chore(deps): fix pnpm lock

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

apps/client/src/services/doc_renderer.spec.ts

@@ -0,0 +1,30 @@
+import { describe, expect, it } from "vitest";
+
+import { isValidDocName } from "./doc_renderer.js";
+
+describe("isValidDocName", () => {
+    it("accepts valid docNames", () => {
+        expect(isValidDocName("launchbar_intro")).toBe(true);
+        expect(isValidDocName("User Guide/Quick Start")).toBe(true);
+        expect(isValidDocName("User Guide/User Guide/Quick Start")).toBe(true);
+        expect(isValidDocName("Quick Start Guide")).toBe(true);
+        expect(isValidDocName("quick_start_guide")).toBe(true);
+        expect(isValidDocName("quick-start-guide")).toBe(true);
+    });
+
+    it("rejects path traversal attacks", () => {
+        expect(isValidDocName("..")).toBe(false);
+        expect(isValidDocName("../etc/passwd")).toBe(false);
+        expect(isValidDocName("foo/../bar")).toBe(false);
+        expect(isValidDocName("../../../../api/notes/_malicious/open")).toBe(false);
+        expect(isValidDocName("..\\etc\\passwd")).toBe(false);
+        expect(isValidDocName("foo\\bar")).toBe(false);
+    });
+
+    it("rejects URL manipulation attacks", () => {
+        expect(isValidDocName("../../../../api/notes/_malicious/open?x=")).toBe(false);
+        expect(isValidDocName("foo#bar")).toBe(false);
+        expect(isValidDocName("%2e%2e")).toBe(false);
+        expect(isValidDocName("%2e%2e%2f%2e%2e%2fapi")).toBe(false);
+    });
+});

apps/client/src/services/doc_renderer.ts

@@ -3,22 +3,39 @@ import { applyReferenceLinks } from "../widgets/type_widgets/text/read_only_help
 import { getCurrentLanguage } from "./i18n.js";
 import { formatCodeBlocks } from "./syntax_highlight.js";
 
+/**
+ * Validates a docName to prevent path traversal attacks.
+ * Allows forward slashes for subdirectories (e.g., "User Guide/Quick Start")
+ * but blocks traversal sequences and URL manipulation characters.
+ */
+export function isValidDocName(docName: string): boolean {
+    // Allow alphanumeric characters, spaces, underscores, hyphens, and forward slashes.
+    const validDocNameRegex = /^[a-zA-Z0-9_/\- ]+$/;
+    return validDocNameRegex.test(docName);
+}
+
 export default function renderDoc(note: FNote) {
     return new Promise<JQuery<HTMLElement>>((resolve) => {
-        let docName = note.getLabelValue("docName");
+        const docName = note.getLabelValue("docName");
         const $content = $("<div>");
 
-        if (docName) {
-            // find doc based on language
-            const url = getUrl(docName, getCurrentLanguage());
+        // find doc based on language
+        const url = getUrl(docName, getCurrentLanguage());
+
+        if (url) {
             $content.load(url, async (response, status) => {
                 // fallback to english doc if no translation available
                 if (status === "error") {
                     const fallbackUrl = getUrl(docName, "en");
-                    $content.load(fallbackUrl, async () => {
-                        await processContent(fallbackUrl, $content)
+
+                    if (fallbackUrl) {
+                        $content.load(fallbackUrl, async () => {
+                            await processContent(fallbackUrl, $content);
+                            resolve($content);
+                        });
+                    } else {
                         resolve($content);
-                    });
+                    }
                     return;
                 }
 
@@ -28,8 +45,6 @@ export default function renderDoc(note: FNote) {
         } else {
             resolve($content);
         }
-
-        return $content;
     });
 }
 
@@ -39,7 +54,7 @@ async function processContent(url: string, $content: JQuery<HTMLElement>) {
     // Images are relative to the docnote but that will not work when rendered in the application since the path breaks.
     $content.find("img").each((i, el) => {
         const $img = $(el);
-        $img.attr("src", dir + "/" + $img.attr("src"));
+        $img.attr("src", `${dir}/${$img.attr("src")}`);
     });
 
     formatCodeBlocks($content);
@@ -48,10 +63,17 @@ async function processContent(url: string, $content: JQuery<HTMLElement>) {
     await applyReferenceLinks($content[0]);
 }
 
