Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2026-03-05 12:20:16 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

🎨 Do not execute scripts in HTML blocks by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/11172

Browse source
This commit is contained in:
Daniel 2024-04-27 23:01:31 +08:00
parent 239a1434e1
commit 34caeb5871
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
10 changed files with 39 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
app/src/config/editor.ts
View file

@ -267,6 +267,14 @@ export const editor = {
<textarea class="b3-text-field fn__block" id="katexMacros" spellcheck="false">${window.siyuan.config.editor.katexMacros}</textarea>
</div>
</div>
<label class="fn__flex b3-label">
<div class="fn__flex-1">
${window.siyuan.languages.allowHTMLBLockScript}
<div class="b3-label__text">${window.siyuan.languages.allowHTMLBLockScriptTip}</div>
</div>
<span class="fn__space"></span>
<input class="b3-switch fn__flex-center" id="allowHTMLBLockScript" type="checkbox"${window.siyuan.config.editor.allowHTMLBLockScript ? " checked" : ""}/>
</label>
<label class="fn__flex b3-label">
<div class="fn__flex-1">
${window.siyuan.languages.editorMarkdownInlineSup}
@ -338,6 +346,7 @@ export const editor = {
fetchPost("/api/setting/setEditor", {
fullWidth: (editor.element.querySelector("#fullWidth") as HTMLInputElement).checked,
markdown: markdown,
allowHTMLBLockScript: (editor.element.querySelector("#allowHTMLBLockScript") as HTMLInputElement).checked,
justify: (editor.element.querySelector("#justify") as HTMLInputElement).checked,
rtl: (editor.element.querySelector("#rtl") as HTMLInputElement).checked,
readOnly: (editor.element.querySelector("#readOnly") as HTMLInputElement).checked,