|
|
@@ -3,51 +3,53 @@
|
|
|
//# sourceMappingURL=purify.min.js.map
|
|
|
|
|
|
class ProtyleHtml extends HTMLElement {
|
|
|
- constructor () {
|
|
|
- super()
|
|
|
- const shadowRoot = this.attachShadow({mode: 'open'})
|
|
|
- this.display = this.shadowRoot
|
|
|
- const dataContent = this.getAttribute('data-content')
|
|
|
- this.display.innerHTML = dataContent
|
|
|
- }
|
|
|
+ constructor() {
|
|
|
+ super()
|
|
|
+ const shadowRoot = this.attachShadow({mode: 'open'})
|
|
|
+ this.display = this.shadowRoot
|
|
|
+ // https://github.com/siyuan-note/siyuan/issues/11321
|
|
|
+ this.setAttribute('data-content', Lute.EscapeHTMLStr(this.getAttribute('data-content')))
|
|
|
+ const dataContent = this.getAttribute('data-content')
|
|
|
+ this.display.innerHTML = dataContent
|
|
|
+ }
|
|
|
|
|
|
- static get observedAttributes () {
|
|
|
- return ['data-content']
|
|
|
- }
|
|
|
+ static get observedAttributes() {
|
|
|
+ return ['data-content']
|
|
|
+ }
|
|
|
|
|
|
- attributeChangedCallback (name, oldValue, newValue) {
|
|
|
- if (name === 'data-content') {
|
|
|
- let dataContent = Lute.UnEscapeHTMLStr(this.getAttribute('data-content'))
|
|
|
+ attributeChangedCallback(name, oldValue, newValue) {
|
|
|
+ if (name === 'data-content') {
|
|
|
+ let dataContent = Lute.UnEscapeHTMLStr(this.getAttribute('data-content'))
|
|
|
|
|
|
- if (!window.siyuan.config.editor.allowHTMLBLockScript) {
|
|
|
- // Do not execute scripts in HTML blocks by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/11172
|
|
|
- dataContent = DOMPurify.sanitize(dataContent);
|
|
|
- }
|
|
|
+ if (!window.siyuan.config.editor.allowHTMLBLockScript) {
|
|
|
+ // Do not execute scripts in HTML blocks by default to prevent XSS https://github.com/siyuan-note/siyuan/issues/11172
|
|
|
+ dataContent = DOMPurify.sanitize(dataContent);
|
|
|
+ }
|
|
|
|
|
|
- this.display.innerHTML = dataContent
|
|
|
+ this.display.innerHTML = dataContent
|
|
|
|
|
|
- const el = document.createElement('div')
|
|
|
- el.innerHTML = dataContent
|
|
|
- const scripts = el.getElementsByTagName('script')
|
|
|
- let fatalHTML = ''
|
|
|
- for (const script of scripts) {
|
|
|
- if (script.textContent.indexOf('document.write') > -1) {
|
|
|
- fatalHTML += `<div style="color:var(--b3-theme-error);font-size: 12px">${window.siyuan.languages.htmlBlockError}</div>
|
|
|
+ const el = document.createElement('div')
|
|
|
+ el.innerHTML = dataContent
|
|
|
+ const scripts = el.getElementsByTagName('script')
|
|
|
+ let fatalHTML = ''
|
|
|
+ for (const script of scripts) {
|
|
|
+ if (script.textContent.indexOf('document.write') > -1) {
|
|
|
+ fatalHTML += `<div style="color:var(--b3-theme-error);font-size: 12px">${window.siyuan.languages.htmlBlockError}</div>
|
|
|
<textarea style="width: 100%;box-sizing: border-box;height: 120px"><script>${script.textContent}</script></textarea>`
|
|
|
- } else {
|
|
|
- const s = document.createElement('script')
|
|
|
- for (const attr of script.attributes) {
|
|
|
- s.setAttribute(attr.name, attr.value);
|
|
|
- }
|
|
|
- s.textContent = script.textContent
|
|
|
- this.display.appendChild(s)
|
|
|
+ } else {
|
|
|
+ const s = document.createElement('script')
|
|
|
+ for (const attr of script.attributes) {
|
|
|
+ s.setAttribute(attr.name, attr.value);
|
|
|
+ }
|
|
|
+ s.textContent = script.textContent
|
|
|
+ this.display.appendChild(s)
|
|
|
+ }
|
|
|
+ }
|
|
|
+ if (fatalHTML) {
|
|
|
+ this.display.innerHTML += fatalHTML
|
|
|
+ }
|
|
|
}
|
|
|
- }
|
|
|
- if (fatalHTML) {
|
|
|
- this.display.innerHTML += fatalHTML
|
|
|
- }
|
|
|
}
|
|
|
- }
|
|
|
}
|
|
|
|
|
|
customElements.define('protyle-html', ProtyleHtml)
|
Vanessa