🎨 Do not execute scripts in HTML blocks by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/11172

2026-02-20 05:58:07 +01:00 · 2024-04-27 23:01:31 +08:00 · 2024-04-27 23:01:31 +08:00 · 34caeb5871
commit 34caeb5871
parent 239a1434e1
10 changed files with 39 additions and 2 deletions
--- a/app/src/config/editor.ts
+++ b/app/src/config/editor.ts
@ -267,6 +267,14 @@ export const editor = {
        <textarea class="b3-text-field fn__block" id="katexMacros" spellcheck="false">${window.siyuan.config.editor.katexMacros}</textarea>
    </div>
 </div>
+<label class="fn__flex b3-label">
+    <div class="fn__flex-1">
+        ${window.siyuan.languages.allowHTMLBLockScript}
+        <div class="b3-label__text">${window.siyuan.languages.allowHTMLBLockScriptTip}</div>
+    </div>
+    <span class="fn__space"></span>
+    <input class="b3-switch fn__flex-center" id="allowHTMLBLockScript" type="checkbox"${window.siyuan.config.editor.allowHTMLBLockScript ? " checked" : ""}/>
+</label>
 <label class="fn__flex b3-label">
    <div class="fn__flex-1">
        ${window.siyuan.languages.editorMarkdownInlineSup}
@ -338,6 +346,7 @@ export const editor = {
            fetchPost("/api/setting/setEditor", {
                fullWidth: (editor.element.querySelector("#fullWidth") as HTMLInputElement).checked,
                markdown: markdown,
+                allowHTMLBLockScript: (editor.element.querySelector("#allowHTMLBLockScript") as HTMLInputElement).checked,
                justify: (editor.element.querySelector("#justify") as HTMLInputElement).checked,
                rtl: (editor.element.querySelector("#rtl") as HTMLInputElement).checked,
                readOnly: (editor.element.querySelector("#readOnly") as HTMLInputElement).checked,
--- a/app/src/config/search.ts
+++ b/app/src/config/search.ts
@ -22,7 +22,9 @@ export const initConfigSearch = (element: HTMLElement, app: App) => {
            "outdent", "floatWindowMode", "floatWindowModeTip", "justify", "justifyTip", "rtl", "rtlTip", "spellcheck",
            "spellcheckTip", "backlinkExpand", "backlinkExpandTip", "onlySearchForDoc", "onlySearchForDocTip",
            "dynamicLoadBlocks", "dynamicLoadBlocksTip", "fontSizeScrollZoom", "fontSizeScrollZoomTip",
-            "listItemDotNumberClickFocus", "listItemDotNumberClickFocusTip"
+            "listItemDotNumberClickFocus", "listItemDotNumberClickFocusTip", "editorMarkdownInlineSup", "editorMarkdownInlineSupTip",
+            "editorMarkdownInlineSub", "editorMarkdownInlineSubTip", "editorMarkdownInlineTag", "editorMarkdownInlineTagTip",
+            "editorMarkdownInlineMath", "editorMarkdownInlineMathTip", "allowHTMLBLockScript", "allowHTMLBLockScriptTip",
        ]),

        // 文档树
--- a/app/src/types/config.d.ts
+++ b/app/src/types/config.d.ts
@ -306,6 +306,11 @@ declare namespace Config {
     */
    export interface IEditor {

+        /**
+         * Whether to allow to execute javascript in the HTML block
+         */
+        allowHTMLBLockScript: boolean;
+
        /**
         * Markdown configuration
         */