refactor(commons): deduplicate allowed protocols

2025-10-19 14:49:01 +02:00 · 2025-10-06 20:04:07 +03:00 · 2025-10-06 20:04:07 +03:00 · bebd3d430b
commit bebd3d430b
parent 2fca995725
3 changed files with 20 additions and 115 deletions
--- a/apps/client/src/services/link.ts
+++ b/apps/client/src/services/link.ts
@ -3,16 +3,7 @@ import linkContextMenuService from "../menus/link_context_menu.js";
 import appContext, { type NoteCommandData } from "../components/app_context.js";
 import froca from "./froca.js";
 import utils from "./utils.js";
-
-// Be consistent with `allowedSchemes` in `src\services\html_sanitizer.ts`
-// TODO: Deduplicate with server once we can.
-export const ALLOWED_PROTOCOLS = [
-    'http', 'https', 'ftp', 'ftps', 'mailto', 'data', 'evernote', 'file', 'facetime', 'gemini', 'git',
-    'gopher', 'imap', 'irc', 'irc6', 'jabber', 'jar', 'lastfm', 'ldap', 'ldaps', 'magnet', 'message',
-    'mumble', 'nfs', 'onenote', 'pop', 'rmi', 's3', 'sftp', 'skype', 'sms', 'spotify', 'steam', 'svn', 'udp',
-    'view-source', 'vlc', 'vnc', 'ws', 'wss', 'xmpp', 'jdbc', 'slack', 'tel', 'smb', 'zotero', 'geo',
-    'mid'
-];
+import { ALLOWED_PROTOCOLS } from "@triliumnext/commons";

 function getNotePathFromUrl(url: string) {
    const notePathMatch = /#(root[A-Za-z0-9_/]*)$/.exec(url);
--- a/apps/server/src/services/html_sanitizer.ts
+++ b/apps/server/src/services/html_sanitizer.ts
@ -1,17 +1,7 @@
 import sanitizeHtml from "sanitize-html";
 import { sanitizeUrl } from "@braintree/sanitize-url";
 import optionService from "./options.js";
-import { SANITIZER_DEFAULT_ALLOWED_TAGS } from "@triliumnext/commons";
-
-// Be consistent with `ALLOWED_PROTOCOLS` in `src\public\app\services\link.js`
-// TODO: Deduplicate with client once we can.
-export const ALLOWED_PROTOCOLS = [
-    'http', 'https', 'ftp', 'ftps', 'mailto', 'data', 'evernote', 'file', 'facetime', 'gemini', 'git',
-    'gopher', 'imap', 'irc', 'irc6', 'jabber', 'jar', 'lastfm', 'ldap', 'ldaps', 'magnet', 'message',
-    'mumble', 'nfs', 'onenote', 'pop', 'rmi', 's3', 'sftp', 'skype', 'sms', 'spotify', 'steam', 'svn', 'udp',
-    'view-source', 'vlc', 'vnc', 'ws', 'wss', 'xmpp', 'jdbc', 'slack', 'tel', 'smb', 'zotero', 'geo',
-    'mid'
-];
+import { ALLOWED_PROTOCOLS, SANITIZER_DEFAULT_ALLOWED_TAGS } from "@triliumnext/commons";

 // intended mainly as protection against XSS via import
 // secondarily, it (partly) protects against "CSS takeover"
--- a/packages/commons/src/lib/shared_constants.ts
+++ b/packages/commons/src/lib/shared_constants.ts
@ -1,98 +1,22 @@
 // Default list of allowed HTML tags
 export const SANITIZER_DEFAULT_ALLOWED_TAGS = [
-    "h1",
-    "h2",
-    "h3",
-    "h4",
-    "h5",
-    "h6",
-    "blockquote",
-    "p",
-    "a",
-    "ul",
-    "ol",
-    "li",
-    "b",
-    "i",
-    "strong",
-    "em",
-    "strike",
-    "s",
-    "del",
-    "abbr",
-    "code",
-    "hr",
-    "br",
-    "div",
-    "table",
-    "thead",
-    "caption",
-    "tbody",
-    "tfoot",
-    "tr",
-    "th",
-    "td",
-    "pre",
-    "section",
-    "img",
-    "figure",
-    "figcaption",
-    "span",
-    "label",
-    "input",
-    "details",
-    "summary",
-    "address",
-    "aside",
-    "footer",
-    "header",
-    "hgroup",
-    "main",
-    "nav",
-    "dl",
-    "dt",
-    "menu",
-    "bdi",
-    "bdo",
-    "dfn",
-    "kbd",
-    "mark",
-    "q",
-    "time",
-    "var",
-    "wbr",
-    "area",
-    "map",
-    "track",
-    "video",
-    "audio",
-    "picture",
-    "del",
-    "ins",
-    "en-media", // for ENEX import
+    "h1", "h2", "h3", "h4", "h5", "h6", "blockquote", "p", "a", "ul", "ol", "li", "b", "i", "strong", "em",
+    "strike", "s", "del", "abbr", "code", "hr", "br", "div", "table", "thead", "caption", "tbody", "tfoot",
+    "tr", "th", "td", "pre", "section", "img", "figure", "figcaption", "span", "label", "input", "details",
+    "summary", "address", "aside", "footer", "header", "hgroup", "main", "nav", "dl", "dt", "menu", "bdi",
+    "bdo", "dfn", "kbd", "mark", "q", "time", "var", "wbr", "area", "map", "track", "video", "audio", "picture",
+    "del", "ins",
+    // for ENEX import
+    "en-media",
    // Additional tags (https://github.com/TriliumNext/Trilium/issues/567)
-    "acronym",
-    "article",
-    "big",
-    "button",
-    "cite",
-    "col",
-    "colgroup",
-    "data",
-    "dd",
-    "fieldset",
-    "form",
-    "legend",
-    "meter",
-    "noscript",
-    "option",
-    "progress",
-    "rp",
-    "samp",
-    "small",
-    "sub",
-    "sup",
-    "template",
-    "textarea",
-    "tt"
+    "acronym", "article", "big", "button", "cite", "col", "colgroup", "data", "dd", "fieldset", "form", "legend",
+    "meter", "noscript", "option", "progress", "rp", "samp", "small", "sub", "sup", "template", "textarea", "tt"
 ] as const;
+
+export const ALLOWED_PROTOCOLS = [
+    'http', 'https', 'ftp', 'ftps', 'mailto', 'data', 'evernote', 'file', 'facetime', 'gemini', 'git',
+    'gopher', 'imap', 'irc', 'irc6', 'jabber', 'jar', 'lastfm', 'ldap', 'ldaps', 'magnet', 'message',
+    'mumble', 'nfs', 'onenote', 'pop', 'rmi', 's3', 'sftp', 'skype', 'sms', 'spotify', 'steam', 'svn', 'udp',
+    'view-source', 'vlc', 'vnc', 'ws', 'wss', 'xmpp', 'jdbc', 'slack', 'tel', 'smb', 'zotero', 'geo',
+    'mid'
+];