html_sanitizer: Demote H1 tags (#2190)

Generalize clipper.js support for removing H1 tags so it also applies to
imports. This will move all heading levels down to make room if
needed, only leaving duplicates at H6.
Ben Jackson 2021-10-03 11:56:08 -07:00 committed by GitHub
parent ec3b844026
commit 6ae8508413
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 5 deletions


@ -104,10 +104,7 @@ function createNote(req) {
} }
function processContent(images, note, content) { function processContent(images, note, content) {
let rewrittenContent = htmlSanitizer.sanitize(content) let rewrittenContent = htmlSanitizer.sanitize(content);
// H1 is not supported so convert it to H2
.replace(/<h1/ig, "<h2")
.replace(/<\/h1/ig, "</h2");
if (images) { if (images) {
for (const {src, dataUrl, imageId} of images) { for (const {src, dataUrl, imageId} of images) {


@ -3,6 +3,24 @@ const sanitizeHtml = require('sanitize-html');
// intended mainly as protection against XSS via import // intended mainly as protection against XSS via import
// secondarily it (partly) protects against "CSS takeover" // secondarily it (partly) protects against "CSS takeover"
function sanitize(dirtyHtml) { function sanitize(dirtyHtml) {
// avoid H1 per https://github.com/zadam/trilium/issues/1552
// demote H1, and if that conflicts with existing H2, demote that, etc
let transformTags = {};
const loweraseHtml = dirtyHtml.toLowerCase();
for (let i = 1; i < 6; ++i)
{
if (loweraseHtml.includes(`<h${i}`))
{
transformTags[`h${i}`] = `h${i+1}`;
}
else
{
break;
}
}
// to minimize document changes, compress H
return sanitizeHtml(dirtyHtml, { return sanitizeHtml(dirtyHtml, {
allowedTags: [ allowedTags: [
'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
@ -20,7 +38,8 @@ function sanitize(dirtyHtml) {
'input': [ 'class', 'type', 'disabled' ], 'input': [ 'class', 'type', 'disabled' ],
'code': [ 'class' ] 'code': [ 'class' ]
}, },
allowedSchemes: ['http', 'https', 'ftp', 'mailto', 'data', 'evernote'] allowedSchemes: ['http', 'https', 'ftp', 'mailto', 'data', 'evernote'],
transformTags,
}); });
} }
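Review bot: The comment `// to minimize document changes, compress H` sitting just before `return sanitizeHtml(dirtyHtml, {` describes no code at that point; the behaviour it seems to refer to is the `break` in the loop above, which stops the cascade at the first absent heading level, so the comment belongs on the loop and should say what it does, e.g. `// stop at the first missing level: lower headings no longer collide`. The detection `loweraseHtml.includes(`<h${i}`)` is a substring test on the unsanitized input, so a literal `<h1` inside an HTML comment, a `<script>` body or an attribute value that sanitize-html will strip anyway still triggers the whole demotion cascade; this is not an XSS concern, but it shifts genuine H2–H5 headings for no reason and is worth a one-line caveat in the comment or a tighter match such as `/<h1[\s/>]/i`. Minor: `transformTags` is never reassigned and `loweraseHtml` is misspelled — `const transformTags = {};` and `const lowercaseHtml = dirtyHtml.toLowerCase();` — and the Allman braces on the new `for`/`if`/`else` differ from the K&R style used by `function sanitize(dirtyHtml) {` in the same file.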