-function getUrl(docNameValue: string, language: string) {
+function getUrl(docNameValue: string | null, language: string) {
+    if (!docNameValue) return;
+
+    if (!isValidDocName(docNameValue)) {
+        console.error(`Invalid docName: ${docNameValue}`);
+        return null;
+    }
+
     // Cannot have spaces in the URL due to how JQuery.load works.
     docNameValue = docNameValue.replaceAll(" ", "%20");
 
-    const basePath = window.glob.isDev ? window.glob.assetPath + "/.." : window.glob.assetPath;
+    const basePath = window.glob.isDev ? `${window.glob.assetPath  }/..` : window.glob.assetPath;
     return `${basePath}/doc_notes/${language}/${docNameValue}.html`;
 }

apps/client/src/widgets/Toast.tsx

@@ -5,7 +5,6 @@ import { useEffect } from "preact/hooks";
 
 import { removeToastFromStore, ToastOptionsWithRequiredId, toasts } from "../services/toast";
 import Icon from "./react/Icon";
-import { RawHtmlBlock } from "./react/RawHtml";
 import Button from "./react/Button";
 
 export default function ToastContainer() {
@@ -54,7 +53,7 @@ function Toast({ id, title, timeout, progress, message, icon, buttons }: ToastOp
                 <div class="toast-icon">{toastIcon}</div>
             )}
 
-            <RawHtmlBlock className="toast-body" html={message} />
+            <div className="toast-body">{message}</div>
 
             {!title && <div class="toast-header">{closeButton}</div>}
 

apps/desktop/electron-forge/forge.config.ts

@@ -1,4 +1,5 @@
 import type { ForgeConfig } from "@electron-forge/shared-types";
+import { FuseV1Options, FuseVersion } from "@electron/fuses";
 import { LOCALES } from "@triliumnext/commons";
 import { existsSync } from "fs";
 import fs from "fs-extra";
@@ -166,6 +167,17 @@ const config: ForgeConfig = {
         {
             name: "@electron-forge/plugin-auto-unpack-natives",
             config: {}
+        },
+        {
+            name: "@electron-forge/plugin-fuses",
+            config: {
+                version: FuseVersion.V1,
+                [FuseV1Options.RunAsNode]: false,
+                [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
+                [FuseV1Options.EnableNodeCliInspectArguments]: false,
+                [FuseV1Options.EnableCookieEncryption]: true,
+                [FuseV1Options.OnlyLoadAppFromAsar]: true
+            }
         }
     ],
     hooks: {

apps/desktop/package.json

@@ -27,15 +27,10 @@
     "electron-debug": "4.1.0",
     "electron-dl": "4.0.0",
     "electron-squirrel-startup": "1.0.1",
-    "jquery.fancytree": "2.38.5",
-    "jquery-hotkeys": "0.2.2"
+    "jquery-hotkeys": "0.2.2",
+    "jquery.fancytree": "2.38.5"
   },
   "devDependencies": {
-    "@types/electron-squirrel-startup": "1.0.2",
-    "@triliumnext/commons": "workspace:*",
-    "@triliumnext/server": "workspace:*",
-    "copy-webpack-plugin": "13.0.1",
-    "electron": "40.6.1",
     "@electron-forge/cli": "7.11.1",
     "@electron-forge/maker-deb": "7.11.1",
     "@electron-forge/maker-dmg": "7.11.1",
@@ -44,6 +39,13 @@
     "@electron-forge/maker-squirrel": "7.11.1",
     "@electron-forge/maker-zip": "7.11.1",
     "@electron-forge/plugin-auto-unpack-natives": "7.11.1",
+    "@electron-forge/plugin-fuses": "7.11.1",
+    "@electron/fuses": "1.0.0",
+    "@triliumnext/commons": "workspace:*",
+    "@triliumnext/server": "workspace:*",
+    "@types/electron-squirrel-startup": "1.0.2",
+    "copy-webpack-plugin": "13.0.1",
+    "electron": "40.6.1",
     "prebuild-install": "7.1.3"
   }
 }

apps/server/src/etapi/notes.ts

@@ -66,6 +66,11 @@ function register(router: Router) {
         eu.validateAndPatch(_params, req.body, ALLOWED_PROPERTIES_FOR_CREATE_NOTE);
         const params = _params as NoteParams;
 
