Remove image HTML elements from non whitelisted sources in Obsidian chat

Given img src enforcement via CSP required loosening. Soft enforce it via a regex replace of img HTML elements if the src isn't from the whitelisted set of source prefixes. Currently allowed source prefixes are - app: for local images - data: for inline generated images - https://generated.khoj.dev: for cloud generated images
khoj-ai · Jun 18, 2024 · 86a3505 · 86a3505
1 parent c7d825b
commit 86a3505
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/interface/obsidian/src/chat_view.ts b/src/interface/obsidian/src/chat_view.ts
@@ -322,6 +322,12 @@ export class KhojChatView extends KhojPaneView {
         // @ts-ignore
         MarkdownRenderer.renderMarkdown(markdownText, virtualChatMessageBodyTextEl, '', null);
 
+        // Remove image HTML elements with any non whitelisted src prefix
+        virtualChatMessageBodyTextEl.innerHTML = virtualChatMessageBodyTextEl.innerHTML.replace(
+            /<img(?:(?!src=["'](app:|data:|https:\/\/generated\.khoj\.dev)).)*?>/gis,
+            ''
+        );
+
         // Sanitize the markdown text rendered as HTML
         return DOMPurify.sanitize(virtualChatMessageBodyTextEl.innerHTML);
     }