2024-07-18 21:37:45 +03:00
|
|
|
import sanitizeHtml from "sanitize-html";
|
|
|
|
|
import sanitizeUrl from "@braintree/sanitize-url";
|
2024-11-17 16:08:44 -07:00
|
|
|
import optionService from "./options.js";
|
2020-06-30 23:37:06 +02:00
|
|
|
|
2024-11-18 19:52:31 -07:00
|
|
|
// Default list of allowed HTML tags
|
|
|
|
|
export const DEFAULT_ALLOWED_TAGS = [
|
2025-01-09 18:07:02 +02:00
|
|
|
"h1",
|
|
|
|
|
"h2",
|
|
|
|
|
"h3",
|
|
|
|
|
"h4",
|
|
|
|
|
"h5",
|
|
|
|
|
"h6",
|
|
|
|
|
"blockquote",
|
|
|
|
|
"p",
|
|
|
|
|
"a",
|
|
|
|
|
"ul",
|
|
|
|
|
"ol",
|
|
|
|
|
"li",
|
|
|
|
|
"b",
|
|
|
|
|
"i",
|
|
|
|
|
"strong",
|
|
|
|
|
"em",
|
|
|
|
|
"strike",
|
|
|
|
|
"s",
|
|
|
|
|
"del",
|
|
|
|
|
"abbr",
|
|
|
|
|
"code",
|
|
|
|
|
"hr",
|
|
|
|
|
"br",
|
|
|
|
|
"div",
|
|
|
|
|
"table",
|
|
|
|
|
"thead",
|
|
|
|
|
"caption",
|
|
|
|
|
"tbody",
|
|
|
|
|
"tfoot",
|
|
|
|
|
"tr",
|
|
|
|
|
"th",
|
|
|
|
|
"td",
|
|
|
|
|
"pre",
|
|
|
|
|
"section",
|
|
|
|
|
"img",
|
|
|
|
|
"figure",
|
|
|
|
|
"figcaption",
|
|
|
|
|
"span",
|
|
|
|
|
"label",
|
|
|
|
|
"input",
|
|
|
|
|
"details",
|
|
|
|
|
"summary",
|
|
|
|
|
"address",
|
|
|
|
|
"aside",
|
|
|
|
|
"footer",
|
|
|
|
|
"header",
|
|
|
|
|
"hgroup",
|
|
|
|
|
"main",
|
|
|
|
|
"nav",
|
|
|
|
|
"dl",
|
|
|
|
|
"dt",
|
|
|
|
|
"menu",
|
|
|
|
|
"bdi",
|
|
|
|
|
"bdo",
|
|
|
|
|
"dfn",
|
|
|
|
|
"kbd",
|
|
|
|
|
"mark",
|
|
|
|
|
"q",
|
|
|
|
|
"time",
|
|
|
|
|
"var",
|
|
|
|
|
"wbr",
|
|
|
|
|
"area",
|
|
|
|
|
"map",
|
|
|
|
|
"track",
|
|
|
|
|
"video",
|
|
|
|
|
"audio",
|
|
|
|
|
"picture",
|
|
|
|
|
"del",
|
|
|
|
|
"ins",
|
|
|
|
|
"en-media", // for ENEX import
|
2024-11-18 19:52:31 -07:00
|
|
|
// Additional tags (https://github.com/TriliumNext/Notes/issues/567)
|
2025-01-09 18:07:02 +02:00
|
|
|
"acronym",
|
|
|
|
|
"article",
|
|
|
|
|
"big",
|
|
|
|
|
"button",
|
|
|
|
|
"cite",
|
|
|
|
|
"col",
|
|
|
|
|
"colgroup",
|
|
|
|
|
"data",
|
|
|
|
|
"dd",
|
|
|
|
|
"fieldset",
|
|
|
|
|
"form",
|
|
|
|
|
"legend",
|
|
|
|
|
"meter",
|
|
|
|
|
"noscript",
|
|
|
|
|
"option",
|
|
|
|
|
"progress",
|
|
|
|
|
"rp",
|
|
|
|
|
"samp",
|
|
|
|
|
"small",
|
|
|
|
|
"sub",
|
|
|
|
|
"sup",
|
|
|
|
|
"template",
|
|
|
|
|
"textarea",
|
|
|
|
|
"tt"
|
2024-11-18 19:52:31 -07:00
|
|
|
] as const;
|
|
|
|
|
|
2020-06-30 23:37:06 +02:00
|
|
|
// intended mainly as protection against XSS via import
|
2023-06-29 22:10:13 +02:00
|
|
|
// secondarily, it (partly) protects against "CSS takeover"
|
|
|
|
|
// sanitize also note titles, label values etc. - there are so many usages which make it difficult
|
|
|
|
|
// to guarantee all of them are properly handled
|
2024-02-17 21:33:47 +02:00
|
|
|
function sanitize(dirtyHtml: string) {
|
2021-12-30 21:06:45 +01:00
|
|
|
if (!dirtyHtml) {
|
|
|
|
|
return dirtyHtml;
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-03 11:56:08 -07:00
|
|
|
// avoid H1 per https://github.com/zadam/trilium/issues/1552
|
|
|
|
|
