Commit Graph

3209 Commits

Author SHA1 Message Date
Abdullah Atta
7cdb13def6 Merge pull request #7588 from streetwriters/fix/tighten-iframe-security
This fixes a potential security vulnerability where pasting unknown content into the editor could create an RCE risk.

This PR fixes two issues:

1. Potential RCE when pasting/inserting an `iframe` containing a `javascript` link.
2. Potential RCE when pasting/inserting an `svg` containing JavaScript (why do SVGs allow JS in the first place?).

Mitigations include disallowing all execution of JS inside an SVG by rendering it in a sandboxed `iframe`. While we cannot disallow JS execution in embeds (that would break all embeds like YouTube videos), we have disallowed all `iframe`s access to the parent window, again by using a sandboxed `iframe`, and by disallowing embedding of `javascript:` links.

To be clear, both of these issues can only be triggered when pasting/importing untrusted content (which you shouldn't be doing anyway).

**These cannot be used to steal or access your notes or any other data. They could be used to access what's shown in the window or do automated clicks etc., but since everything is stored and accessed from an encrypted SQLite database, your data would be 100% safe and isolated from such an attack.**
2025-02-14 09:50:43 +05:00
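The two mitigations the merge commit above describes, rejecting `javascript:` URLs before they become an `iframe` `src` and rendering untrusted SVG inside a sandboxed `iframe`, as an added JavaScript example. This is illustrative code written for this page, not Notesnook's editor code. The function names, the protocol allow-list (which, going beyond the `javascript:` case the commit names, also excludes `data:`, `blob:`, `vbscript:` and `file:` by not listing them) and the `allow-scripts allow-popups` token set for embeds are assumptions; the pasted SVG and URLs at the bottom are constructed samples.

```javascript
// Added example, not Notesnook's code: mitigations of the kind described in
// the merge commit above. Function names and sandbox token sets are assumptions.

// Protocols an embed <iframe src> may use. Everything else (javascript:,
// data:, blob:, vbscript:, file:) is rejected by not being listed, which is
// safer than trying to enumerate the dangerous schemes.
const ALLOWED_EMBED_PROTOCOLS = new Set(["http:", "https:"]);

// Sandbox tokens (assumed). An empty token list is the strictest sandbox:
// no scripts, opaque origin, no navigation, no forms.
const SVG_SANDBOX = [];
// Embeds need scripts (a video player is JS), but without allow-same-origin
// the frame gets an opaque origin and cannot touch the parent document,
// its storage or its cookies.
const EMBED_SANDBOX = ["allow-scripts", "allow-popups"];

// True only when `raw` parses as an absolute URL whose scheme is allowed.
// Parsing rather than prefix-matching matters: the URL parser lowercases the
// scheme and strips tabs, newlines and leading whitespace, so
// "  JaVaScRiPt:" and "java\nscript:" both come out as "javascript:".
function isSafeEmbedSrc(raw) {
  if (typeof raw !== "string") return false;
  let url;
  try {
    url = new URL(raw); // throws for relative or malformed input
  } catch {
    return false;
  }
  return ALLOWED_EMBED_PROTOCOLS.has(url.protocol);
}

// Refuse sandbox combinations that defeat the sandbox. With both
// allow-scripts and allow-same-origin, a same-origin frame can reach
// parent.document and delete its own sandbox attribute; allow-top-navigation
// lets a third-party frame navigate the whole app window.
function sandboxAttribute(tokens) {
  const set = new Set(tokens);
  if (set.has("allow-scripts") && set.has("allow-same-origin")) {
    throw new Error("allow-scripts with allow-same-origin defeats the sandbox");
  }
  if (set.has("allow-top-navigation")) {
    throw new Error("allow-top-navigation lets the frame redirect the app");
  }
  return [...set].join(" ");
}

// Minimal attribute escaping so untrusted markup cannot break out of the
// srcdoc="" or src="" attribute it is placed in.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Untrusted SVG goes into a fully sandboxed frame via srcdoc. Inline handlers
// (onload=...) and <script> elements are parsed but never run, because the
// sandbox lacks allow-scripts.
function renderSvgFrame(svgMarkup) {
  const sandbox = sandboxAttribute(SVG_SANDBOX);
  return `<iframe sandbox="${sandbox}" srcdoc="${escapeAttr(svgMarkup)}"></iframe>`;
}

// Third-party embeds keep scripts but lose access to the parent window.
// Returns null for a src that fails the protocol check instead of emitting a
// frame with a javascript: URL.
function renderEmbedFrame(src) {
  if (!isSafeEmbedSrc(src)) return null;
  const sandbox = sandboxAttribute(EMBED_SANDBOX);
  return `<iframe sandbox="${sandbox}" src="${escapeAttr(src)}"></iframe>`;
}

// Constructed samples of the kind of pasted content the commit describes.
const PASTED_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"><script>alert(1)</script></svg>';
const PASTED_IFRAME_SRC = " JaVaScRiPt:alert(document.title)";
const LEGIT_EMBED_SRC = "https://www.youtube.com/embed/abc123";
```

Two practitioner notes. First, `sandboxAttribute` exists because the sandbox is only as strong as its token set: `allow-scripts` together with `allow-same-origin` is the classic self-defeating combination, and a review of any `iframe` hardening change should look for it. Second, if an SVG only ever needs to be displayed, loading it through an `<img>` element is an alternative that never executes scripts at all; the sandboxed `iframe` is the option that still allows the SVG to be styled or interacted with as a document.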
Abdullah Atta
2ab58f9203 editor: use sandboxed iframe to render SVGs 2025-02-14 09:31:06 +05:00
Abdullah Atta
df74448e17 editor: disallow embedding javascript code in iframes 2025-02-13 20:27:21 +05:00
Yash Kumar
1d3650659f editor: select language by pressing enter (#7484)
Signed-off-by: Yash Kumar <kyash03@student.ubc.ca>
2025-02-13 10:12:37 +05:00
Ammar Ahmed
d9c592c7fb common: always remove the last session from history (#7555) 2025-02-11 13:31:39 +05:00
Ammar Ahmed
b7334c09d4 Merge branch 'master' into fix-tabs-mobile
Signed-off-by: Ammar Ahmed <40239442+ammarahm-ed@users.noreply.github.com>
2025-02-11 13:11:55 +05:00
Ammar Ahmed
840c7fda5e mobile: fix loading placeholder 2025-02-11 12:17:45 +05:00
Ammar Ahmed
4ce24ac8fd mobile: do not show sheet in uncaught errors in editor 2025-02-11 12:17:11 +05:00
luis-411
43356e5b6a core: escape special characters in SQL search query (#7418)
Signed-off-by: Luis Kriner <luis@kriner.info>
2025-02-11 11:00:51 +05:00
Ammar Ahmed
5dd298ee86 mobile: fix unlocking note with biometrics 2025-02-04 17:36:32 +05:00
Ammar Ahmed
3bd7da68be mobile: fix crash on app launch with new tabs 2025-02-04 12:32:30 +05:00
luis-411
66d75492bb editor: fix task list stats 0/0 on app reload (#7327)
Signed-off-by: Luis Kriner <luis@kriner.info>
2025-02-04 10:04:16 +05:00
Ammar Ahmed
7df1037e3f mobile: fix realtime sync editor updates in tabs 2025-02-03 15:38:32 +05:00
01zulfi
eb5ae0773b editor: fix hover styling in toolbar color buttons
Signed-off-by: 01zulfi <85733202+01zulfi@users.noreply.github.com>
2025-02-03 12:36:06 +05:00
Abdullah Atta
3f1761a540 core: fix empty note cannot be exported 2025-02-03 12:17:57 +05:00
Abdullah Atta
a25d21038a core: fix Object is not iterable error on some platforms
This happened due to [Symbol.asyncIterable] not getting
transformed when it was a method of a class. Moving it inside
another method fixes the issue.
2025-02-03 12:17:57 +05:00
Abdullah Atta
0cc9c31bc3 editor: fix Failed to execute 'collapse' on 'Selection' 2025-02-01 15:14:34 +05:00
Ammar Ahmed
821b8eebaa mobile: fix tab issues 2025-02-01 13:47:27 +05:00
Ammar Ahmed
3b86e51c49 mobile: fix commands 2025-01-31 15:17:45 +05:00
Ammar Ahmed
329c2e220f mobile: fix tabs 2025-01-31 15:15:48 +05:00
Abdullah Atta
140e343289 common: allow using custom session id in tab session history 2025-01-31 15:15:48 +05:00
Ammar Ahmed
46583e12d9 mobile: update tabs 2025-01-31 15:15:48 +05:00
Abdullah Atta
1e6e940f17 common: string tab ids, get rid of currentTab taking tab id as a parameter 2025-01-31 15:15:48 +05:00
Ammar Ahmed
9ab670d933 mobile: fix deps 2025-01-31 15:15:48 +05:00
Ammar Ahmed
83557401f5 mobile: update tabs 2025-01-31 15:15:48 +05:00
Ammar Ahmed
5eb09a1d3e mobile: cleanup 2025-01-31 15:15:48 +05:00
Ammar Ahmed
d957be7a7b mobile: fix editor header ui 2025-01-31 15:15:48 +05:00
Ammar Ahmed
44ddb49d0e editor: fix imports 2025-01-31 15:15:48 +05:00
Ammar Ahmed
24fcd5cd0c common: fix missing exports 2025-01-31 15:15:48 +05:00
Ammar Ahmed
2a34225d49 global: update deps 2025-01-31 15:15:48 +05:00
Ammar Ahmed
e81c825fc7 mobile: multi-tab support 2025-01-31 15:15:48 +05:00
Ammar Ahmed
c80286b587 mobile: tab history 2025-01-31 15:15:48 +05:00
luis-411
e85f8b60b0 editor: add field labels to add a link popup (#7097)
Signed-off-by: Luis Kriner <luis@kriner.info>
2025-01-31 10:11:59 +05:00
01zulfi
073bb576b5 editor: fix search not resetting when closed (#7415)
Signed-off-by: 01zulfi <85733202+01zulfi@users.noreply.github.com>
2025-01-29 11:23:26 +05:00
Abdullah Atta
eaeac130df Revert "intl: update lockfile"
This reverts commit 95a20b3740.
2025-01-29 10:22:18 +05:00
Abdullah Atta
4f9fe9b1e0 Revert "intl: update lockfile"
This reverts commit f657380ec7.
2025-01-28 14:49:12 +05:00
Abdullah Atta
f657380ec7 intl: update lockfile 2025-01-28 14:20:41 +05:00
Abdullah Atta
12b51ed72a intl: update lockfiles 2025-01-28 13:04:19 +05:00
Abdullah Atta
95a20b3740 intl: update lockfile 2025-01-28 11:25:38 +05:00
Abdullah Atta
6f5a7a4923 global: use same version for @lingui deps everywhere 2025-01-28 10:45:04 +05:00
Ammar Ahmed
1b4d98ac0e mobile: fix strings not rendering correctly in editor 2025-01-22 15:23:56 +05:00
Ammar Ahmed
ef2ed2bba0 mobile: show toast when changing some settings 2025-01-22 14:03:52 +05:00
Ammar Ahmed
abf4612977 core: fix esm imports 2025-01-21 14:32:48 +05:00
01zulfi
e1006ed501 core: add nowz and timestampz formats (#7270)
Signed-off-by: 01zulfi <85733202+01zulfi@users.noreply.github.com>
2025-01-21 13:17:08 +05:00
Ammar Ahmed
7d034f7f16 mobile: fix build errors 2025-01-21 13:01:40 +05:00
Ammar Ahmed
698866f53d mobile: release v3.0.27 2025-01-21 12:31:37 +05:00
Abdullah Atta
2be35fadff editor: fix tests 2025-01-21 10:14:42 +05:00
Abdullah Atta
5fe366f4f3 global: use same versions for dependencies everywhere (#7365)
* global: use same versions for dependencies everywhere

* intl: fix `Cannot find module '@lingui/macro'`

* web: fix `I18n' is not assignable to parameter` type error

* setup: log post install cmd

* setup: more logging

* web: update lockfile
2025-01-21 09:35:38 +05:00
Ammar Ahmed
a13cbadd44 feat: new widgets on android (#7311)
- Added a new widget on android that allows you to put a note on your home screen.
- Added a new widget on android that allows you to see upcoming reminders on home screen
- Fixed new note widget freezing
2025-01-20 17:17:01 +05:00
luis-411
3add56cfe4 global: fix search strings (#7302)
Signed-off-by: Luis Kriner <luis@kriner.info>
2025-01-20 11:47:48 +05:00