respect safeImport flag when sanitizing imported content

2025-10-31 11:39:01 +01:00 · 2023-10-21 17:54:07 +02:00 · 2023-10-21 17:54:07 +02:00 · 90c0a4a437
commit 90c0a4a437
parent 692f7868bc
3 changed files with 13 additions and 14 deletions
--- a/src/services/html_sanitizer.js
+++ b/src/services/html_sanitizer.js
@ -33,17 +33,7 @@ function sanitize(dirtyHtml) {
            'en-media' // for ENEX import
        ],
        allowedAttributes: {
-            'a': [ 'href', 'class' ],
-            'img': [ 'src' ],
-            'section': [ 'class', 'data-note-id' ],
-            'figure': [ 'class' ],
-            'span': [ 'class', 'style' ],
-            'label': [ 'class' ],
-            'input': [ 'class', 'type', 'disabled' ],
-            'code': [ 'class' ],
-            'ul': [ 'class' ],
-            'table': [ 'class' ],
-            'en-media': [ 'hash' ]
+            '*': [ 'class', 'style', 'title', 'src', 'href', 'hash', 'disabled', 'align', 'alt', 'center', 'data-*' ]
        },
        allowedSchemes: [
            'http', 'https', 'ftp', 'ftps', 'mailto', 'data', 'evernote', 'file', 'facetime', 'irc', 'gemini', 'git',
--- a/src/services/import/single.js
+++ b/src/services/import/single.js
@ -121,7 +121,11 @@ function importMarkdown(taskContext, file, parentNote) {
    const title = utils.getNoteTitle(file.originalname, taskContext.data.replaceUnderscoresWithSpaces);

    const markdownContent = file.buffer.toString("utf-8");
-    const htmlContent = markdownService.renderToHtml(markdownContent, title);
+    let htmlContent = markdownService.renderToHtml(markdownContent, title);
+
+    if (taskContext.data.safeImport) {
+        htmlContent = htmlSanitizer.sanitize(htmlContent);
+    }

    const {note} = noteService.createNewNote({
        parentNoteId: parentNote.noteId,
@ -141,7 +145,10 @@ function importHtml(taskContext, file, parentNote) {
    const title = utils.getNoteTitle(file.originalname, taskContext.data.replaceUnderscoresWithSpaces);
    let content = file.buffer.toString("utf-8");

+    if (taskContext.data.safeImport) {
        content = htmlSanitizer.sanitize(content);
+    }
+
    content = importUtils.handleH1(content, title);

    const {note} = noteService.createNewNote({
--- a/src/services/import/zip.js
+++ b/src/services/import/zip.js
@ -321,7 +321,9 @@ async function importZip(taskContext, fileBuffer, importRootNote) {
            }
        });

+        if (taskContext.data.safeImport) {
            content = htmlSanitizer.sanitize(content);
+        }

        content = content.replace(/<html.*<body[^>]*>/gis, "");
        content = content.replace(/<\/body>.*<\/html>/gis, "");