Notes/src/services/html_sanitizer.ts

import sanitizeHtml from "sanitize-html";
import sanitizeUrl from "@braintree/sanitize-url";
import optionService from "./options.js";

// intended mainly as protection against XSS via import
// secondarily, it (partly) protects against "CSS takeover"
// sanitize also note titles, label values etc. - there are so many usages which make it difficult
// to guarantee all of them are properly handled
function sanitize(dirtyHtml: string) {
    if (!dirtyHtml) {
        return dirtyHtml;
    }

    // avoid H1 per https://github.com/zadam/trilium/issues/1552
    // demote H1, and if that conflicts with existing H2, demote that, etc
    const transformTags: Record<string, string> = {};
    const lowercasedHtml = dirtyHtml.toLowerCase();
    for (let i = 1; i < 6; ++i) {
        if (lowercasedHtml.includes(`<h${i}`)) {
            transformTags[`h${i}`] = `h${i + 1}`;
        }
        else {
            break;
        }
    }

    // Get allowed tags from options, with fallback to default list if option not yet set
    let allowedTags;
    try {
        allowedTags = JSON.parse(optionService.getOption('allowedHtmlTags'));
    } catch (e) {
        // Fallback to default list if option doesn't exist or is invalid
        allowedTags = [
            'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
            'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div',
            'table', 'thead', 'caption', 'tbody', 'tfoot', 'tr', 'th', 'td', 'pre', 'section', 'img',
            'figure', 'figcaption', 'span', 'label', 'input', 'details', 'summary', 'address', 'aside', 'footer',
            'header', 'hgroup', 'main', 'nav', 'dl', 'dt', 'menu', 'bdi', 'bdo', 'dfn', 'kbd', 'mark', 'q', 'time',
            'var', 'wbr', 'area', 'map', 'track', 'video', 'audio', 'picture', 'del', 'ins',
            'en-media', // for ENEX import
            // Additional tags (https://github.com/TriliumNext/Notes/issues/567)
            'acronym', 'article', 'big', 'button', 'cite', 'col', 'colgroup', 'data', 'dd',
            'fieldset', 'form', 'legend', 'meter', 'noscript', 'option', 'progress', 'rp',
            'samp', 'small', 'sub', 'sup', 'template', 'textarea', 'tt'
        ];
    }

    // to minimize document changes, compress H
    return sanitizeHtml(dirtyHtml, {
        allowedTags,
        allowedAttributes: {
            '*': [ 'class', 'style', 'title', 'src', 'href', 'hash', 'disabled', 'align', 'alt', 'center', 'data-*' ]
        },
        allowedSchemes: [
            'http', 'https', 'ftp', 'ftps', 'mailto', 'data', 'evernote', 'file', 'facetime', 'irc', 'gemini', 'git',
            'gopher', 'imap', 'irc', 'irc6', 'jabber', 'jar', 'lastfm', 'ldap', 'ldaps', 'magnet', 'message',
            'mumble', 'nfs', 'onenote', 'pop', 'rmi', 's3', 'sftp', 'skype', 'sms', 'spotify', 'steam', 'svn', 'udp',
            'view-source', 'vnc', 'ws', 'wss', 'xmpp', 'jdbc', 'slack'
        ],
        transformTags,
    });
}

export default {
    sanitize,
    sanitizeUrl: (url: string) => {
        return sanitizeUrl.sanitizeUrl(url).trim();
    }
};
server-esm: Change simple library import statements 2024-07-18 21:37:45 +03:00			`import sanitizeHtml from "sanitize-html";`
			`import sanitizeUrl from "@braintree/sanitize-url";`
read allowedTags from options, fall back to static 2024-11-17 16:08:44 -07:00			`import optionService from "./options.js";`
html sanitize imported notes, #1137 2020-06-30 23:37:06 +02:00
			`// intended mainly as protection against XSS via import`
small refactorings 2023-06-29 22:10:13 +02:00			`// secondarily, it (partly) protects against "CSS takeover"`
			`// sanitize also note titles, label values etc. - there are so many usages which make it difficult`
			`// to guarantee all of them are properly handled`
server-ts: Port services/html_sanitizer 2024-02-17 21:33:47 +02:00			`function sanitize(dirtyHtml: string) {`
handle OPML with empty content, fixes #2495 2021-12-30 21:06:45 +01:00			`if (!dirtyHtml) {`
			`return dirtyHtml;`
			`}`

html_sanitizer: Demote H1 tags (#2190) Generalize clipper.js support for removing H1 tags so it also applies to imports. This will move all heading levels down to make room if needed, only leaving duplicates at H6. 2021-10-03 11:56:08 -07:00			`// avoid H1 per https://github.com/zadam/trilium/issues/1552`
			`// demote H1, and if that conflicts with existing H2, demote that, etc`
server-ts: Port services/html_sanitizer 2024-02-17 21:33:47 +02:00			`const transformTags: Record<string, string> = {};`
small fixes 2021-10-03 23:01:22 +02:00			`const lowercasedHtml = dirtyHtml.toLowerCase();`
			`for (let i = 1; i < 6; ++i) {`
			if (lowercasedHtml.includes(`<h${i}`)) {
			transformTags[`h${i}`] = `h${i + 1}`;
html_sanitizer: Demote H1 tags (#2190) Generalize clipper.js support for removing H1 tags so it also applies to imports. This will move all heading levels down to make room if needed, only leaving duplicates at H6. 2021-10-03 11:56:08 -07:00			`}`
small fixes 2021-10-03 23:01:22 +02:00			`else {`
html_sanitizer: Demote H1 tags (#2190) Generalize clipper.js support for removing H1 tags so it also applies to imports. This will move all heading levels down to make room if needed, only leaving duplicates at H6. 2021-10-03 11:56:08 -07:00			`break;`
			`}`
			`}`

