~ mitigate some potential XSS attacks (references #70)

manifest.json

@@ -1,7 +1,7 @@
 {
 	"id": "rss-reader",
 	"name": "RSS Reader",
-	"version": "1.0.2",
+	"version": "1.0.3",
 	"minAppVersion": "0.12.17",
 	"description": "Read RSS Feeds from within obsidian",
 	"author": "Johannes Theiner",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "rss-reader",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "Read RSS Feeds from inside obsidian",
   "main": "main.js",
   "scripts": {

src/functions.ts

@@ -15,7 +15,7 @@ export async function createNewNote(plugin: RssReaderPlugin, item: RssFeedItem)
         dir = plugin.settings.saveLocationFolder;
     }
 
-    let filename = applyTemplate(item, plugin.settings.defaultFilename, plugin.settings);
+    let filename = applyTemplate(plugin, item, plugin.settings.defaultFilename);
     //make sure there are no slashes in the title.
     filename = filename.replace(/[\/\\:]/g, ' ');
 
@@ -52,7 +52,7 @@ async function createNewFile(plugin: RssReaderPlugin, item: RssFeedItem, path: s
         return;
     }
 
-    const appliedTemplate = applyTemplate(item, plugin.settings.template, plugin.settings, title);
+    const appliedTemplate = applyTemplate(plugin, item, plugin.settings.template, title);
 
     const file = await plugin.app.vault.create(path, appliedTemplate);
 
@@ -78,7 +78,7 @@ export async function pasteToNote(plugin: RssReaderPlugin, item: RssFeedItem) :
 
     const view = plugin.app.workspace.getActiveViewOfType(MarkdownView);
     if (view) {
-        const appliedTemplate = applyTemplate(item, plugin.settings.pasteTemplate, plugin.settings);
+        const appliedTemplate = applyTemplate(plugin, item, plugin.settings.pasteTemplate);
 
         const editor = view.editor;
         editor.replaceRange(appliedTemplate, editor.getCursor());
@@ -93,13 +93,13 @@ export async function pasteToNote(plugin: RssReaderPlugin, item: RssFeedItem) :
     }
 }
 
-function applyTemplate(item: RssFeedItem, template: string, settings: RssReaderSettings, filename?: string) : string {
+function applyTemplate(plugin: RssReaderPlugin, item: RssFeedItem, template: string, filename?: string) : string {
     let result = template.replace(/{{title}}/g, item.title);
     result = result.replace(/{{link}}/g, item.link);
     result = result.replace(/{{author}}/g, item.creator);
-    result = result.replace(/{{published}}/g, moment(item.pubDate).format(settings.dateFormat));
-    result = result.replace(/{{created}}/g, moment().format(settings.dateFormat));
-    result = result.replace(/{{date}}/g, moment().format(settings.dateFormat));
+    result = result.replace(/{{published}}/g, moment(item.pubDate).format(plugin.settings.dateFormat));
+    result = result.replace(/{{created}}/g, moment().format(plugin.settings.dateFormat));
+    result = result.replace(/{{date}}/g, moment().format(plugin.settings.dateFormat));
     result = result.replace(/{{feed}}/g, item.feed);
     result = result.replace(/{{folder}}/g, item.folder);
     result = result.replace(/{{description}}/g, item.description);
@@ -136,23 +136,23 @@ function applyTemplate(item: RssFeedItem, template: string, settings: RssReaderS
 
     result = result.replace(/{{highlights}}/g, item.highlights.map(value => {
         //remove all - from the start of a highlight
-        return "- " + htmlToMarkdown(removeFormatting(value).replace(/^(-+)/, ""))
+        return "- " + rssToMd(plugin, removeFormatting(value).replace(/^(-+)/, ""))
     }).join("\n"));
 
     result = result.replace(/({{highlights:)[\s\S][^}]*(}})/g, function (k) {
         const value = k.split(/(:[\s\S]?)/);
         const tmp = value.slice(1).join("");
         const template = tmp.substring(1, tmp.indexOf("}"));
         return item.highlights.map(i => {
-            return template.replace(/%%highlight%%/g, htmlToMarkdown(removeFormatting(i)).replace(/^(-+)/, ""));
+            return template.replace(/%%highlight%%/g, rssToMd(plugin, removeFormatting(i)).replace(/^(-+)/, ""));
         }).join("");
     });
 
     if(filename) {
         result = result.replace(/{{filename}}/g, filename);
     }
 
-    let content = htmlToMarkdown(item.content);
+    let content = rssToMd(plugin, item.content);
 
 
     item.highlights.forEach(highlight => {
@@ -201,3 +201,19 @@ export function openInBrowser(item: RssFeedItem) : void {
         window.open(item.link, '_blank');
     }
 }
+
+export function rssToMd(plugin: RssReaderPlugin, content: string) {
+    let markdown = htmlToMarkdown(content);
+
+    //wrap dataview codeblocks to mitigate possible XSS
+    markdown = markdown.replace(/^```(?:dataview|dataviewjs)\n([\s\S]*?)```$/gm, "<pre>$&</pre>");
+
+    //wrap dataview inline code(only the default settings)
+    markdown = markdown.replace(/`=.*`/g, "<pre>$&</pre>")
+    markdown = markdown.replace(/`\$=.*`/g, "<pre>$&</pre>")
+
+    //wrap templater commands
+    markdown = markdown.replace(/<%([\s\S]*?)%>/g, "```javascript\n$&\n```");
+
+    return markdown;
+}

src/modals/ItemModal.ts

@@ -10,6 +10,7 @@ import RssReaderPlugin from "../main";
 import Action from "../actions/Action";
 import t from "../l10n/locale";
 import {copy} from "obsidian-community-lib";
+import {rssToMd} from "../functions";
 
 export class ItemModal extends Modal {
 
@@ -274,7 +275,10 @@ export class ItemModal extends Modal {
         }
 
         if (this.item.content) {
-            await MarkdownRenderer.renderMarkdown(htmlToMarkdown(this.item.content), content, "", this.plugin);
+            //prepend empty yaml to fix rendering errors
+            const markdown = "---\n----" + rssToMd(this.plugin, this.item.content);
+
+            await MarkdownRenderer.renderMarkdown(markdown, content, "", this.plugin);
 
             this.item.highlights.forEach(highlight => {
                 if (content.innerHTML.includes(highlight)) {

versions.json

@@ -21,5 +21,6 @@
 	"0.9.3": "0.12.17",
 	"1.0.0": "0.12.17",
 	"1.0.1": "0.12.17",
-	"1.0.2": "0.12.17"
+	"1.0.2": "0.12.17",
+	"1.0.3": "0.12.17"
 }