From 90c0a4a437f095d5f7ed7daeae9a35a9b99dabb4 Mon Sep 17 00:00:00 2001
From: zadam
Date: Sat, 21 Oct 2023 17:54:07 +0200
Subject: [PATCH] respect safeImport flag when sanitizing imported content

---
 src/services/html_sanitizer.js | 12 +-----------
 src/services/import/single.js | 11 +++++++++--
 src/services/import/zip.js | 4 +++-
 3 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/src/services/html_sanitizer.js b/src/services/html_sanitizer.js
index d6fb91c09..20fb0d70a 100644
--- a/src/services/html_sanitizer.js
+++ b/src/services/html_sanitizer.js
@@ -33,17 +33,7 @@ function sanitize(dirtyHtml) {
 'en-media' // for ENEX import
 ],
 allowedAttributes: {
- 'a': [ 'href', 'class' ],
- 'img': [ 'src' ],
- 'section': [ 'class', 'data-note-id' ],
- 'figure': [ 'class' ],
- 'span': [ 'class', 'style' ],
- 'label': [ 'class' ],
- 'input': [ 'class', 'type', 'disabled' ],
- 'code': [ 'class' ],
- 'ul': [ 'class' ],
- 'table': [ 'class' ],
- 'en-media': [ 'hash' ]
+ '*': [ 'class', 'style', 'title', 'src', 'href', 'hash', 'disabled', 'align', 'alt', 'center', 'data-*' ]
 },
 allowedSchemes: [
 'http', 'https', 'ftp', 'ftps', 'mailto', 'data', 'evernote', 'file', 'facetime', 'irc', 'gemini', 'git',
diff --git a/src/services/import/single.js b/src/services/import/single.js
index 567976f4f..31928e7fe 100644
--- a/src/services/import/single.js
+++ b/src/services/import/single.js
@@ -121,7 +121,11 @@ function importMarkdown(taskContext, file, parentNote) {
 const title = utils.getNoteTitle(file.originalname, taskContext.data.replaceUnderscoresWithSpaces);
 
 const markdownContent = file.buffer.toString("utf-8");
- const htmlContent = markdownService.renderToHtml(markdownContent, title);
+ let htmlContent = markdownService.renderToHtml(markdownContent, title);
+
+ if (taskContext.data.safeImport) {
+ htmlContent = htmlSanitizer.sanitize(htmlContent);
+ }
 
 const {note} = noteService.createNewNote({
 parentNoteId: parentNote.noteId,
@@ -141,7 +145,10 @@ function importHtml(taskContext, file, parentNote) {
 const title = utils.getNoteTitle(file.originalname, taskContext.data.replaceUnderscoresWithSpaces);
 
 let content = file.buffer.toString("utf-8");
- content = htmlSanitizer.sanitize(content);
+ if (taskContext.data.safeImport) {
+ content = htmlSanitizer.sanitize(content);
+ }
+
 content = importUtils.handleH1(content, title);
 
 const {note} = noteService.createNewNote({
diff --git a/src/services/import/zip.js b/src/services/import/zip.js
index d4c591610..9103d22f9 100644
--- a/src/services/import/zip.js
+++ b/src/services/import/zip.js
@@ -321,7 +321,9 @@ async function importZip(taskContext, fileBuffer, importRootNote) {
 }
 });
 
- content = htmlSanitizer.sanitize(content);
+ if (taskContext.data.safeImport) {
+ content = htmlSanitizer.sanitize(content);
+ }
 
 content = content.replace(/]*>/gis, "");
 content = content.replace(/<\/body>.*<\/html>/gis, "");
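Review bot: The new wildcard entry `'*': [ 'class', 'style', 'title', 'src', 'href', ... ]` in html_sanitizer.js drops `type`, which the removed `'input': [ 'class', 'type', 'disabled' ]` rule allowed, so any `<input type="...">` that survived sanitization before now loses its type; add `'type'` to the list if that is not intended. The same entry also grants `style` (previously only on `span`), `href`/`src`, and `data-*` on every element, a much larger attribute surface than the commit subject describes, and unless `allowedStyles` is configured elsewhere in this sanitizeHtml call (not visible in the hunk) the `style` values pass through unfiltered. A short comment above the entry recording why the per-tag allowlist was replaced, and noting that `allowedSchemes` below is what still constrains `href`/`src` values, would help the next reviewer judge the trade-off. The enclosing `sanitize(dirtyHtml)` function starts and ends outside the hunk.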
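Review bot: The guard `if (taskContext.data.safeImport)` in importMarkdown skips sanitization whenever the flag is absent or falsy, so an import request that simply omits it stores the rendered HTML unsanitized; the same fail-open default is introduced in the importHtml hunk of single.js and in zip.js. Unless `taskContext.data.safeImport` is normalized to a boolean before this point (not visible here), a fail-closed check is safer: `if (taskContext.data.safeImport !== false) {`. Since the identical three-line guard now appears in three files, a small shared helper in importUtils would keep that default decision in one place. importMarkdown's body continues outside the hunk.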