-help-list: bogus-info: bogus-man: ; script-src 'nonce-{$html.csp.nonce}'; style-src 'nonce-{$html.csp.nonce}'; "/>
++</xsl:template>
++
+ <xsl:template name="mal.link.target.custom">
+   <xsl:param name="node" select="."/>
+   <xsl:param name="action" select="$node/@action"/>
+diff --git a/data/xslt/man2html.xsl.in b/data/xslt/man2html.xsl.in
+index 676ce3eb..56bc1f5c 100644
+--- a/data/xslt/man2html.xsl.in
++++ b/data/xslt/man2html.xsl.in
+@@ -131,7 +131,7 @@
+   the correct styling and a single character which we measure the
+   width of and update each sheet as required.
+ -->
+-<script type="text/javascript" language="javascript">
++<script type="text/javascript" language="javascript" nonce="{$html.csp.nonce}">
+ <xsl:text>
+ $(document).ready (function () {
+   var div = document.getElementById("invisible-char");
+diff --git a/data/xslt/yelp-common.xsl.in b/data/xslt/yelp-common.xsl.in
+index 0c1ec9bb..421fc02d 100644
+--- a/data/xslt/yelp-common.xsl.in
++++ b/data/xslt/yelp-common.xsl.in
+@@ -15,6 +15,13 @@
+ <xsl:param name="html.syntax.highlight" select="true()"/>
+ <xsl:param name="html.js.root" select="'file://@XSL_JSDIR@/'"/>
+ 
++<xsl:param name="html.csp.nonce" select="yelp:generate_nonce()"/>
++
++<xsl:template name="html.head.top.custom">
++  <xsl:param name="node" select="."/>
++  <meta http-equiv="Content-Security-Policy" content="default-src bogus-ghelp: bogus-gnome-help: bogus-help: bogus-help-list: bogus-info: bogus-man: ; script-src 'nonce-{$html.csp.nonce}'; style-src 'unsafe-inline'; "/>
++</xsl:template>
++
+ <xsl:template name="html.js.mathjax">
+   <xsl:param name="node" select="."/>
+   <xsl:if test="$node//mml:*[1]">
+diff --git a/libyelp/yelp-transform.c b/libyelp/yelp-transform.c
+index e74eb463..2ce1d05b 100644
+--- a/libyelp/yelp-transform.c
++++ b/libyelp/yelp-transform.c
+@@ -71,6 +71,8 @@ static void      xslt_yelp_cache            (xsltTransformContextPtr  ctxt,
+                                              xsltStylePreCompPtr      comp);
+ static void      xslt_yelp_aux              (xmlXPathParserContextPtr ctxt,
+                                              int                      nargs);
++static void      xslt_yelp_generate_nonce   (xmlXPathParserContextPtr ctxt,
++                                             int                      nargs);
+ 
+ enum {
+     PROP_0,
+@@ -412,6 +414,10 @@ transform_run (YelpTransform *transform)
+                              BAD_CAST "input",
+                              BAD_CAST YELP_NAMESPACE,
+                              (xmlXPathFunction) xslt_yelp_aux);
++    xsltRegisterExtFunction (priv->context,
++                         BAD_CAST "generate_nonce",
++                         BAD_CAST YELP_NAMESPACE,
++                         (xmlXPathFunction) xslt_yelp_generate_nonce);
+ 
+     priv->output = xsltApplyStylesheetUser (priv->stylesheet,
+                                             priv->input,
+@@ -607,3 +613,16 @@ xslt_yelp_aux (xmlXPathParserContextPtr ctxt, int nargs)
+     xsltExtensionInstructionResultRegister (tctxt, ret);
+     valuePush (ctxt, ret);
+ }
++
++static void
++xslt_yelp_generate_nonce (xmlXPathParserContextPtr ctxt, int nargs)
++{
++    GRand* rand;
++    gchar* nonce_str;
++
++    rand = g_rand_new ();
++    nonce_str = g_strdup_printf("%08x%08x", g_rand_int (rand), g_rand_int (rand));
++    xmlXPathReturnString (ctxt, xmlStrdup ((xmlChar *) nonce_str));
++    g_free(nonce_str);
++    g_rand_free(rand);
++}
+diff --git a/libyelp/yelp-view.c b/libyelp/yelp-view.c
+index 32ae131e..d544c5df 100644
+--- a/libyelp/yelp-view.c
++++ b/libyelp/yelp-view.c
+@@ -971,7 +971,7 @@ view_external_uri (YelpView *view,
+ 
+     if (app_info)
+       {
+-        if (!strstr (g_app_info_get_executable (app_info), "yelp"))
++        if (!strstr (g_app_info_get_executable (app_info), "yelp") && !strstr (struri, "%3C") && !strstr (struri, "%3E"))
+           {
+             GList l;
+ 
+-- 
+GitLab
+
diff --git a/yelp.spec b/yelp.spec
index 41bff0fd2f5c805fcf584d6167eeb5131641ee99..2b8a78302ba4a9c6c8d885edb2cbf403fb4c245f 100644
--- a/yelp.spec
+++ b/yelp.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 %global libhandy_version 1.5.0
 
 Name:          yelp
@@ -10,6 +10,10 @@ Summary:       Help browser for the GNOME desktop
 License:       LGPLv2+ and ASL 2.0 and GPLv2+
 URL:           https://wiki.gnome.org/Apps/Yelp
 Source:        https://download.gnome.org/sources/%{name}/42/%{name}-%{version}.tar.xz
+ExcludeArch:   loongarch64
+
+# https://gitlab.gnome.org/GNOME/yelp/-/commit/a2f3caf8500287981331c4ff54369e9c5747cd9d
+Patch0001:     0001-CVE-2025-3155.patch
 
 BuildRequires: pkgconfig(gio-2.0) >= 2.67.4
 BuildRequires: pkgconfig(gio-unix-2.0)
@@ -104,6 +108,9 @@ This package contains header files for the libraries in the yelp-libs package.
 
 
 %changelog
+* Fri Jun 13 2025 wh02252983 <wh02252983@alibaba-inc.com> - 42.2-4
+- add patch to fix CVE-2025-3155
+
 * Thu Apr 06 2023 Chunmei Xu <xuchunmei@linux.alibaba.com> - 42.2-3
 - fix build args