Notes/src/services/html_sanitizer.js

const sanitizeHtml = require('sanitize-html');

// intended mainly as protection against XSS via import
// secondarily it (partly) protects against "CSS takeover"
function sanitize(dirtyHtml) {

    // avoid H1 per https://github.com/zadam/trilium/issues/1552
    // demote H1, and if that conflicts with existing H2, demote that, etc
    let transformTags = {};
    const loweraseHtml = dirtyHtml.toLowerCase();
    for (let i = 1; i < 6; ++i)
    {
        if (loweraseHtml.includes(`<h${i}`))
        {
            transformTags[`h${i}`] = `h${i+1}`;
        }
        else
        {
            break;
        }
    }

    // to minimize document changes, compress H
    return sanitizeHtml(dirtyHtml, {
        allowedTags: [
            'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
            'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div',
            'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre', 'section', 'img',
            'figure', 'figcaption', 'span', 'label', 'input'
        ],
        allowedAttributes: {
            'a': [ 'href', 'class', 'data-note-path' ],
            'img': [ 'src' ],
            'section': [ 'class', 'data-note-id' ],
            'figure': [ 'class' ],
            'span': [ 'class', 'style' ],
            'label': [ 'class' ],
            'input': [ 'class', 'type', 'disabled' ],
            'code': [ 'class' ]
        },
        allowedSchemes: ['http', 'https', 'ftp', 'mailto', 'data', 'evernote'],
        transformTags,
    });
}

module.exports = {
    sanitize
};
html sanitize imported notes, #1137 2020-06-30 23:37:06 +02:00			`const sanitizeHtml = require('sanitize-html');`

			`// intended mainly as protection against XSS via import`
			`// secondarily it (partly) protects against "CSS takeover"`
			`function sanitize(dirtyHtml) {`
html_sanitizer: Demote H1 tags (#2190) Generalize clipper.js support for removing H1 tags so it also applies to imports. This will move all heading levels down to make room if needed, only leaving duplicates at H6. 2021-10-03 11:56:08 -07:00
			`// avoid H1 per https://github.com/zadam/trilium/issues/1552`
			`// demote H1, and if that conflicts with existing H2, demote that, etc`
			`let transformTags = {};`
			`const loweraseHtml = dirtyHtml.toLowerCase();`
			`for (let i = 1; i < 6; ++i)`
			`{`
			if (loweraseHtml.includes(`<h${i}`))
			`{`
			transformTags[`h${i}`] = `h${i+1}`;
			`}`
			`else`
			`{`
			`break;`
			`}`
			`}`

			`// to minimize document changes, compress H`
html sanitize imported notes, #1137 2020-06-30 23:37:06 +02:00			`return sanitizeHtml(dirtyHtml, {`
			`allowedTags: [`
convert H1 to H2 also during import 2020-11-01 20:38:39 +01:00			`'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',`
fix imported strikethrough text, closes #2110 2021-08-21 21:31:30 +02:00			`'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div',`
removed detail.css, added to individual type widgets 2020-07-01 23:35:00 +02:00			`'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre', 'section', 'img',`
fix importing image captions, closes #2113 (cherry picked from commit e050e380b9e44d2e282074d3ca7ca19b33761be4) 2021-08-20 21:40:28 +02:00			`'figure', 'figcaption', 'span', 'label', 'input'`
html sanitize imported notes, #1137 2020-06-30 23:37:06 +02:00			`],`
			`allowedAttributes: {`
imported internal links crash ckeditor, #1979 2021-05-25 21:45:59 +02:00			`'a': [ 'href', 'class', 'data-note-path' ],`
html sanitize imported notes, #1137 2020-06-30 23:37:06 +02:00			`'img': [ 'src' ],`
			`'section': [ 'class', 'data-note-id' ],`
			`'figure': [ 'class' ],`
			`'span': [ 'class', 'style' ],`
			`'label': [ 'class' ],`
			`'input': [ 'class', 'type', 'disabled' ],`
			`'code': [ 'class' ]`
import fixes 2020-07-27 23:40:14 +02:00			`},`
html_sanitizer: Demote H1 tags (#2190) Generalize clipper.js support for removing H1 tags so it also applies to imports. This will move all heading levels down to make room if needed, only leaving duplicates at H6. 2021-10-03 11:56:08 -07:00			`allowedSchemes: ['http', 'https', 'ftp', 'mailto', 'data', 'evernote'],`
			`transformTags,`
html sanitize imported notes, #1137 2020-06-30 23:37:06 +02:00			`});`
			`}`

			`module.exports = {`
			`sanitize`
			`};`