Desktop: Rich Text Editor: Disallow inline event handlers #12106
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/TinyMCE.tsx
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Note: Plugin asset files were regenerated due to changes to mermaid_render.js.
Comment on lines
-101
to
-102
| // Clicking on export button manually triggers a right click context menu event | ||
| const onClickHandler = ` |
There was a problem hiding this comment.
This onClick handler was converted from an inline event handler to an event handler added by a script.
Comment on lines
+402
to
+403
| const allRules = { ...rules, ...this.extraRendererRules_ }; | ||
| for (const key in allRules) { |
There was a problem hiding this comment.
This change (along with a few other modifications) add support for loading plugin-specified assets in the Rich Text Editor. This allows migrating inline event handlers to JavaScript files that aren't blocked by the content security policy. Plugin-specified assets were previously only supported in the Markdown viewer.
and media-src separately [This paper](https://dl.acm.org/doi/pdf/10.1145/2976749.2978363) suggests setting object-src to 'none'.
|
|
||
| // Disallow certain unused features | ||
| 'child-src \'none\'', // Should not contain sub-frames | ||
| 'object-src \'none\'', // Objects can be used for script injection |
There was a problem hiding this comment.
Based on suggestions in https://dl.acm.org/doi/pdf/10.1145/2976749.2978363
packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/TinyMCE.tsx
Outdated
Show resolved
Hide resolved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This pull request enables the TinyMCE content_security_policy option, selecting a policy that:
onclick="...",onmouseenter="...").Goal: Make the Rich Text Editor more secure.
Important
This pull request may break certain plugins in the Rich Text Editor. For example, versions of the Freehand Drawing plugin before v3.0.0 don't support the Rich Text Editor with this change.
To allow plugins to continue to run scripts in the Rich Text Editor, this pull request also adds support for loading plugin assets registered by Joplin plugins in the Rich Text Editor (similar to the existing logic for the Markdown viewer). Previously, assets (e.g. CSS) specified by plugins were not loaded in the Rich Text Editor.
What does this break?
Certain plugins rely on inline event handlers in the Rich Text Editor. These include
Testing
I have verified that: