feat(react/settings): port HTML import tags

2025-11-02 11:26:15 +01:00 · 2025-08-18 18:07:58 +03:00
parent c5a7f84250
commit 95af901808
6 changed files with 146 additions and 279 deletions
--- a/apps/server/src/services/html_sanitizer.ts
+++ b/apps/server/src/services/html_sanitizer.ts
@@ -1,6 +1,7 @@
 import sanitizeHtml from "sanitize-html";
 import { sanitizeUrl } from "@braintree/sanitize-url";
 import optionService from "./options.js";
+import { SANITIZER_DEFAULT_ALLOWED_TAGS } from "@triliumnext/commons";

 // Be consistent with `ALLOWED_PROTOCOLS` in `src\public\app\services\link.js`
 // TODO: Deduplicate with client once we can.
@@ -12,105 +13,6 @@ export const ALLOWED_PROTOCOLS = [
    'mid'
 ];

-// Default list of allowed HTML tags
-export const DEFAULT_ALLOWED_TAGS = [
-    "h1",
-    "h2",
-    "h3",
-    "h4",
-    "h5",
-    "h6",
-    "blockquote",
-    "p",
-    "a",
-    "ul",
-    "ol",
-    "li",
-    "b",
-    "i",
-    "strong",
-    "em",
-    "strike",
-    "s",
-    "del",
-    "abbr",
-    "code",
-    "hr",
-    "br",
-    "div",
-    "table",
-    "thead",
-    "caption",
-    "tbody",
-    "tfoot",
-    "tr",
-    "th",
-    "td",
-    "pre",
-    "section",
-    "img",
-    "figure",
-    "figcaption",
-    "span",
-    "label",
-    "input",
-    "details",
-    "summary",
-    "address",
-    "aside",
-    "footer",
-    "header",
-    "hgroup",
-    "main",
-    "nav",
-    "dl",
-    "dt",
-    "menu",
-    "bdi",
-    "bdo",
-    "dfn",
-    "kbd",
-    "mark",
-    "q",
-    "time",
-    "var",
-    "wbr",
-    "area",
-    "map",
-    "track",
-    "video",
-    "audio",
-    "picture",
-    "del",
-    "ins",
-    "en-media", // for ENEX import
-    // Additional tags (https://github.com/TriliumNext/Trilium/issues/567)
-    "acronym",
-    "article",
-    "big",
-    "button",
-    "cite",
-    "col",
-    "colgroup",
-    "data",
-    "dd",
-    "fieldset",
-    "form",
-    "legend",
-    "meter",
-    "noscript",
-    "option",
-    "progress",
-    "rp",
-    "samp",
-    "small",
-    "sub",
-    "sup",
-    "template",
-    "textarea",
-    "tt"
-] as const;
-
 // intended mainly as protection against XSS via import
 // secondarily, it (partly) protects against "CSS takeover"
 // sanitize also note titles, label values etc. - there are so many usages which make it difficult
@@ -138,7 +40,7 @@ function sanitize(dirtyHtml: string) {
        allowedTags = JSON.parse(optionService.getOption("allowedHtmlTags"));
    } catch (e) {
        // Fallback to default list if option doesn't exist or is invalid
-        allowedTags = DEFAULT_ALLOWED_TAGS;
+        allowedTags = SANITIZER_DEFAULT_ALLOWED_TAGS;
    }

    const colorRegex = [/^#(0x)?[0-9a-f]+$/i, /^rgb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$/, /^hsl\(\s*(\d{1,3})\s*,\s*(\d{1,3})%\s*,\s*(\d{1,3})%\s*\)$/];
--- a/apps/server/src/services/options_init.ts
+++ b/apps/server/src/services/options_init.ts
@@ -4,8 +4,7 @@ import { randomSecureToken, isWindows } from "./utils.js";
 import log from "./log.js";
 import dateUtils from "./date_utils.js";
 import keyboardActions from "./keyboard_actions.js";
-import type { KeyboardShortcutWithRequiredActionName, OptionMap, OptionNames } from "@triliumnext/commons";
-import { DEFAULT_ALLOWED_TAGS } from "./html_sanitizer.js";
+import { SANITIZER_DEFAULT_ALLOWED_TAGS, type KeyboardShortcutWithRequiredActionName, type OptionMap, type OptionNames } from "@triliumnext/commons";

 function initDocumentOptions() {
    optionService.createOption("documentId", randomSecureToken(16), false);
@@ -187,7 +186,7 @@ const defaultOptions: DefaultOption[] = [
    { name: "backgroundEffects", value: "true", isSynced: false },
    {
        name: "allowedHtmlTags",
-        value: JSON.stringify(DEFAULT_ALLOWED_TAGS),
+        value: JSON.stringify(SANITIZER_DEFAULT_ALLOWED_TAGS),
        isSynced: true
    },