+        // Validate MIME type for image notes
+        if (params.type === "image" && params.mime && !params.mime.toLowerCase().startsWith("image/")) {
+            throw new eu.EtapiError(400, "INVALID_MIME_FOR_IMAGE", `MIME type '${params.mime}' is not allowed for image notes. MIME must start with 'image/'.`);
+        }
+
         try {
             const resp = noteService.createNewNote(params);
 
@@ -93,6 +98,14 @@ function register(router: Router) {
             throw new eu.EtapiError(400, "NOTE_IS_PROTECTED", `Note '${req.params.noteId}' is protected and cannot be modified through ETAPI.`);
         }
 
+        // Validate MIME type for image notes (check both current and new type/mime)
+        const effectiveType = req.body.type ?? note.type;
+        const effectiveMime = req.body.mime ?? note.mime;
+        const normalizedEffectiveMime = typeof effectiveMime === "string" ? effectiveMime.toLowerCase() : effectiveMime;
+        if (effectiveType === "image" && normalizedEffectiveMime && !normalizedEffectiveMime.startsWith("image/")) {
+            throw new eu.EtapiError(400, "INVALID_MIME_FOR_IMAGE", `MIME type '${effectiveMime}' is not allowed for image notes. MIME must start with 'image/'.`);
+        }
+
         noteService.saveRevisionIfNeeded(note);
         eu.validateAndPatch(note, req.body, ALLOWED_PROPERTIES_FOR_PATCH);
         note.save();

apps/server/src/routes/api/files.ts

@@ -232,6 +232,10 @@ function uploadModifiedFileToAttachment(req: Request) {
     const { attachmentId } = req.params;
     const { filePath } = req.body;
 
+    if (!createdTemporaryFiles.has(filePath)) {
+        throw new ValidationError(`File '${filePath}' is not a temporary file.`);
+    }
+
     const attachment = becca.getAttachmentOrThrow(attachmentId);
 
     log.info(`Updating attachment '${attachmentId}' with content from '${filePath}'`);

apps/server/src/routes/api/image.ts

@@ -1,12 +1,14 @@
-"use strict";
 
-import imageService from "../../services/image.js";
-import becca from "../../becca/becca.js";
-import fs from "fs";
+
 import type { Request, Response } from "express";
+import fs from "fs";
+
+import becca from "../../becca/becca.js";
 import type BNote from "../../becca/entities/bnote.js";
 import type BRevision from "../../becca/entities/brevision.js";
+import imageService from "../../services/image.js";
 import { RESOURCE_DIR } from "../../services/resource_dir.js";
+import { sanitizeSvg } from "../../services/utils.js";
 
 function returnImageFromNote(req: Request, res: Response) {
     const image = becca.getNote(req.params.noteId);
@@ -37,28 +39,33 @@ function returnImageInt(image: BNote | BRevision | null, res: Response) {
     } else {
         res.set("Content-Type", image.mime);
         res.set("Cache-Control", "no-cache, no-store, must-revalidate");
-        res.send(image.getContent());
+
+        if (image.mime === "image/svg+xml") {
+            sendSanitizedSvg(res, image.getContent());
+        } else {
+            res.send(image.getContent());
+        }
     }
 }
 
 export function renderSvgAttachment(image: BNote | BRevision, res: Response, attachmentName: string) {
-    let svg: string | Buffer = `<svg xmlns="http://www.w3.org/2000/svg"></svg>`;
+    let svgContent: string | Buffer = `<svg xmlns="http://www.w3.org/2000/svg"></svg>`;
     const attachment = image.getAttachmentByTitle(attachmentName);
 
     if (attachment) {
-        svg = attachment.getContent();
+        svgContent = attachment.getContent();
     } else {
         // backwards compatibility, before attachments, the SVG was stored in the main note content as a separate key
         const contentSvg = image.getJsonContentSafely()?.svg;
 
         if (contentSvg) {
-            svg = contentSvg;
+            svgContent = contentSvg;
         }
     }
 
     res.set("Content-Type", "image/svg+xml");
     res.set("Cache-Control", "no-cache, no-store, must-revalidate");
-    res.send(svg);
+    sendSanitizedSvg(res, svgContent);
 }
 
 function returnAttachedImage(req: Request, res: Response) {
@@ -75,7 +82,12 @@ function returnAttachedImage(req: Request, res: Response) {
 
