diff --git a/src/public/app/widgets/type_widgets/options/other/html_import_tags.js b/src/public/app/widgets/type_widgets/options/other/html_import_tags.js index 30a77e256..818abf499 100644 --- a/src/public/app/widgets/type_widgets/options/other/html_import_tags.js +++ b/src/public/app/widgets/type_widgets/options/other/html_import_tags.js @@ -1,5 +1,6 @@ import OptionsWidget from "../options_widget.js"; import { t } from "../../../../services/i18n.js"; +import { DEFAULT_ALLOWED_TAGS } from "../../../../services/html_sanitizer.js"; const TPL = `
@@ -21,19 +22,6 @@ const TPL = `
`; -const defaultTags = [ - 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', - 'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div', - 'table', 'thead', 'caption', 'tbody', 'tfoot', 'tr', 'th', 'td', 'pre', 'section', 'img', - 'figure', 'figcaption', 'span', 'label', 'input', 'details', 'summary', 'address', 'aside', 'footer', - 'header', 'hgroup', 'main', 'nav', 'dl', 'dt', 'menu', 'bdi', 'bdo', 'dfn', 'kbd', 'mark', 'q', 'time', - 'var', 'wbr', 'area', 'map', 'track', 'video', 'audio', 'picture', 'del', 'ins', - 'en-media', - 'acronym', 'article', 'big', 'button', 'cite', 'col', 'colgroup', 'data', 'dd', - 'fieldset', 'form', 'legend', 'meter', 'noscript', 'option', 'progress', 'rp', - 'samp', 'small', 'sub', 'sup', 'template', 'textarea', 'tt' -]; - export default class HtmlImportTagsOptions extends OptionsWidget { doRender() { this.$widget = $(TPL); @@ -48,7 +36,7 @@ export default class HtmlImportTagsOptions extends OptionsWidget { // Load initial tags this.refresh(); } - + async optionsLoaded(options) { try { if (options.allowedHtmlTags) { @@ -56,16 +44,16 @@ export default class HtmlImportTagsOptions extends OptionsWidget { this.$allowedTags.val(tags.join(' ')); } else { // If no tags are set, show the defaults - this.$allowedTags.val(defaultTags.join(' ')); + this.$allowedTags.val(DEFAULT_ALLOWED_TAGS.join(' ')); } } catch (e) { console.error('Could not load HTML tags:', e); // On error, show the defaults - this.$allowedTags.val(defaultTags.join(' ')); + this.$allowedTags.val(DEFAULT_ALLOWED_TAGS.join(' ')); } } - + async saveTags() { const tagsText = this.$allowedTags.val(); const tags = tagsText.split(/[\n,\s]+/) // Split on newlines, commas, or spaces @@ -74,9 +62,9 @@ export default class HtmlImportTagsOptions extends OptionsWidget { await this.updateOption('allowedHtmlTags', JSON.stringify(tags)); } - + async resetToDefault() { - this.$allowedTags.val(defaultTags.join('\n')); // Use actual newline + this.$allowedTags.val(DEFAULT_ALLOWED_TAGS.join('\n')); // Use actual newline await this.saveTags(); } } diff --git a/src/services/html_sanitizer.ts b/src/services/html_sanitizer.ts index acfa75434..d0a8c14cd 100644 --- a/src/services/html_sanitizer.ts +++ b/src/services/html_sanitizer.ts @@ -2,6 +2,21 @@ import sanitizeHtml from "sanitize-html"; import sanitizeUrl from "@braintree/sanitize-url"; import optionService from "./options.js"; +// Default list of allowed HTML tags +export const DEFAULT_ALLOWED_TAGS = [ + 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', + 'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div', + 'table', 'thead', 'caption', 'tbody', 'tfoot', 'tr', 'th', 'td', 'pre', 'section', 'img', + 'figure', 'figcaption', 'span', 'label', 'input', 'details', 'summary', 'address', 'aside', 'footer', + 'header', 'hgroup', 'main', 'nav', 'dl', 'dt', 'menu', 'bdi', 'bdo', 'dfn', 'kbd', 'mark', 'q', 'time', + 'var', 'wbr', 'area', 'map', 'track', 'video', 'audio', 'picture', 'del', 'ins', + 'en-media', // for ENEX import + // Additional tags (https://github.com/TriliumNext/Notes/issues/567) + 'acronym', 'article', 'big', 'button', 'cite', 'col', 'colgroup', 'data', 'dd', + 'fieldset', 'form', 'legend', 'meter', 'noscript', 'option', 'progress', 'rp', + 'samp', 'small', 'sub', 'sup', 'template', 'textarea', 'tt' +] as const; + // intended mainly as protection against XSS via import // secondarily, it (partly) protects against "CSS takeover" // sanitize also note titles, label values etc. - there are so many usages which make it difficult @@ -30,19 +45,7 @@ function sanitize(dirtyHtml: string) { allowedTags = JSON.parse(optionService.getOption('allowedHtmlTags')); } catch (e) { // Fallback to default list if option doesn't exist or is invalid - allowedTags = [ - 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', - 'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div', - 'table', 'thead', 'caption', 'tbody', 'tfoot', 'tr', 'th', 'td', 'pre', 'section', 'img', - 'figure', 'figcaption', 'span', 'label', 'input', 'details', 'summary', 'address', 'aside', 'footer', - 'header', 'hgroup', 'main', 'nav', 'dl', 'dt', 'menu', 'bdi', 'bdo', 'dfn', 'kbd', 'mark', 'q', 'time', - 'var', 'wbr', 'area', 'map', 'track', 'video', 'audio', 'picture', 'del', 'ins', - 'en-media', // for ENEX import - // Additional tags (https://github.com/TriliumNext/Notes/issues/567) - 'acronym', 'article', 'big', 'button', 'cite', 'col', 'colgroup', 'data', 'dd', - 'fieldset', 'form', 'legend', 'meter', 'noscript', 'option', 'progress', 'rp', - 'samp', 'small', 'sub', 'sup', 'template', 'textarea', 'tt' - ]; + allowedTags = DEFAULT_ALLOWED_TAGS; } // to minimize document changes, compress H