read allowedTags from options, fall back to static 2024-11-17 16:08:44 -07:00			`// Get allowed tags from options, with fallback to default list if option not yet set`
			`let allowedTags;`
			`try {`
			`allowedTags = JSON.parse(optionService.getOption('allowedHtmlTags'));`
			`} catch (e) {`
			`// Fallback to default list if option doesn't exist or is invalid`
			`allowedTags = [`
convert H1 to H2 also during import 2020-11-01 20:38:39 +01:00			`'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',`
fix imported strikethrough text, closes #2110 2021-08-21 21:31:30 +02:00			`'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div',`
added extra elements to the html sanitizer 2023-10-21 18:03:06 +02:00			`'table', 'thead', 'caption', 'tbody', 'tfoot', 'tr', 'th', 'td', 'pre', 'section', 'img',`
			`'figure', 'figcaption', 'span', 'label', 'input', 'details', 'summary', 'address', 'aside', 'footer',`
			`'header', 'hgroup', 'main', 'nav', 'dl', 'dt', 'menu', 'bdi', 'bdo', 'dfn', 'kbd', 'mark', 'q', 'time',`
			`'var', 'wbr', 'area', 'map', 'track', 'video', 'audio', 'picture', 'del', 'ins',`
extend html tags which are kept on import https://github.com/TriliumNext/Notes/issues/567 this is the easy method, just add the tags to core, not attempting to read the list from a user configurable location. The addition is clearly marked in code. 2024-11-17 15:58:48 -07:00			`'en-media', // for ENEX import`
			`// Additional tags (https://github.com/TriliumNext/Notes/issues/567)`
			`'acronym', 'article', 'big', 'button', 'cite', 'col', 'colgroup', 'data', 'dd',`
			`'fieldset', 'form', 'legend', 'meter', 'noscript', 'option', 'progress', 'rp',`
			`'samp', 'small', 'sub', 'sup', 'template', 'textarea', 'tt'`
read allowedTags from options, fall back to static 2024-11-17 16:08:44 -07:00			`];`
			`}`

			`// to minimize document changes, compress H`
			`return sanitizeHtml(dirtyHtml, {`
			`allowedTags,`
html sanitize imported notes, #1137 2020-06-30 23:37:06 +02:00			`allowedAttributes: {`
respect safeImport flag when sanitizing imported content 2023-10-21 17:54:07 +02:00			`'': [ 'class', 'style', 'title', 'src', 'href', 'hash', 'disabled', 'align', 'alt', 'center', 'data-' ]`
import fixes 2020-07-27 23:40:14 +02:00			`},`
added some extra allowed URI schemes, fixes #3692 2023-03-12 21:20:34 +01:00			`allowedSchemes: [`
			`'http', 'https', 'ftp', 'ftps', 'mailto', 'data', 'evernote', 'file', 'facetime', 'irc', 'gemini', 'git',`
			`'gopher', 'imap', 'irc', 'irc6', 'jabber', 'jar', 'lastfm', 'ldap', 'ldaps', 'magnet', 'message',`
Add `onenote` Scheme to html sanitizer 2023-03-13 10:36:25 -04:00			`'mumble', 'nfs', 'onenote', 'pop', 'rmi', 's3', 'sftp', 'skype', 'sms', 'spotify', 'steam', 'svn', 'udp',`
			`'view-source', 'vnc', 'ws', 'wss', 'xmpp', 'jdbc', 'slack'`
added some extra allowed URI schemes, fixes #3692 2023-03-12 21:20:34 +01:00			`],`
html_sanitizer: Demote H1 tags (#2190) Generalize clipper.js support for removing H1 tags so it also applies to imports. This will move all heading levels down to make room if needed, only leaving duplicates at H6. 2021-10-03 11:56:08 -07:00			`transformTags,`
html sanitize imported notes, #1137 2020-06-30 23:37:06 +02:00			`});`
			`}`

server-esm: Change some more export object to export default object 2024-07-18 21:47:30 +03:00			`export default {`
fix clipping selection can create multiple notes for the same Url sanitize was replacing '&' char to '&'and changing actual Url 2023-01-03 20:44:31 +02:00			`sanitize,`
server-ts: Port services/html_sanitizer 2024-02-17 21:33:47 +02:00			`sanitizeUrl: (url: string) => {`
			`return sanitizeUrl.sanitizeUrl(url).trim();`
small refactorings of clipper code 2023-07-09 22:58:34 +02:00			`}`
html sanitize imported notes, #1137 2020-06-30 23:37:06 +02:00			`};`