🐛 https://github.com/siyuan-note/siyuan/issues/11321

2024-05-11 17:05:56 +08:00 · 2024-05-11 17:05:56 +08:00 · e04c8ff0b9
commit e04c8ff0b9
parent 30b0f69dff
2 changed files with 47 additions and 45 deletions
--- a/app/src/protyle/toolbar/index.ts
+++ b/app/src/protyle/toolbar/index.ts
@ -995,7 +995,7 @@ export class Toolbar {
        /// #endif
        const textElement = this.subElement.querySelector(".b3-text-field") as HTMLTextAreaElement;
        if (types.includes("NodeHTMLBlock")) {
-            textElement.value = renderElement.querySelector("protyle-html").getAttribute("data-content") || "";
+            textElement.value = Lute.UnEscapeHTMLStr(renderElement.querySelector("protyle-html").getAttribute("data-content") || "");
        } else if (isInlineMemo) {
            textElement.value = Lute.UnEscapeHTMLStr(renderElement.getAttribute("data-inline-memo-content") || "");
        } else {
--- a/app/stage/protyle/js/protyle-html.js
+++ b/app/stage/protyle/js/protyle-html.js
@ -3,51 +3,53 @@
 //# sourceMappingURL=purify.min.js.map

 class ProtyleHtml extends HTMLElement {
-  constructor () {
-    super()
-    const shadowRoot = this.attachShadow({mode: 'open'})
-    this.display = this.shadowRoot
-    const dataContent = this.getAttribute('data-content')
-    this.display.innerHTML = dataContent
-  }
-
-  static get observedAttributes () {
-    return ['data-content']
-  }
-
-  attributeChangedCallback (name, oldValue, newValue) {
-    if (name === 'data-content') {
-      let dataContent = Lute.UnEscapeHTMLStr(this.getAttribute('data-content'))
-
-      if (!window.siyuan.config.editor.allowHTMLBLockScript) {
-        // Do not execute scripts in HTML blocks by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/11172
-        dataContent = DOMPurify.sanitize(dataContent);
-      }
-
-      this.display.innerHTML = dataContent
-
-      const el = document.createElement('div')
-      el.innerHTML = dataContent
-      const scripts = el.getElementsByTagName('script')
-      let fatalHTML = ''
-      for (const script of scripts) {
-        if (script.textContent.indexOf('document.write') > -1) {
-          fatalHTML += `<div style="color:var(--b3-theme-error);font-size: 12px">${window.siyuan.languages.htmlBlockError}</div>
-<textarea style="width: 100%;box-sizing: border-box;height: 120px"><script>${script.textContent}</script></textarea>`
-        } else {
-          const s = document.createElement('script')
-          for (const attr of script.attributes) {
-            s.setAttribute(attr.name, attr.value);
-          }
-          s.textContent = script.textContent
-          this.display.appendChild(s)
-        }
-      }
-      if (fatalHTML) {
-        this.display.innerHTML += fatalHTML
-      }
+    constructor() {
+        super()
+        const shadowRoot = this.attachShadow({mode: 'open'})
+        this.display = this.shadowRoot
+        // https://github.com/siyuan-note/siyuan/issues/11321
+        this.setAttribute('data-content', Lute.EscapeHTMLStr(this.getAttribute('data-content')))
+        const dataContent = this.getAttribute('data-content')
+        this.display.innerHTML = dataContent
+    }
+
+    static get observedAttributes() {
+        return ['data-content']
+    }
+
+    attributeChangedCallback(name, oldValue, newValue) {
+        if (name === 'data-content') {
+            let dataContent = Lute.UnEscapeHTMLStr(this.getAttribute('data-content'))
+
+            if (!window.siyuan.config.editor.allowHTMLBLockScript) {
+                // Do not execute scripts in HTML blocks by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/11172
+                dataContent = DOMPurify.sanitize(dataContent);
+            }
+
+            this.display.innerHTML = dataContent
+
+            const el = document.createElement('div')
+            el.innerHTML = dataContent
+            const scripts = el.getElementsByTagName('script')
+            let fatalHTML = ''
+            for (const script of scripts) {
+                if (script.textContent.indexOf('document.write') > -1) {
+                    fatalHTML += `<div style="color:var(--b3-theme-error);font-size: 12px">${window.siyuan.languages.htmlBlockError}</div>
+<textarea style="width: 100%;box-sizing: border-box;height: 120px"><script>${script.textContent}</script></textarea>`
+                } else {
+                    const s = document.createElement('script')
+                    for (const attr of script.attributes) {
+                        s.setAttribute(attr.name, attr.value);
+                    }
+                    s.textContent = script.textContent
+                    this.display.appendChild(s)
+                }
+            }
+            if (fatalHTML) {
+                this.display.innerHTML += fatalHTML
+            }
+        }
    }
-  }
 }

 customElements.define('protyle-html', ProtyleHtml)