gaschz/trilium
1
0
Fork 0
mirror of https://github.com/zadam/trilium.git synced 2025-10-31 03:29:02 +01:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity

read allowedTags from options, fall back to static

Browse Source
This commit is contained in:
maphew 2024-11-17 16:08:44 -07:00
parent 9ef899eec5
commit d08f09ae3b
2 changed files with 29 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/services/html_sanitizer.ts
View File

@ -1,5 +1,6 @@
import sanitizeHtml from "sanitize-html"; import sanitizeHtml from "sanitize-html";
import sanitizeUrl from "@braintree/sanitize-url"; import sanitizeUrl from "@braintree/sanitize-url";
import optionService from "./options.js";
// intended mainly as protection against XSS via import // intended mainly as protection against XSS via import
// secondarily, it (partly) protects against "CSS takeover" // secondarily, it (partly) protects against "CSS takeover"
@ -23,9 +24,13 @@ function sanitize(dirtyHtml: string) {
} }
} }
// to minimize document changes, compress H // Get allowed tags from options, with fallback to default list if option not yet set
return sanitizeHtml(dirtyHtml, { let allowedTags;
allowedTags: [ try {
allowedTags = JSON.parse(optionService.getOption('allowedHtmlTags'));
} catch (e) {
// Fallback to default list if option doesn't exist or is invalid
allowedTags = [
'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div', 'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div',
'table', 'thead', 'caption', 'tbody', 'tfoot', 'tr', 'th', 'td', 'pre', 'section', 'img', 'table', 'thead', 'caption', 'tbody', 'tfoot', 'tr', 'th', 'td', 'pre', 'section', 'img',
@ -37,7 +42,12 @@ function sanitize(dirtyHtml: string) {
'acronym', 'article', 'big', 'button', 'cite', 'col', 'colgroup', 'data', 'dd', 'acronym', 'article', 'big', 'button', 'cite', 'col', 'colgroup', 'data', 'dd',
'fieldset', 'form', 'legend', 'meter', 'noscript', 'option', 'progress', 'rp', 'fieldset', 'form', 'legend', 'meter', 'noscript', 'option', 'progress', 'rp',
'samp', 'small', 'sub', 'sup', 'template', 'textarea', 'tt' 'samp', 'small', 'sub', 'sup', 'template', 'textarea', 'tt'
], ];
}
// to minimize document changes, compress H
return sanitizeHtml(dirtyHtml, {
allowedTags,
allowedAttributes: { allowedAttributes: {
'*': [ 'class', 'style', 'title', 'src', 'href', 'hash', 'disabled', 'align', 'alt', 'center', 'data-*' ] '*': [ 'class', 'style', 'title', 'src', 'href', 'hash', 'disabled', 'align', 'alt', 'center', 'data-*' ]
}, },

16
src/services/options_init.ts
View File

@ -134,7 +134,21 @@ const defaultOptions: DefaultOption[] = [
{ name: "codeBlockWordWrap", value: "false", isSynced: true }, { name: "codeBlockWordWrap", value: "false", isSynced: true },
// Text note configuration // Text note configuration
{ name: "textNoteEditorType", value: "ckeditor-balloon", isSynced: true } { name: "textNoteEditorType", value: "ckeditor-balloon", isSynced: true },
// HTML sanitization configuration
{ name: "allowedHtmlTags", value: JSON.stringify([
'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div',
'table', 'thead', 'caption', 'tbody', 'tfoot', 'tr', 'th', 'td', 'pre', 'section', 'img',
'figure', 'figcaption', 'span', 'label', 'input', 'details', 'summary', 'address', 'aside', 'footer',
'header', 'hgroup', 'main', 'nav', 'dl', 'dt', 'menu', 'bdi', 'bdo', 'dfn', 'kbd', 'mark', 'q', 'time',
'var', 'wbr', 'area', 'map', 'track', 'video', 'audio', 'picture', 'del', 'ins',
'en-media',
'acronym', 'article', 'big', 'button', 'cite', 'col', 'colgroup', 'data', 'dd',
'fieldset', 'form', 'legend', 'meter', 'noscript', 'option', 'progress', 'rp',
'samp', 'small', 'sub', 'sup', 'template', 'textarea', 'tt'
]), isSynced: true }
]; ];
/** /**