From 606be4304d75552a8c4d7d9e334e8e10d3dbae56 Mon Sep 17 00:00:00 2001
From: amedora <32722363+amedora@users.noreply.github.com>
Date: Sat, 27 Jul 2019 12:39:12 +0900
Subject: [PATCH] Fix 3007 (#3028)
* fix code fences never sanitized
* fix mermaid xss
* Revert "fix mermaid xss"
This reverts commit 1ff179a1bde88fd20f8956871d367c7d490ec160.
* configuable mermaid HTML label
* add locales for mermaid configuration
---
 browser/components/MarkdownEditor.js | 1 +
 browser/components/MarkdownPreview.js | 6 ++++--
 browser/components/MarkdownSplitEditor.js | 1 +
 browser/components/render/MermaidRender.js | 5 +++--
 browser/lib/markdown-it-sanitize-html.js | 2 +-
 browser/main/lib/ConfigManager.js | 2 ++
 browser/main/modals/PreferencesModal/UiTab.js | 11 +++++++++++
 locales/da.json | 1 +
 locales/de.json | 1 +
 locales/en.json | 1 +
 locales/es-ES.json | 1 +
 locales/fa.json | 1 +
 locales/fr.json | 1 +
 locales/hu.json | 1 +
 locales/it.json | 1 +
 locales/ja.json | 1 +
 locales/ko.json | 1 +
 locales/no.json | 1 +
 locales/pl.json | 1 +
 locales/pt-BR.json | 1 +
 locales/pt-PT.json | 1 +
 locales/ru.json | 1 +
 locales/sq.json | 1 +
 locales/th.json | 1 +
 locales/tr.json | 1 +
 locales/zh-CN.json | 1 +
 locales/zh-TW.json | 1 +
 27 files changed, 43 insertions(+), 5 deletions(-)
diff --git a/browser/components/MarkdownEditor.js b/browser/components/MarkdownEditor.js
index 7077c5dc..3dd57f70 100644
--- a/browser/components/MarkdownEditor.js
+++ b/browser/components/MarkdownEditor.js
@@ -341,6 +341,7 @@ class MarkdownEditor extends React.Component {
 smartArrows={config.preview.smartArrows}
 breaks={config.preview.breaks}
 sanitize={config.preview.sanitize}
+ mermaidHTMLLabel={config.preview.mermaidHTMLLabel}
 ref='preview'
 onContextMenu={(e) => this.handleContextMenu(e)}
 onDoubleClick={(e) => this.handleDoubleClick(e)}
diff --git a/browser/components/MarkdownPreview.js b/browser/components/MarkdownPreview.js
index ed13099f..0072e403 100755
--- a/browser/components/MarkdownPreview.js
+++ b/browser/components/MarkdownPreview.js
@@ -560,6 +560,7 @@ export default class MarkdownPreview extends React.Component {
 if (
 prevProps.smartQuotes !== this.props.smartQuotes ||
 prevProps.sanitize !== this.props.sanitize ||
+ prevProps.mermaidHTMLLabel !== this.props.mermaidHTMLLabel ||
 prevProps.smartArrows !== this.props.smartArrows ||
 prevProps.breaks !== this.props.breaks ||
 prevProps.lineThroughCheckbox !== this.props.lineThroughCheckbox
@@ -681,7 +682,8 @@ export default class MarkdownPreview extends React.Component {
 showCopyNotification,
 storagePath,
 noteKey,
- sanitize
+ sanitize,
+ mermaidHTMLLabel
 } = this.props
 let { value, codeBlockTheme } = this.props
@@ -823,7 +825,7 @@ export default class MarkdownPreview extends React.Component {
 _.forEach(
 this.refs.root.contentWindow.document.querySelectorAll('.mermaid'),
 el => {
- mermaidRender(el, htmlTextHelper.decodeEntities(el.innerHTML), theme)
+ mermaidRender(el, htmlTextHelper.decodeEntities(el.innerHTML), theme, mermaidHTMLLabel)
 }
 )
diff --git a/browser/components/MarkdownSplitEditor.js b/browser/components/MarkdownSplitEditor.js
index af8b0e11..b283228c 100644
--- a/browser/components/MarkdownSplitEditor.js
+++ b/browser/components/MarkdownSplitEditor.js
@@ -199,6 +199,7 @@ class MarkdownSplitEditor extends React.Component {
 smartArrows={config.preview.smartArrows}
 breaks={config.preview.breaks}
 sanitize={config.preview.sanitize}
+ mermaidHTMLLabel={config.preview.mermaidHTMLLabel}
 ref='preview'
 tabInde='0'
 value={value}
diff --git a/browser/components/render/MermaidRender.js b/browser/components/render/MermaidRender.js
index e28e06ea..d9ea549b 100644
--- a/browser/components/render/MermaidRender.js
+++ b/browser/components/render/MermaidRender.js
@@ -19,7 +19,7 @@ function getId () {
 return id
 }
-function render (element, content, theme) {
+function render (element, content, theme, enableHTMLLabel) {
 try {
 const height = element.attributes.getNamedItem('data-height')
 if (height && height.value !== 'undefined') {
@@ -29,7 +29,8 @@ function render (element, content, theme) {
 mermaidAPI.initialize({
 theme: isDarkTheme ? 'dark' : 'default',
 themeCSS: isDarkTheme ? darkThemeStyling : '',
- useMaxWidth: false
+ useMaxWidth: false,
+ flowchart: { htmlLabels: enableHTMLLabel }
 })
 mermaidAPI.render(getId(), content, (svgGraph) => {
 element.innerHTML = svgGraph
diff --git a/browser/lib/markdown-it-sanitize-html.js b/browser/lib/markdown-it-sanitize-html.js
index 8f6d86a8..3325604a 100644
--- a/browser/lib/markdown-it-sanitize-html.js
+++ b/browser/lib/markdown-it-sanitize-html.js
@@ -15,7 +15,7 @@ module.exports = function sanitizePlugin (md, options) {
 options
 )
 }
- if (state.tokens[tokenIdx].type === '_fence') {
+ if (state.tokens[tokenIdx].type.match(/.*_fence$/)) {
 // escapeHtmlCharacters has better performance
 state.tokens[tokenIdx].content = escapeHtmlCharacters(
 state.tokens[tokenIdx].content,
diff --git a/browser/main/lib/ConfigManager.js b/browser/main/lib/ConfigManager.js
index e13cdbc1..b3fb65d7 100644
--- a/browser/main/lib/ConfigManager.js
+++ b/browser/main/lib/ConfigManager.js
@@ -86,8 +86,10 @@ export const DEFAULT_CONFIG = {
 breaks: true,
 smartArrows: false,
 allowCustomCSS: false,
+ customCSS: '/* Drop Your Custom CSS Code Here */',
 sanitize: 'STRICT', // 'STRICT', 'ALLOW_STYLES', 'NONE'
+ mermaidHTMLLabel: false,
 lineThroughCheckbox: true
 },
 blog: {
diff --git a/browser/main/modals/PreferencesModal/UiTab.js b/browser/main/modals/PreferencesModal/UiTab.js
index cff063ff..fc09a37f 100644
--- a/browser/main/modals/PreferencesModal/UiTab.js
+++ b/browser/main/modals/PreferencesModal/UiTab.js
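Review bot: In the second hunk, `flowchart: { htmlLabels: enableHTMLLabel }` forwards the new fourth argument as-is, so any caller that does not pass it (the MarkdownPreview call site is the only one updated in this patch) hands `undefined` to mermaid, and whether `mermaidAPI.initialize` then treats the key as unset and falls back to its own default for `htmlLabels` depends on its config merging, which is not visible here. Given that the option is meant to be opt-in (ConfigManager defaults it to `false`), make the fail-closed default explicit at the point of use: `flowchart: { htmlLabels: enableHTMLLabel === true }`. The new parameter is also undocumented; a line such as `// enableHTMLLabel: opt-in, lets mermaid emit HTML node labels instead of plain text (config.preview.mermaidHTMLLabel)` above the signature would tell the next reader why it exists. The body of render continues outside the hunk.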
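Review bot: The new condition `state.tokens[tokenIdx].type.match(/.*_fence$/)` only matches types that end in `_fence` with at least the underscore before it, so markdown-it's own fenced-code token type, plain `fence`, is still excluded; if any fence tokens in this pipeline carry that type they remain unsanitized exactly as before the change, which the commit title says it is fixing. If every fence-like type is intended, `/fence$/.test(type)` (or `type.endsWith('fence')`) states that directly, and in either case the leading `.*` is redundant and `match` is a heavier way to get a boolean than `test`. A one-line comment naming the token types expected here, e.g. `// sanitize every fence-style token, not only the literal '_fence' type`, would make the contract checkable against the renderer that emits them. The enclosing loop over state.tokens starts before the hunk.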
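Review bot: `mermaidHTMLLabel: false` is added without the kind of comment the neighbouring `sanitize` entry carries, and nothing in this file records why it defaults to off; suggest `mermaidHTMLLabel: false, // opt-in: the UI warns that HTML labels in mermaid flowcharts carry an XSS risk`. The same hunk also introduces a `customCSS` default that the commit message does not mention, and since UiTab already reads `customCSS` from the form, existing stored configs may lack both keys unless defaults are merged on load, which this patch does not show. Naming the `customCSS` addition in the description would keep the commit's scope honest.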
@@ -125,6 +125,7 @@ class UiTab extends React.Component { breaks: this.refs.previewBreaks.checked, smartArrows: this.refs.previewSmartArrows.checked, sanitize: this.refs.previewSanitize.value, + mermaidHTMLLabel: this.refs.previewMermaidHTMLLabel.checked, allowCustomCSS: this.refs.previewAllowCustomCSS.checked, lineThroughCheckbox: this.refs.lineThroughCheckbox.checked, customCSS: this.customCSSCM.getCodeMirror().getValue() @@ -813,6 +814,16 @@ class UiTab extends React.Component { +
+ +
{i18n.__('LaTeX Inline Open Delimiter')}
diff --git a/locales/da.json b/locales/da.json
index 55962cdb..38a8fbeb 100644
--- a/locales/da.json
+++ b/locales/da.json
@@ -157,5 +157,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/de.json b/locales/de.json
index 22d0913a..cac158c5 100644
--- a/locales/de.json
+++ b/locales/de.json
@@ -213,5 +213,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/en.json b/locales/en.json
index 0a8b8780..a10f3be9 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -188,5 +188,6 @@
 "New notes are tagged with the filtering tags": "New notes are tagged with the filtering tags",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/es-ES.json b/locales/es-ES.json
index 9f1dc19a..56945819 100644
--- a/locales/es-ES.json
+++ b/locales/es-ES.json
@@ -159,5 +159,6 @@
 "Show menu bar": "Mostrar barra del menú",
 "Auto Detect": "Detección automática",
 "Snippet Default Language": "Lenguaje por defecto de los fragmentos de código",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/fa.json b/locales/fa.json
index 311fe18d..784c4864 100644
--- a/locales/fa.json
+++ b/locales/fa.json
@@ -161,5 +161,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/fr.json b/locales/fr.json
index 2e060ec5..698d4791 100644
--- a/locales/fr.json
+++ b/locales/fr.json
@@ -173,5 +173,6 @@
 "Snippet prefix": "Préfixe du snippet",
 "Delete Note": "Supprimer la note",
 "New notes are tagged with the filtering tags": "Les nouvelles notes sont taggées avec les tags de filtrage",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/hu.json b/locales/hu.json
index 0f6e3832..97b92212 100644
--- a/locales/hu.json
+++ b/locales/hu.json
@@ -181,5 +181,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/it.json b/locales/it.json
index 43bc15fa..26eafff1 100644
--- a/locales/it.json
+++ b/locales/it.json
@@ -161,5 +161,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/ja.json b/locales/ja.json
index b5722795..390386d4 100644
--- a/locales/ja.json
+++ b/locales/ja.json
@@ -220,5 +220,6 @@
 "Spellcheck disabled": "スペルチェック無効",
 "Show menu bar": "メニューバーを表示",
 "Auto Detect": "自動検出",
+ "Enable HTML label in mermaid flowcharts": "mermaid flowchartでHTMLラベルを有効にする ⚠ このオプションには潜在的なXSSの危険性があります。",
 "Wrap line in Snippet Note": "行を右端で折り返す(Snippet Note)"
 }
diff --git a/locales/ko.json b/locales/ko.json
index d762ee15..b6bd75be 100644
--- a/locales/ko.json
+++ b/locales/ko.json
@@ -164,5 +164,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/no.json b/locales/no.json
index 42d17dc3..fa018e86 100644
--- a/locales/no.json
+++ b/locales/no.json
@@ -157,5 +157,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/pl.json b/locales/pl.json
index 34f053cc..c289ef23 100644
--- a/locales/pl.json
+++ b/locales/pl.json
@@ -166,5 +166,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/pt-BR.json b/locales/pt-BR.json
index 028f9b93..0005a44e 100644
--- a/locales/pt-BR.json
+++ b/locales/pt-BR.json
@@ -157,5 +157,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/pt-PT.json b/locales/pt-PT.json
index 739a2181..677cce4d 100644
--- a/locales/pt-PT.json
+++ b/locales/pt-PT.json
@@ -156,5 +156,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/ru.json b/locales/ru.json
index c71f1556..990374ef 100644
--- a/locales/ru.json
+++ b/locales/ru.json
@@ -154,5 +154,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/sq.json b/locales/sq.json
index d6104c9b..dec7402f 100644
--- a/locales/sq.json
+++ b/locales/sq.json
@@ -156,5 +156,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/th.json b/locales/th.json
index 4637f735..1f06ceb6 100644
--- a/locales/th.json
+++ b/locales/th.json
@@ -183,5 +183,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/tr.json b/locales/tr.json
index 45cc0cbb..78038402 100644
--- a/locales/tr.json
+++ b/locales/tr.json
@@ -156,5 +156,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/zh-CN.json b/locales/zh-CN.json
index 8b249245..581e38d6 100644
--- a/locales/zh-CN.json
+++ b/locales/zh-CN.json
@@ -221,5 +221,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }
diff --git a/locales/zh-TW.json b/locales/zh-TW.json
index bdea0f16..33b71699 100644
--- a/locales/zh-TW.json
+++ b/locales/zh-TW.json
@@ -165,5 +165,6 @@
 "Spellcheck disabled": "Spellcheck disabled",
 "Show menu bar": "Show menu bar",
 "Auto Detect": "Auto Detect",
+ "Enable HTML label in mermaid flowcharts": "Enable HTML label in mermaid flowcharts ⚠ This option potentially has a risk of XSS.",
 "Wrap line in Snippet Note": "Wrap line in Snippet Note"
 }