🎨 Do not execute scripts in HTML blocks by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/11172

2024-04-27 23:01:31 +08:00 · 2024-04-27 23:01:31 +08:00 · 34caeb5871
commit 34caeb5871
parent 239a1434e1
10 changed files with 39 additions and 2 deletions
--- a/app/appearance/langs/en_US.json
+++ b/app/appearance/langs/en_US.json
@ -1,4 +1,6 @@
 {
+  "allowHTMLBLockScript": "Allow execution of scripts within HTML blocks",
+  "allowHTMLBLockScriptTip": "After enabling, the script in the HTML block will not be sanitized, Please be aware of the potential risk of XSS attacks",
  "autoLaunchMode0": "Do not launch automatically",
  "autoLaunchMode1": "Auto launch after booting",
  "autoLaunchMode2": "Auto launch and minimize the main interface after booting",
--- a/app/appearance/langs/es_ES.json
+++ b/app/appearance/langs/es_ES.json
@ -1,4 +1,6 @@
 {
+  "allowHTMLBLockScript": "Permitir la ejecución de scripts dentro de bloques HTML",
+  "allowHTMLBLockScriptTip": "Después de habilitarlo, el script en el bloque HTML no se desinfectará. Tenga en cuenta el riesgo potencial de ataques XSS",
  "autoLaunchMode0": "No iniciar automáticamente",
  "autoLaunchMode1": "Inicio automático después del arranque",
  "autoLaunchMode2": "Iniciar automáticamente y minimizar la interfaz principal después del arranque",
--- a/app/appearance/langs/fr_FR.json
+++ b/app/appearance/langs/fr_FR.json
@ -1,4 +1,6 @@
 {
+  "allowHTMLBLockScript": "Autoriser l'exécution de scripts dans les blocs HTML",
+  "allowHTMLBLockScriptTip": "Après activation, le script dans le bloc HTML ne sera pas nettoyé. Veuillez être conscient du risque potentiel d'attaques XSS",
  "autoLaunchMode0": "Ne pas lancer automatiquement",
  "autoLaunchMode1": "Lancement automatique après le démarrage",
  "autoLaunchMode2": "Lancement automatique et minimisation de l'interface principale après le démarrage",
--- a/app/appearance/langs/zh_CHT.json
+++ b/app/appearance/langs/zh_CHT.json
@ -1,4 +1,6 @@
 {
+  "allowHTMLBLockScript": "允許執行 HTML 區塊內腳本",
+  "allowHTMLBLockScriptTip": "啟用後將不對 HTML 區塊中的程式碼進行安全過濾，請注意潛在的 XSS 攻擊風險",
  "autoLaunchMode0": "不自動啟動",
  "autoLaunchMode1": "開機自動啟動",
  "autoLaunchMode2": "開機後自動啟動並最小化主介面",
--- a/app/appearance/langs/zh_CN.json
+++ b/app/appearance/langs/zh_CN.json
@ -1,4 +1,6 @@
 {
+  "allowHTMLBLockScript": "允许执行 HTML 块内脚本",
+  "allowHTMLBLockScriptTip": "启用后将不对 HTML 块中的代码进行安全过滤，请注意潜在的 XSS 攻击风险",
  "autoLaunchMode0": "不自动启动",
  "autoLaunchMode1": "开机后自动启动",
  "autoLaunchMode2": "开机后自动启动并最小化主界面",
--- a/app/src/config/editor.ts
+++ b/app/src/config/editor.ts
@ -267,6 +267,14 @@ export const editor = {
        <textarea class="b3-text-field fn__block" id="katexMacros" spellcheck="false">${window.siyuan.config.editor.katexMacros}</textarea>
    </div>
 </div>
+<label class="fn__flex b3-label">
+    <div class="fn__flex-1">
+        ${window.siyuan.languages.allowHTMLBLockScript}
+        <div class="b3-label__text">${window.siyuan.languages.allowHTMLBLockScriptTip}</div>
+    </div>
+    <span class="fn__space"></span>
+    <input class="b3-switch fn__flex-center" id="allowHTMLBLockScript" type="checkbox"${window.siyuan.config.editor.allowHTMLBLockScript ? " checked" : ""}/>
+</label>
 <label class="fn__flex b3-label">
    <div class="fn__flex-1">
        ${window.siyuan.languages.editorMarkdownInlineSup}
@ -338,6 +346,7 @@ export const editor = {
            fetchPost("/api/setting/setEditor", {
                fullWidth: (editor.element.querySelector("#fullWidth") as HTMLInputElement).checked,
                markdown: markdown,
+                allowHTMLBLockScript: (editor.element.querySelector("#allowHTMLBLockScript") as HTMLInputElement).checked,
                justify: (editor.element.querySelector("#justify") as HTMLInputElement).checked,
                rtl: (editor.element.querySelector("#rtl") as HTMLInputElement).checked,
                readOnly: (editor.element.querySelector("#readOnly") as HTMLInputElement).checked,
--- a/app/src/config/search.ts
+++ b/app/src/config/search.ts
@ -22,7 +22,9 @@ export const initConfigSearch = (element: HTMLElement, app: App) => {
            "outdent", "floatWindowMode", "floatWindowModeTip", "justify", "justifyTip", "rtl", "rtlTip", "spellcheck",
            "spellcheckTip", "backlinkExpand", "backlinkExpandTip", "onlySearchForDoc", "onlySearchForDocTip",
            "dynamicLoadBlocks", "dynamicLoadBlocksTip", "fontSizeScrollZoom", "fontSizeScrollZoomTip",
-            "listItemDotNumberClickFocus", "listItemDotNumberClickFocusTip"
+            "listItemDotNumberClickFocus", "listItemDotNumberClickFocusTip", "editorMarkdownInlineSup", "editorMarkdownInlineSupTip",
+            "editorMarkdownInlineSub", "editorMarkdownInlineSubTip", "editorMarkdownInlineTag", "editorMarkdownInlineTagTip",
+            "editorMarkdownInlineMath", "editorMarkdownInlineMathTip", "allowHTMLBLockScript", "allowHTMLBLockScriptTip",
        ]),

        // 文档树
--- a/app/src/types/config.d.ts
+++ b/app/src/types/config.d.ts
@ -306,6 +306,11 @@ declare namespace Config {
     */
    export interface IEditor {

+        /**
+         * Whether to allow to execute javascript in the HTML block
+         */
+        allowHTMLBLockScript: boolean;
+
        /**
         * Markdown configuration
         */
--- a/app/stage/protyle/js/protyle-html.js
+++ b/app/stage/protyle/js/protyle-html.js
--- a/kernel/conf/editor.go
+++ b/kernel/conf/editor.go
@ -19,6 +19,7 @@ package conf
 import "github.com/siyuan-note/siyuan/kernel/util"

 type Editor struct {
+	AllowHTMLBLockScript            bool           `json:"allowHTMLBLockScript"`            // 允许执行 HTML 块内脚本
 	FontSize                        int            `json:"fontSize"`                        // 字体大小
 	FontSizeScrollZoom              bool           `json:"fontSizeScrollZoom"`              // 字体大小是否支持滚轮缩放
 	FontFamily                      string         `json:"fontFamily"`                      // 字体