     res.set("Content-Type", attachment.mime);
     res.set("Cache-Control", "no-cache, no-store, must-revalidate");
-    res.send(attachment.getContent());
+
+    if (attachment.mime === "image/svg+xml") {
+        sendSanitizedSvg(res, attachment.getContent());
+    } else {
+        res.send(attachment.getContent());
+    }
 }
 
 function updateImage(req: Request) {
@@ -116,3 +128,9 @@ export default {
     returnAttachedImage,
     updateImage
 };
+
+function sendSanitizedSvg(res: Response, content: string | Buffer) {
+    const svgString = typeof content === "string" ? content : content.toString("utf-8");
+    res.set("Content-Security-Policy", "script-src 'none'");
+    res.send(sanitizeSvg(svgString));
+}

apps/server/src/services/import/zip.ts

@@ -51,8 +51,7 @@ async function importZip(taskContext: TaskContext<"importNotes">, fileBuffer: Bu
             return "empty_note_id";
         }
 
-        if (origNoteId === "root" || origNoteId.startsWith("_") || opts?.preserveIds) {
-            // these "named" noteIds don't differ between Trilium instances
+        if (origNoteId === "root" || opts?.preserveIds) {
             return origNoteId;
         }
 

apps/server/src/services/open_id.ts

@@ -1,14 +1,14 @@
 import type { NextFunction, Request, Response } from "express";
-import openIDEncryption from "./encryption/open_id_encryption.js";
-import sqlInit from "./sql_init.js";
-import options from "./options.js";
 import type { Session } from "express-openid-connect";
-import sql from "./sql.js";
-import config from "./config.js";
 
+import config from "./config.js";
+import openIDEncryption from "./encryption/open_id_encryption.js";
+import options from "./options.js";
+import sql from "./sql.js";
+import sqlInit from "./sql_init.js";
 
 function checkOpenIDConfig() {
-    const missingVars: string[] = []
+    const missingVars: string[] = [];
     if (config.MultiFactorAuthentication.oauthBaseUrl === "") {
         missingVars.push("oauthBaseUrl");
     }
@@ -27,7 +27,7 @@ function isOpenIDEnabled() {
 
 function isUserSaved() {
     const data = sql.getValue<string>("SELECT isSetup FROM user_data;");
-    return data === "true" ? true : false;
+    return data === "true";
 }
 
 function getUsername() {
@@ -59,34 +59,31 @@ function getOAuthStatus() {
     };
 }
 
-function isTokenValid(req: Request, res: Response, next: NextFunction) {
+async function isTokenValid(req: Request, res: Response, next: NextFunction) {
     const userStatus = openIDEncryption.isSubjectIdentifierSaved();
 
     if (req.oidc !== undefined) {
-        const result = req.oidc
-            .fetchUserInfo()
-            .then((result) => {
-                return {
-                    success: true,
-                    message: "Token is valid",
-                    user: userStatus,
-                };
-            })
-            .catch((result) => {
-                return {
-                    success: false,
-                    message: "Token is not valid",
-                    user: userStatus,
-                };
-            });
-        return result;
-    } else {
-        return {
-            success: false,
-            message: "Token not set up",
-            user: userStatus,
-        };
+        try {
+            await req.oidc.fetchUserInfo();
+            return {
+                success: true,
+                message: "Token is valid",
+                user: userStatus,
+            };
+        } catch {
+            return {
+                success: false,
+                message: "Token is not valid",
+                user: userStatus,
+            };
+        }
     }
+
+    return {
+        success: false,
+        message: "Token not set up",
+        user: userStatus,
+    };
 }
 
 function getSSOIssuerName() {
@@ -121,11 +118,10 @@ function generateOAuthConfig() {
             scope: "openid profile email",
             access_type: "offline",
             prompt: "consent",
-            state: "random_state_" + Math.random().toString(36).substring(2)
         },
         routes: authRoutes,
         idpLogout: true,
-        logoutParams: logoutParams,
+        logoutParams,
         afterCallback: async (req: Request, res: Response, session: Session) => {
             if (!sqlInit.isDbInitialized()) return session;
 

