Dockery/Trilium
1
0
Fork 0
mirror of https://github.com/zadam/trilium.git synced 2025-10-31 02:16:05 +01:00
Code Issues Packages Projects Releases Activity

refactor: one authoritave source for allowed html tags

Browse Source
This commit is contained in:
maphew
2024-11-18 19:52:31 -07:00
parent 8574d2b143
commit cc98a16246
2 changed files with 23 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/public/app/widgets/type_widgets/options/other/html_import_tags.js
View File

@@ -1,5 +1,6 @@
import OptionsWidget from "../options_widget.js"; import OptionsWidget from "../options_widget.js";
import { t } from "../../../../services/i18n.js"; import { t } from "../../../../services/i18n.js";
import { DEFAULT_ALLOWED_TAGS } from "../../../../services/html_sanitizer.js";
const TPL = ` const TPL = `
<div class="options-section"> <div class="options-section">
@@ -21,19 +22,6 @@ const TPL = `
</div> </div>
</div>`; </div>`;
const defaultTags = [
'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div',
'table', 'thead', 'caption', 'tbody', 'tfoot', 'tr', 'th', 'td', 'pre', 'section', 'img',
'figure', 'figcaption', 'span', 'label', 'input', 'details', 'summary', 'address', 'aside', 'footer',
'header', 'hgroup', 'main', 'nav', 'dl', 'dt', 'menu', 'bdi', 'bdo', 'dfn', 'kbd', 'mark', 'q', 'time',
'var', 'wbr', 'area', 'map', 'track', 'video', 'audio', 'picture', 'del', 'ins',
'en-media',
'acronym', 'article', 'big', 'button', 'cite', 'col', 'colgroup', 'data', 'dd',
'fieldset', 'form', 'legend', 'meter', 'noscript', 'option', 'progress', 'rp',
'samp', 'small', 'sub', 'sup', 'template', 'textarea', 'tt'
];
export default class HtmlImportTagsOptions extends OptionsWidget { export default class HtmlImportTagsOptions extends OptionsWidget {
doRender() { doRender() {
this.$widget = $(TPL); this.$widget = $(TPL);
@@ -56,13 +44,13 @@ export default class HtmlImportTagsOptions extends OptionsWidget {
this.$allowedTags.val(tags.join(' ')); this.$allowedTags.val(tags.join(' '));
} else { } else {
// If no tags are set, show the defaults // If no tags are set, show the defaults
this.$allowedTags.val(defaultTags.join(' ')); this.$allowedTags.val(DEFAULT_ALLOWED_TAGS.join(' '));
} }
} }
catch (e) { catch (e) {
console.error('Could not load HTML tags:', e); console.error('Could not load HTML tags:', e);
// On error, show the defaults // On error, show the defaults
this.$allowedTags.val(defaultTags.join(' ')); this.$allowedTags.val(DEFAULT_ALLOWED_TAGS.join(' '));
} }
} }
@@ -76,7 +64,7 @@ export default class HtmlImportTagsOptions extends OptionsWidget {
} }
async resetToDefault() { async resetToDefault() {
this.$allowedTags.val(defaultTags.join('\n')); // Use actual newline this.$allowedTags.val(DEFAULT_ALLOWED_TAGS.join('\n')); // Use actual newline
await this.saveTags(); await this.saveTags();
} }
} }

29
src/services/html_sanitizer.ts
View File

@@ -2,6 +2,21 @@ import sanitizeHtml from "sanitize-html";
import sanitizeUrl from "@braintree/sanitize-url"; import sanitizeUrl from "@braintree/sanitize-url";
import optionService from "./options.js"; import optionService from "./options.js";
// Default list of allowed HTML tags
export const DEFAULT_ALLOWED_TAGS = [
'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div',
'table', 'thead', 'caption', 'tbody', 'tfoot', 'tr', 'th', 'td', 'pre', 'section', 'img',
'figure', 'figcaption', 'span', 'label', 'input', 'details', 'summary', 'address', 'aside', 'footer',
'header', 'hgroup', 'main', 'nav', 'dl', 'dt', 'menu', 'bdi', 'bdo', 'dfn', 'kbd', 'mark', 'q', 'time',
'var', 'wbr', 'area', 'map', 'track', 'video', 'audio', 'picture', 'del', 'ins',
'en-media', // for ENEX import
// Additional tags (https://github.com/TriliumNext/Notes/issues/567)
'acronym', 'article', 'big', 'button', 'cite', 'col', 'colgroup', 'data', 'dd',
'fieldset', 'form', 'legend', 'meter', 'noscript', 'option', 'progress', 'rp',
'samp', 'small', 'sub', 'sup', 'template', 'textarea', 'tt'
] as const;
// intended mainly as protection against XSS via import // intended mainly as protection against XSS via import
// secondarily, it (partly) protects against "CSS takeover" // secondarily, it (partly) protects against "CSS takeover"
// sanitize also note titles, label values etc. - there are so many usages which make it difficult // sanitize also note titles, label values etc. - there are so many usages which make it difficult
@@ -30,19 +45,7 @@ function sanitize(dirtyHtml: string) {
allowedTags = JSON.parse(optionService.getOption('allowedHtmlTags')); allowedTags = JSON.parse(optionService.getOption('allowedHtmlTags'));
} catch (e) { } catch (e) {
// Fallback to default list if option doesn't exist or is invalid // Fallback to default list if option doesn't exist or is invalid
allowedTags = [ allowedTags = DEFAULT_ALLOWED_TAGS;
'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div',
'table', 'thead', 'caption', 'tbody', 'tfoot', 'tr', 'th', 'td', 'pre', 'section', 'img',
'figure', 'figcaption', 'span', 'label', 'input', 'details', 'summary', 'address', 'aside', 'footer',
'header', 'hgroup', 'main', 'nav', 'dl', 'dt', 'menu', 'bdi', 'bdo', 'dfn', 'kbd', 'mark', 'q', 'time',
'var', 'wbr', 'area', 'map', 'track', 'video', 'audio', 'picture', 'del', 'ins',
'en-media', // for ENEX import
// Additional tags (https://github.com/TriliumNext/Notes/issues/567)
'acronym', 'article', 'big', 'button', 'cite', 'col', 'colgroup', 'data', 'dd',
'fieldset', 'form', 'legend', 'meter', 'noscript', 'option', 'progress', 'rp',
'samp', 'small', 'sub', 'sup', 'template', 'textarea', 'tt'
];
} }
// to minimize document changes, compress H // to minimize document changes, compress H