mirror of
https://github.com/siyuan-note/siyuan.git
synced 2025-12-23 18:10:12 +01:00
This commit is contained in:
Vanessa
parent
30b0f69dff
commit
e04c8ff0b9
2 changed files with 47 additions and 45 deletions
|
|
@ -995,7 +995,7 @@ export class Toolbar {
|
||||||
/// #endif
|
/// #endif
|
||||||
const textElement = this.subElement.querySelector(".b3-text-field") as HTMLTextAreaElement;
|
const textElement = this.subElement.querySelector(".b3-text-field") as HTMLTextAreaElement;
|
||||||
if (types.includes("NodeHTMLBlock")) {
|
if (types.includes("NodeHTMLBlock")) {
|
||||||
textElement.value = renderElement.querySelector("protyle-html").getAttribute("data-content") || "";
|
textElement.value = Lute.UnEscapeHTMLStr(renderElement.querySelector("protyle-html").getAttribute("data-content") || "");
|
||||||
} else if (isInlineMemo) {
|
} else if (isInlineMemo) {
|
||||||
textElement.value = Lute.UnEscapeHTMLStr(renderElement.getAttribute("data-inline-memo-content") || "");
|
textElement.value = Lute.UnEscapeHTMLStr(renderElement.getAttribute("data-inline-memo-content") || "");
|
||||||
} else {
|
} else {
|
||||||
|
|
|
||||||
90
app/stage/protyle/js/protyle-html.js
vendored
90
app/stage/protyle/js/protyle-html.js
vendored
|
|
@ -3,51 +3,53 @@
|
||||||
//# sourceMappingURL=purify.min.js.map
|
//# sourceMappingURL=purify.min.js.map
|
||||||
|
|
||||||
class ProtyleHtml extends HTMLElement {
|
class ProtyleHtml extends HTMLElement {
|
||||||
constructor () {
|
constructor() {
|
||||||
super()
|
super()
|
||||||
const shadowRoot = this.attachShadow({mode: 'open'})
|
const shadowRoot = this.attachShadow({mode: 'open'})
|
||||||
this.display = this.shadowRoot
|
this.display = this.shadowRoot
|
||||||
const dataContent = this.getAttribute('data-content')
|
// https://github.com/siyuan-note/siyuan/issues/11321
|
||||||
this.display.innerHTML = dataContent
|
this.setAttribute('data-content', Lute.EscapeHTMLStr(this.getAttribute('data-content')))
|
||||||
}
|
const dataContent = this.getAttribute('data-content')
|
||||||
|
this.display.innerHTML = dataContent
|
||||||
static get observedAttributes () {
|
}
|
||||||
return ['data-content']
|
|
||||||
}
|
static get observedAttributes() {
|
||||||
|
return ['data-content']
|
||||||
attributeChangedCallback (name, oldValue, newValue) {
|
}
|
||||||
if (name === 'data-content') {
|
|
||||||
let dataContent = Lute.UnEscapeHTMLStr(this.getAttribute('data-content'))
|
attributeChangedCallback(name, oldValue, newValue) {
|
||||||
|
if (name === 'data-content') {
|
||||||
if (!window.siyuan.config.editor.allowHTMLBLockScript) {
|
let dataContent = Lute.UnEscapeHTMLStr(this.getAttribute('data-content'))
|
||||||
// Do not execute scripts in HTML blocks by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/11172
|
|
||||||
dataContent = DOMPurify.sanitize(dataContent);
|
if (!window.siyuan.config.editor.allowHTMLBLockScript) {
|
||||||
}
|
// Do not execute scripts in HTML blocks by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/11172
|
||||||
|
dataContent = DOMPurify.sanitize(dataContent);
|
||||||
this.display.innerHTML = dataContent
|
}
|
||||||
|
|
||||||
const el = document.createElement('div')
|
this.display.innerHTML = dataContent
|
||||||
el.innerHTML = dataContent
|
|
||||||
const scripts = el.getElementsByTagName('script')
|
const el = document.createElement('div')
|
||||||
let fatalHTML = ''
|
el.innerHTML = dataContent
|
||||||
for (const script of scripts) {
|
const scripts = el.getElementsByTagName('script')
|
||||||
if (script.textContent.indexOf('document.write') > -1) {
|
let fatalHTML = ''
|
||||||
fatalHTML += `<div style="color:var(--b3-theme-error);font-size: 12px">${window.siyuan.languages.htmlBlockError}</div>
|
for (const script of scripts) {
|
||||||
<textarea style="width: 100%;box-sizing: border-box;height: 120px"><script>${script.textContent}</script></textarea>`
|
if (script.textContent.indexOf('document.write') > -1) {
|
||||||
} else {
|
fatalHTML += `<div style="color:var(--b3-theme-error);font-size: 12px">${window.siyuan.languages.htmlBlockError}</div>
|
||||||
const s = document.createElement('script')
|
<textarea style="width: 100%;box-sizing: border-box;height: 120px"><script>${script.textContent}</script></textarea>`
|
||||||
for (const attr of script.attributes) {
|
} else {
|
||||||
s.setAttribute(attr.name, attr.value);
|
const s = document.createElement('script')
|
||||||
}
|
for (const attr of script.attributes) {
|
||||||
s.textContent = script.textContent
|
s.setAttribute(attr.name, attr.value);
|
||||||
this.display.appendChild(s)
|
}
|
||||||
}
|
s.textContent = script.textContent
|
||||||
}
|
this.display.appendChild(s)
|
||||||
if (fatalHTML) {
|
}
|
||||||
this.display.innerHTML += fatalHTML
|
}
|
||||||
}
|
if (fatalHTML) {
|
||||||
|
this.display.innerHTML += fatalHTML
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
customElements.define('protyle-html', ProtyleHtml)
|
customElements.define('protyle-html', ProtyleHtml)
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue