html sanitize imported notes, #1137

2025-11-18 03:00:41 +01:00 · 2020-06-30 23:37:06 +02:00
parent 51f094f87f
commit 5e18e7dc67
12 changed files with 512 additions and 4056 deletions
--- a/src/services/import/enex.js
+++ b/src/services/import/enex.js
@@ -7,6 +7,7 @@ const sql = require("../sql");
 const noteService = require("../notes");
 const imageService = require("../image");
 const protectedSessionService = require('../protected_session');
+const htmlSanitizer = require("../html_sanitizer");

 // date format is e.g. 20181121T193703Z
 function parseDate(text) {
@@ -71,6 +72,8 @@ function importEnex(taskContext, file, parentNote) {
        content = content.replace(/<\/ol>\s+<\/ol>/g, "</ol></li></ol>");
        content = content.replace(/<\/ol>\s+<li>/g, "</ol></li><li>");

+        content = htmlSanitizer.sanitize(content);
+
        return content;
    }

@@ -295,6 +298,8 @@ function importEnex(taskContext, file, parentNote) {
            }
        }

+        content = htmlSanitizer.sanitize(content);
+
        // save updated content with links to files/images
        noteEntity.setContent(content);

--- a/src/services/import/opml.js
+++ b/src/services/import/opml.js
@@ -3,6 +3,7 @@
 const noteService = require('../../services/notes');
 const parseString = require('xml2js').parseString;
 const protectedSessionService = require('../protected_session');
+const htmlSanitizer = require('../html_sanitizer');

 /**
 * @param {TaskContext} taskContext
@@ -44,6 +45,8 @@ function importOpml(taskContext, fileBuffer, parentNote) {
            throw new Error("Unrecognized OPML version " + opmlVersion);
        }

+        content = htmlSanitizer.sanitize(content);
+
        const {note} = noteService.createNewNote({
            parentNoteId,
            title,
--- a/src/services/import/single.js
+++ b/src/services/import/single.js
@@ -6,6 +6,7 @@ const protectedSessionService = require('../protected_session');
 const commonmark = require('commonmark');
 const mimeService = require('./mime');
 const utils = require('../../services/utils');
+const htmlSanitizer = require('../html_sanitizer');

 function importSingleFile(taskContext, file, parentNote) {
    const mime = mimeService.getMime(file.originalname) || file.mimetype;
@@ -122,7 +123,9 @@ function importMarkdown(taskContext, file, parentNote) {
    const writer = new commonmark.HtmlRenderer();

    const parsed = reader.parse(markdownContent);
-    const htmlContent = writer.render(parsed);
+    let htmlContent = writer.render(parsed);
+
+    htmlContent = htmlSanitizer.sanitize(htmlContent);

    const title = utils.getNoteTitle(file.originalname, taskContext.data.replaceUnderscoresWithSpaces);

@@ -142,7 +145,9 @@ function importMarkdown(taskContext, file, parentNote) {

 function importHtml(taskContext, file, parentNote) {
    const title = utils.getNoteTitle(file.originalname, taskContext.data.replaceUnderscoresWithSpaces);
-    const content = file.buffer.toString("UTF-8");
+    let content = file.buffer.toString("UTF-8");
+
+    content = htmlSanitizer.sanitize(content);

    const {note} = noteService.createNewNote({
        parentNoteId: parentNote.noteId,
--- a/src/services/import/tar.js
+++ b/src/services/import/tar.js
@@ -16,6 +16,7 @@ const protectedSessionService = require('../protected_session');
 const mimeService = require("./mime");
 const sql = require("../sql");
 const treeService = require("../tree");
+const htmlSanitizer = require("../html_sanitizer");

 /**
 * @param {TaskContext} taskContext
@@ -255,6 +256,8 @@ async function importTar(taskContext, fileBuffer, importRootNote) {
                return /^(?:[a-z]+:)?\/\//i.test(url);
            }

+            content = htmlSanitizer.sanitize(content);
+
            content = content.replace(/<html.*<body[^>]*>/gis, "");
            content = content.replace(/<\/body>.*<\/html>/gis, "");

--- a/src/services/import/zip.js
+++ b/src/services/import/zip.js
@@ -14,6 +14,7 @@ const protectedSessionService = require('../protected_session');
 const mimeService = require("./mime");
 const treeService = require("../tree");
 const yauzl = require("yauzl");
+const htmlSanitizer = require('../html_sanitizer');

 /**
 * @param {TaskContext} taskContext
@@ -269,6 +270,17 @@ async function importZip(taskContext, fileBuffer, importRootNote) {
                return /^(?:[a-z]+:)?\/\//i.test(url);
            }

+            content = content.replace(/<h1>([^<]*)<\/h1>/gi, (match, text) => {
+                if (noteTitle.trim() === text.trim()) {
+                    return ""; // remove whole H1 tag
+                }
+                else {
+                    return match;
+                }
+            });
+
+            content = htmlSanitizer.sanitize(content);
+
            content = content.replace(/<html.*<body[^>]*>/gis, "");
            content = content.replace(/<\/body>.*<\/html>/gis, "");

@@ -296,15 +308,6 @@ async function importZip(taskContext, fileBuffer, importRootNote) {
                return `href="#root/${targetNoteId}"`;
            });

-            content = content.replace(/<h1>([^<]*)<\/h1>/gi, (match, text) => {
-                if (noteTitle.trim() === text.trim()) {
-                    return ""; // remove whole H1 tag
-                }
-                else {
-                    return match;
-                }
-            });
-
            if (noteMeta) {
                const includeNoteLinks = (noteMeta.attributes || [])
                    .filter(attr => attr.type === 'relation' && attr.name === 'includeNoteLink');