apps/server/src/services/utils.spec.ts

@@ -705,3 +705,110 @@ describe("#slugify", () => {
         expect(result).toBe(expectedSlug);
     });
 });
+
+describe("#sanitizeSvg", () => {
+    it("should remove script elements", () => {
+        const maliciousSvg = '<svg><script>alert("XSS")</script><rect width="100" height="100"/></svg>';
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg><rect width="100" height="100"/></svg>');
+    });
+
+    it("should remove script elements with attributes", () => {
+        const maliciousSvg = '<svg><script type="text/javascript">alert("XSS")</script></svg>';
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg></svg>');
+    });
+
+    it("should remove multiline script elements", () => {
+        const maliciousSvg = `<svg><script>
+            var x = 1;
+            alert(x);
+        </script></svg>`;
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg></svg>');
+    });
+
+    it("should remove onclick event handlers with double quotes", () => {
+        const maliciousSvg = '<svg><rect onclick="doEvil()" width="100"/></svg>';
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg><rect width="100"/></svg>');
+    });
+
+    it("should remove onclick event handlers with single quotes", () => {
+        const maliciousSvg = "<svg><rect onclick='doEvil()' width=\"100\"/></svg>";
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg><rect width="100"/></svg>');
+    });
+
+    it("should remove onload event handlers", () => {
+        const maliciousSvg = '<svg onload="doEvil()"><rect width="100"/></svg>';
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg><rect width="100"/></svg>');
+    });
+
+    it("should remove onerror event handlers", () => {
+        const maliciousSvg = '<svg><image onerror="alert(1)" href="invalid.jpg"/></svg>';
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg><image href="invalid.jpg"/></svg>');
+    });
+
+    it("should remove onmouseover event handlers", () => {
+        const maliciousSvg = '<svg><rect onmouseover="alert(1)" width="100"/></svg>';
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg><rect width="100"/></svg>');
+    });
+
+    it("should remove event handlers without quotes", () => {
+        const maliciousSvg = '<svg><rect onclick=alert(1) width="100"/></svg>';
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg><rect width="100"/></svg>');
+    });
+
+    it("should replace javascript: URLs in href with #", () => {
+        const maliciousSvg = '<svg><a href="javascript:alert(1)"><text>Click me</text></a></svg>';
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg><a href="#"><text>Click me</text></a></svg>');
+    });
+
+    it("should replace javascript: URLs in xlink:href with #", () => {
+        const maliciousSvg = '<svg><a xlink:href="javascript:alert(1)"><text>Click me</text></a></svg>';
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg><a xlink:href="#"><text>Click me</text></a></svg>');
+    });
+
+    it("should preserve valid SVG content", () => {
+        const validSvg = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><rect x="10" y="10" width="80" height="80" fill="blue"/><circle cx="50" cy="50" r="30" fill="red"/></svg>';
+        const result = utils.sanitizeSvg(validSvg);
+        expect(result).toBe(validSvg);
+    });
+
+    it("should preserve valid href URLs", () => {
+        const validSvg = '<svg><a href="https://example.com"><text>Link</text></a></svg>';
+        const result = utils.sanitizeSvg(validSvg);
+        expect(result).toBe(validSvg);
+    });
+
+    it("should handle multiple malicious elements", () => {
+        const maliciousSvg = '<svg onload="evil()"><script>evil()</script><rect onclick="bad()" width="100"/><a href="javascript:attack()">link</a></svg>';
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg><rect width="100"/><a href="#">link</a></svg>');
+    });
+
+    it("should handle empty SVG", () => {
+        const emptySvg = '<svg></svg>';
+        const result = utils.sanitizeSvg(emptySvg);
+        expect(result).toBe('<svg></svg>');
+    });
+
+    it("should be case insensitive for script tags", () => {
+        const maliciousSvg = '<svg><SCRIPT>alert(1)</SCRIPT><Script>alert(2)</Script></svg>';
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg></svg>');
+    });
+
+    it("should be case insensitive for event handlers", () => {
+        const maliciousSvg = '<svg><rect ONCLICK="alert(1)" width="100"/></svg>';
+        const result = utils.sanitizeSvg(maliciousSvg);
+        expect(result).toBe('<svg><rect width="100"/></svg>');
+    });
+});

apps/server/src/services/utils.ts

@@ -119,6 +119,22 @@ export function sanitizeSqlIdentifier(str: string) {
     return str.replace(/[^A-Za-z0-9_]/g, "");
 }
 