// demote H1, and if that conflicts with existing H2, demote that, etc
|
2024-02-17 21:33:47 +02:00
|
|
|
const transformTags: Record<string, string> = {};
|
2021-10-03 23:01:22 +02:00
|
|
|
const lowercasedHtml = dirtyHtml.toLowerCase();
|
|
|
|
|
for (let i = 1; i < 6; ++i) {
|
|
|
|
|
if (lowercasedHtml.includes(`<h${i}`)) {
|
|
|
|
|
transformTags[`h${i}`] = `h${i + 1}`;
|
2025-01-09 18:07:02 +02:00
|
|
|
} else {
|
2021-10-03 11:56:08 -07:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-11-17 16:08:44 -07:00
|
|
|
// Get allowed tags from options, with fallback to default list if option not yet set
|
|
|
|
|
let allowedTags;
|
|
|
|
|
try {
|
2025-01-09 18:07:02 +02:00
|
|
|
allowedTags = JSON.parse(optionService.getOption("allowedHtmlTags"));
|
2024-11-17 16:08:44 -07:00
|
|
|
} catch (e) {
|
|
|
|
|
// Fallback to default list if option doesn't exist or is invalid
|
2024-11-18 19:52:31 -07:00
|
|
|
allowedTags = DEFAULT_ALLOWED_TAGS;
|
2024-11-17 16:08:44 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// to minimize document changes, compress H
|
|
|
|
|
return sanitizeHtml(dirtyHtml, {
|
|
|
|
|
allowedTags,
|
2020-06-30 23:37:06 +02:00
|
|
|
allowedAttributes: {
|
2025-01-09 18:07:02 +02:00
|
|
|
"*": ["class", "style", "title", "src", "href", "hash", "disabled", "align", "alt", "center", "data-*"],
|
|
|
|
|
input: ["type", "checked"]
|
2020-07-27 23:40:14 +02:00
|
|
|
},
|
2024-11-29 18:01:12 +08:00
|
|
|
// Be consistent with `allowedSchemes` in `src\public\app\services\link.js`
|
2023-03-12 21:20:34 +01:00
|
|
|
allowedSchemes: [
|
2025-01-09 18:07:02 +02:00
|
|
|
"http",
|
|
|
|
|
"https",
|
|
|
|
|
"ftp",
|
|
|
|
|
"ftps",
|
|
|
|
|
"mailto",
|
|
|
|
|
"data",
|
|
|
|
|
"evernote",
|
|
|
|
|
"file",
|
|
|
|
|
"facetime",
|
|
|
|
|
"gemini",
|
|
|
|
|
"git",
|
|
|
|
|
"gopher",
|
|
|
|
|
"imap",
|
|
|
|
|
"irc",
|
|
|
|
|
"irc6",
|
|
|
|
|
"jabber",
|
|
|
|
|
"jar",
|
|
|
|
|
"lastfm",
|
|
|
|
|
"ldap",
|
|
|
|
|
"ldaps",
|
|
|
|
|
"magnet",
|
|
|
|
|
"message",
|
|
|
|
|
"mumble",
|
|
|
|
|
"nfs",
|
|
|
|
|
"onenote",
|
|
|
|
|
"pop",
|
|
|
|
|
"rmi",
|
|
|
|
|
"s3",
|
|
|
|
|
"sftp",
|
|
|
|
|
"skype",
|
|
|
|
|
"sms",
|
|
|
|
|
"spotify",
|
|
|
|
|
"steam",
|
|
|
|
|
"svn",
|
|
|
|
|
"udp",
|
|
|
|
|
"view-source",
|
|
|
|
|
"vlc",
|
|
|
|
|
"vnc",
|
|
|
|
|
"ws",
|
|
|
|
|
"wss",
|
|
|
|
|
"xmpp",
|
|
|
|
|
"jdbc",
|
|
|
|
|
"slack",
|
|
|
|
|
"tel",
|
|
|
|
|
"smb",
|
|
|
|
|
"zotero",
|
|
|
|
|
"geo"
|
2024-11-28 19:41:45 +02:00
|
|
|
],
|
2025-01-09 18:07:02 +02:00
|
|
|
nonTextTags: ["head"],
|
2024-11-28 19:41:45 +02:00
|
|
|
transformTags
|
2020-06-30 23:37:06 +02:00
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
2024-07-18 21:47:30 +03:00
|
|
|
export default {
|
2023-01-03 20:44:31 +02:00
|
|
|
sanitize,
|
2024-02-17 21:33:47 +02:00
|
|
|
sanitizeUrl: (url: string) => {
|
|
|
|
|
return sanitizeUrl.sanitizeUrl(url).trim();
|
2023-07-09 22:58:34 +02:00
|
|
|
}
|
2020-06-30 23:37:06 +02:00
|
|
|
};
|
