diff --git a/src/public/app/services/link.ts b/src/public/app/services/link.ts
index 2edccdd55..6e31f97e4 100644
--- a/src/public/app/services/link.ts
+++ b/src/public/app/services/link.ts
@@ -4,6 +4,15 @@ import appContext, { type NoteCommandData } from "../components/app_context.js";
 import froca from "./froca.js";
 import utils from "./utils.js";
 
+// Be consistent with `allowedSchemes` in `src\services\html_sanitizer.ts`
+// TODO: Deduplicate with server once we can.
+export const ALLOWED_PROTOCOLS = [
+ 'http', 'https', 'ftp', 'ftps', 'mailto', 'data', 'evernote', 'file', 'facetime', 'gemini', 'git',
+ 'gopher', 'imap', 'irc', 'irc6', 'jabber', 'jar', 'lastfm', 'ldap', 'ldaps', 'magnet', 'message',
+ 'mumble', 'nfs', 'onenote', 'pop', 'rmi', 's3', 'sftp', 'skype', 'sms', 'spotify', 'steam', 'svn', 'udp',
+ 'view-source', 'vlc', 'vnc', 'ws', 'wss', 'xmpp', 'jdbc', 'slack', 'tel', 'smb', 'zotero', 'geo'
+];
+
 function getNotePathFromUrl(url: string) {
 const notePathMatch = /#(root[A-Za-z0-9_/]*)$/.exec(url);
 
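Review bot: The comment above the new constant points at `allowedSchemes` in `src\services\html_sanitizer.ts`, but in this same commit the server list becomes the exported constant `ALLOWED_PROTOCOLS` (only the sanitize-html option key is still called `allowedSchemes`), so the cross-reference is misleading from the moment it lands; suggest `// Keep in sync with ALLOWED_PROTOCOLS in src/services/html_sanitizer.ts` (forward slashes also read correctly outside Windows). Since this array is an allowlist deciding which link schemes the client will open, a frozen export would stop any importer from appending to it at runtime, e.g. `export const ALLOWED_PROTOCOLS = Object.freeze([ ... ]);` — that only works if the CKEditor `allowedProtocols` option type accepts a readonly array, which I cannot confirm from the hunk. The `TODO: Deduplicate` comment would be more actionable if it said what blocks sharing the module today (client/server build boundary, presumably).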
@@ -296,58 +305,7 @@ function goToLinkExt(evt: MouseEvent | JQuery.ClickEvent | JQuery.MouseDownEvent
 electron.shell.openPath(hrefLink);
 } else {
 // Enable protocols supported by CKEditor 5 to be clickable.
- // Refer to `allowedProtocols` in https://github.com/TriliumNext/trilium-ckeditor5/blob/main/packages/ckeditor5-build-balloon-block/src/ckeditor.ts.
- // And be consistent with `allowedSchemes` in `src\services\html_sanitizer.ts`
- const allowedSchemes = [
- "http",
- "https",
- "ftp",
- "ftps",
- "mailto",
- "data",
- "evernote",
- "file",
- "facetime",
- "gemini",
- "git",
- "gopher",
- "imap",
- "irc",
- "irc6",
- "jabber",
- "jar",
- "lastfm",
- "ldap",
- "ldaps",
- "magnet",
- "message",
- "mumble",
- "nfs",
- "onenote",
- "pop",
- "rmi",
- "s3",
- "sftp",
- "skype",
- "sms",
- "spotify",
- "steam",
- "svn",
- "udp",
- "view-source",
- "vlc",
- "vnc",
- "ws",
- "wss",
- "xmpp",
- "jdbc",
- "slack",
- "tel",
- "smb",
- "zotero",
- "geo"
- ];
- if (allowedSchemes.some((protocol) => hrefLink.toLowerCase().startsWith(protocol + ":"))) {
+ if (ALLOWED_PROTOCOLS.some((protocol) => hrefLink.toLowerCase().startsWith(protocol + ":"))) {
 window.open(hrefLink, "_blank");
 }
 }
diff --git a/src/public/app/widgets/type_widgets/ckeditor/toolbars.ts b/src/public/app/widgets/type_widgets/ckeditor/toolbars.ts
index 9b0da9e8b..425fa819c 100644
--- a/src/public/app/widgets/type_widgets/ckeditor/toolbars.ts
+++ b/src/public/app/widgets/type_widgets/ckeditor/toolbars.ts
@@ -1,3 +1,4 @@
+import { ALLOWED_PROTOCOLS } from "../../../services/link.js";
 import options from "../../../services/options.js";
 import utils from "../../../services/utils.js";
 
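Review bot: `hrefLink.toLowerCase()` is recomputed for every entry of `ALLOWED_PROTOCOLS` inside the `some` callback on the one line this hunk rewrites; hoist it once, `const scheme = hrefLink.toLowerCase();` followed by `if (ALLOWED_PROTOCOLS.some((protocol) => scheme.startsWith(protocol + ":"))) {`. It is also worth a one-line comment that this is a plain prefix match on the string as received, whereas the server passes the same list to sanitize-html's `allowedSchemes`, which applies its own normalisation before comparing the scheme — identical lists do not make the two checks equivalent, so the "be consistent" wording in the comments should not be read as "behaves the same". goToLinkExt begins and ends outside the hunk, so where hrefLink originates and whether it is trimmed before this point is not visible here.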
@@ -101,12 +102,7 @@ export function buildConfig() {
 },
 link: {
 defaultProtocol: 'https://',
- allowedProtocols: [
- 'http', 'https', 'ftp', 'ftps', 'mailto', 'data', 'evernote', 'file', 'facetime', 'gemini', 'git',
- 'gopher', 'imap', 'irc', 'irc6', 'jabber', 'jar', 'lastfm', 'ldap', 'ldaps', 'magnet', 'message',
- 'mumble', 'nfs', 'onenote', 'pop', 'rmi', 's3', 'sftp', 'skype', 'sms', 'spotify', 'steam', 'svn', 'udp',
- 'view-source', 'vlc', 'vnc', 'ws', 'wss', 'xmpp', 'jdbc', 'slack', 'tel', 'smb', 'zotero', 'geo'
- ]
+ allowedProtocols: ALLOWED_PROTOCOLS
 },
 // This value must be kept in sync with the language defined in webpack.config.js.
 language: 'en'
diff --git a/src/services/html_sanitizer.ts b/src/services/html_sanitizer.ts
index 40f9734c9..1bac706e4 100644
--- a/src/services/html_sanitizer.ts
+++ b/src/services/html_sanitizer.ts
@@ -2,6 +2,15 @@ import sanitizeHtml from "sanitize-html";
 import sanitizeUrl from "@braintree/sanitize-url";
 import optionService from "./options.js";
 
+// Be consistent with `ALLOWED_PROTOCOLS` in `src\public\app\services\link.js`
+// TODO: Deduplicate with client once we can.
+export const ALLOWED_PROTOCOLS = [
+ 'http', 'https', 'ftp', 'ftps', 'mailto', 'data', 'evernote', 'file', 'facetime', 'gemini', 'git',
+ 'gopher', 'imap', 'irc', 'irc6', 'jabber', 'jar', 'lastfm', 'ldap', 'ldaps', 'magnet', 'message',
+ 'mumble', 'nfs', 'onenote', 'pop', 'rmi', 's3', 'sftp', 'skype', 'sms', 'spotify', 'steam', 'svn', 'udp',
+ 'view-source', 'vlc', 'vnc', 'ws', 'wss', 'xmpp', 'jdbc', 'slack', 'tel', 'smb', 'zotero', 'geo'
+];
+
 // Default list of allowed HTML tags
 export const DEFAULT_ALLOWED_TAGS = [
 "h1",
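Review bot: The comment on the server-side `ALLOWED_PROTOCOLS` refers to `src\public\app\services\link.js`, but the client file in this commit is `link.ts`, and the backslash path only reads naturally on Windows; suggest `// Keep in sync with ALLOWED_PROTOCOLS in src/public/app/services/link.ts`. The comment should also say that this copy is the one with teeth: sanitize() passes it as sanitize-html's `allowedSchemes`, so it decides which URLs survive in stored HTML, whereas the client copy only governs what the editor accepts and what a click opens — a future edit that touches one list and not the other is a behaviour change, not a cosmetic drift. Consider also noting next to the list that `data` and `file` are deliberately allowed (that is pre-existing, not introduced here), since a reader of an allowlist will otherwise assume they were overlooked.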
@@ -138,56 +147,7 @@ function sanitize(dirtyHtml: string) {
 "*": ["class", "style", "title", "src", "href", "hash", "disabled", "align", "alt", "center", "data-*"],
 input: ["type", "checked"]
 },
- // Be consistent with `allowedSchemes` in `src\public\app\services\link.js`
- allowedSchemes: [
- "http",
- "https",
- "ftp",
- "ftps",
- "mailto",
- "data",
- "evernote",
- "file",
- "facetime",
- "gemini",
- "git",
- "gopher",
- "imap",
- "irc",
- "irc6",
- "jabber",
- "jar",
- "lastfm",
- "ldap",
- "ldaps",
- "magnet",
- "message",
- "mumble",
- "nfs",
- "onenote",
- "pop",
- "rmi",
- "s3",
- "sftp",
- "skype",
- "sms",
- "spotify",
- "steam",
- "svn",
- "udp",
- "view-source",
- "vlc",
- "vnc",
- "ws",
- "wss",
- "xmpp",
- "jdbc",
- "slack",
- "tel",
- "smb",
- "zotero",
- "geo"
- ],
+ allowedSchemes: ALLOWED_PROTOCOLS,
 nonTextTags: ["head"],
 transformTags
 });
diff --git a/src/services/import/zip.ts b/src/services/import/zip.ts
index 61534fed3..4a364c949 100644
--- a/src/services/import/zip.ts
+++ b/src/services/import/zip.ts
@@ -302,7 +302,9 @@ async function importZip(taskContext: TaskContext, fileBuffer: Buffer, importRoo
 });
 
 if (taskContext.data?.safeImport) {
+ console.log("Before", content);
 content = htmlSanitizer.sanitize(content);
+ console.log("After", content);
 }
 
 content = content.replace(/]*>/gis, "");
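Review bot: The two `console.log` calls added around `htmlSanitizer.sanitize(content)` in zip.ts write the complete HTML of every imported note, before and after sanitisation, to the server's stdout; that looks like a leftover debug trace, it copies note contents into whatever captures the process output, and on a large import it will flood the log. Drop both lines, or if a before/after comparison is genuinely wanted, emit it through a debug-level logger with `content.length` (or a fixed-size prefix) rather than the full string. The `safeImport` branch is otherwise unchanged, and importZip starts and ends outside the hunk, so what `content` holds at this point is not visible here. Unrelated to this hunk, the same commit's `allowedSchemes: ALLOWED_PROTOCOLS,` change in html_sanitizer.ts needs no separate note beyond the comment fix raised on the constant's declaration.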