+/**
+ * Sanitize SVG to remove potentially dangerous elements and attributes.
+ * This prevents XSS via script injection in SVG content.
+ */
+export function sanitizeSvg(svg: string): string {
+    return svg
+        // Remove script elements
+        .replace(/<script[\s\S]*?<\/script>/gi, '')
+        // Remove on* event handlers (onclick, onload, onerror, etc.)
+        .replace(/\s+on\w+\s*=\s*["'][^"']*["']/gi, '')
+        .replace(/\s+on\w+\s*=\s*[^\s>]+/gi, '')
+        // Remove javascript: URLs
+        .replace(/href\s*=\s*["']javascript:[^"']*["']/gi, 'href="#"')
+        .replace(/xlink:href\s*=\s*["']javascript:[^"']*["']/gi, 'xlink:href="#"');
+}
+
 export const escapeHtml = escape;
 
 export const unescapeHtml = unescape;
@@ -556,6 +572,7 @@ export default {
     replaceAll,
     safeExtractMessageAndStackFromError,
     sanitizeSqlIdentifier,
+    sanitizeSvg,
     stripTags,
     slugify,
     timeLimit,

apps/server/src/share/routes.ts

@@ -9,7 +9,7 @@ import SearchContext from "../services/search/search_context.js";
 import type SNote from "./shaca/entities/snote.js";
 import type SAttachment from "./shaca/entities/sattachment.js";
 import { getDefaultTemplatePath, renderNoteContent } from "./content_renderer.js";
-import utils from "../services/utils.js";
+import utils, { sanitizeSvg } from "../services/utils.js";
 
 function addNoIndexHeader(note: SNote, res: Response) {
     if (note.isLabelTruthy("shareDisallowRobotIndexing")) {
@@ -102,9 +102,10 @@ function renderImageAttachment(image: SNote, res: Response, attachmentName: stri
         }
     }
 
-    const svg = svgString;
+    const svg = sanitizeSvg(svgString);
     res.set("Content-Type", "image/svg+xml");
     res.set("Cache-Control", "no-cache, no-store, must-revalidate");
+    res.set("Content-Security-Policy", "script-src 'none'");
     res.send(svg);
 }
 

packages/ckeditor5-mermaid/src/mermaidediting.ts

@@ -183,7 +183,7 @@ export default class MermaidEditing extends Plugin {
 			const mermaidSource = data.item.getAttribute( 'source' ) as string;
 			const domElement = this.toDomElement( domDocument );
 
-			domElement.innerHTML = mermaidSource;
+			domElement.textContent = mermaidSource;
 
 			window.setTimeout( () => {
 				// @todo: by the looks of it the domElement needs to be hooked to tree in order to allow for rendering.
@@ -219,7 +219,7 @@ export default class MermaidEditing extends Plugin {
 					const domPreviewWrapper = domConverter.viewToDom(child);
 
 					if ( domPreviewWrapper ) {
-						domPreviewWrapper.innerHTML = newSource;
+						domPreviewWrapper.textContent = newSource;
 						domPreviewWrapper.removeAttribute( 'data-processed' );
 
 						this._renderMermaid( domPreviewWrapper );

packages/commons/src/lib/builtin_attributes.ts

@@ -81,6 +81,7 @@ export default [
     { type: "label", name: "webViewSrc", isDangerous: true },
     { type: "label", name: "hideHighlightWidget" },
     { type: "label", name: "iconPack", isDangerous: true },
+    { type: "label", name: "docName", isDangerous: true },
 
     { type: "label", name: "printLandscape" },
     { type: "label", name: "printPageSize" },

pnpm-lock.yaml

@@ -445,6 +445,12 @@ importers:
       '@electron-forge/plugin-auto-unpack-natives':
         specifier: 7.11.1
         version: 7.11.1
+      '@electron-forge/plugin-fuses':
+        specifier: 7.11.1
+        version: 7.11.1(@electron/fuses@1.0.0)
+      '@electron/fuses':
+        specifier: 1.0.0
+        version: 1.0.0
       '@triliumnext/commons':
         specifier: workspace:*
         version: link:../../packages/commons
@@ -2345,6 +2351,12 @@ packages:
     resolution: {integrity: sha512-lKpSOV1GA3FoYiD9k05i6v4KaQVmojnRgCr7d6VL1bFp13QOtXSaAWhFI9mtSY7rGElOacX6Zt7P7rPoB8T9eQ==}
     engines: {node: '>= 16.4.0'}
 
+  '@electron-forge/plugin-fuses@7.11.1':
+    resolution: {integrity: sha512-Td517mHf+RjQAayFDM2kKb7NaGdRXrZfPbc7KOHlGbXthp5YTkFu2cCZGWokiqt1y1wsFaAodULhqBIg7vbbbw==}
+    engines: {node: '>= 16.4.0'}
+    peerDependencies:
+      '@electron/fuses': ^1.0.0
+
   '@electron-forge/publisher-base@7.11.1':
     resolution: {integrity: sha512-rXE9oMFGMtdQrixnumWYH5TTGsp99iPHZb3jI74YWq518ctCh6DlIgWlhf6ok2X0+lhWovcIb45KJucUFAQ13w==}
     engines: {node: '>= 16.4.0'}
@@ -2382,6 +2394,9 @@ packages:
     engines: {node: '>=10.12.0'}
     hasBin: true
 
+  '@electron/fuses@1.0.0':
+    resolution: {integrity: sha512-VjWIlZHEB7a93tXl+6tX2YzN+s1/mS0RM8WX4GZlMOqAzlmRfTMP6pp0MM0LtkzWZB+KQOv+zJt5Dlgdik+DUQ==}
+
   '@electron/get@2.0.3':
     resolution: {integrity: sha512-Qkzpg2s9GnVV2I2BjRksUi43U5e6+zaQMcjoJy0C+C5oxaKl+fmckGDQFtRpZpZV0NQekuZZ+tGz7EA9TVnQtQ==}
     engines: {node: '>=12'}
@@ -16058,6 +16073,8 @@ snapshots:
       '@ckeditor/ckeditor5-core': 47.4.0
       '@ckeditor/ckeditor5-upload': 47.4.0
       ckeditor5: 47.4.0
+    transitivePeerDependencies:
+      - supports-color
 
   '@ckeditor/ckeditor5-ai@47.4.0(bufferutil@4.0.9)(utf-8-validate@6.0.5)':
     dependencies:
@@ -16198,12 +16215,16 @@ snapshots:
       '@ckeditor/ckeditor5-utils': 47.4.0
       '@ckeditor/ckeditor5-widget': 47.4.0
       es-toolkit: 1.39.5
+    transitivePeerDependencies:
+      - supports-color
 
   '@ckeditor/ckeditor5-cloud-services@47.4.0':
     dependencies:
       '@ckeditor/ckeditor5-core': 47.4.0
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
+    transitivePeerDependencies:
+      - supports-color
 
   '@ckeditor/ckeditor5-code-block@47.4.0(patch_hash=2361d8caad7d6b5bddacc3a3b4aa37dbfba260b1c1b22a450413a79c1bb1ce95)':
     dependencies:
@@ -16396,6 +16417,8 @@ snapshots:
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
       es-toolkit: 1.39.5
+    transitivePeerDependencies:
+      - supports-color
 
   '@ckeditor/ckeditor5-editor-classic@47.4.0':
     dependencies:
@@ -16405,6 +16428,8 @@ snapshots:
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
       es-toolkit: 1.39.5
+    transitivePeerDependencies:
+      - supports-color
 
   '@ckeditor/ckeditor5-editor-decoupled@47.4.0':
     dependencies:
@@ -16414,6 +16439,8 @@ snapshots:
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
       es-toolkit: 1.39.5
+    transitivePeerDependencies:
+      - supports-color
 
   '@ckeditor/ckeditor5-editor-inline@47.4.0':
     dependencies:
@@ -16447,8 +16474,6 @@ snapshots:
       '@ckeditor/ckeditor5-table': 47.4.0
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
-    transitivePeerDependencies:
-      - supports-color
 
   '@ckeditor/ckeditor5-emoji@47.4.0':
     dependencies:
@@ -16505,8 +16530,6 @@ snapshots:
       '@ckeditor/ckeditor5-ui': 47.4.0
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
-    transitivePeerDependencies:
-      - supports-color
 
   '@ckeditor/ckeditor5-export-word@47.4.0':
     dependencies:
@@ -16531,6 +16554,8 @@ snapshots:
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
       es-toolkit: 1.39.5
+    transitivePeerDependencies:
+      - supports-color
 
   '@ckeditor/ckeditor5-font@47.4.0':
     dependencies:
@@ -16666,8 +16691,6 @@ snapshots:
       '@ckeditor/ckeditor5-ui': 47.4.0
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
-    transitivePeerDependencies:
-      - supports-color
 
   '@ckeditor/ckeditor5-indent@47.4.0':
     dependencies:
@@ -16791,8 +16814,6 @@ snapshots:
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
       es-toolkit: 1.39.5
-    transitivePeerDependencies:
-      - supports-color
 
   '@ckeditor/ckeditor5-merge-fields@47.4.0':
     dependencies:
@@ -16805,8 +16826,6 @@ snapshots:
       '@ckeditor/ckeditor5-widget': 47.4.0
       ckeditor5: 47.4.0
       es-toolkit: 1.39.5
-    transitivePeerDependencies:
-      - supports-color
 
   '@ckeditor/ckeditor5-minimap@47.4.0':
     dependencies:
@@ -16815,8 +16834,6 @@ snapshots:
       '@ckeditor/ckeditor5-ui': 47.4.0
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
-    transitivePeerDependencies:
-      - supports-color
 
   '@ckeditor/ckeditor5-operations-compressor@47.4.0':
     dependencies:
@@ -16871,8 +16888,6 @@ snapshots:
       '@ckeditor/ckeditor5-utils': 47.4.0
       '@ckeditor/ckeditor5-widget': 47.4.0
       ckeditor5: 47.4.0
-    transitivePeerDependencies:
-      - supports-color
 
   '@ckeditor/ckeditor5-pagination@47.4.0':
     dependencies:
@@ -16992,8 +17007,6 @@ snapshots:
       '@ckeditor/ckeditor5-ui': 47.4.0
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
-    transitivePeerDependencies:
-      - supports-color
 
   '@ckeditor/ckeditor5-source-editing-enhanced@47.4.0':
     dependencies:
@@ -17041,8 +17054,6 @@ snapshots:
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
       es-toolkit: 1.39.5
-    transitivePeerDependencies:
-      - supports-color
 
   '@ckeditor/ckeditor5-table@47.4.0':
     dependencies:
@@ -17055,8 +17066,6 @@ snapshots:
       '@ckeditor/ckeditor5-widget': 47.4.0
       ckeditor5: 47.4.0
       es-toolkit: 1.39.5
-    transitivePeerDependencies:
-      - supports-color
 
   '@ckeditor/ckeditor5-template@47.4.0':
     dependencies:
@@ -17131,8 +17140,6 @@ snapshots:
       '@ckeditor/ckeditor5-icons': 47.4.0
       '@ckeditor/ckeditor5-ui': 47.4.0
       '@ckeditor/ckeditor5-utils': 47.4.0
-    transitivePeerDependencies:
-      - supports-color
 
   '@ckeditor/ckeditor5-upload@47.4.0':
     dependencies:
@@ -17169,8 +17176,6 @@ snapshots:
       '@ckeditor/ckeditor5-engine': 47.4.0
       '@ckeditor/ckeditor5-utils': 47.4.0
       es-toolkit: 1.39.5
-    transitivePeerDependencies:
-      - supports-color
 
   '@ckeditor/ckeditor5-widget@47.4.0':
     dependencies:
@@ -17190,8 +17195,6 @@ snapshots:
       '@ckeditor/ckeditor5-utils': 47.4.0
       ckeditor5: 47.4.0
       es-toolkit: 1.39.5
-    transitivePeerDependencies:
-      - supports-color
 
   '@codemirror/autocomplete@6.18.6':
     dependencies:
@@ -17615,6 +17618,15 @@ snapshots:
       - bluebird
       - supports-color
 
+  '@electron-forge/plugin-fuses@7.11.1(@electron/fuses@1.0.0)':
+    dependencies:
+      '@electron-forge/plugin-base': 7.11.1
+      '@electron-forge/shared-types': 7.11.1
+      '@electron/fuses': 1.0.0
+    transitivePeerDependencies:
+      - bluebird
+      - supports-color
+
   '@electron-forge/publisher-base@7.11.1':
     dependencies:
       '@electron-forge/shared-types': 7.11.1
@@ -17697,6 +17709,10 @@ snapshots:
       glob: 7.2.3
       minimatch: 3.1.2
 
+  '@electron/fuses@1.0.0':
+    dependencies:
+      fs-extra: 9.1.0
+
   '@electron/get@2.0.3':
     dependencies:
       debug: 4.4.3(supports-color@8.1.1)