Security fixes and Plugin Guidelines compliance - v1.3.1

inattendu · inattendu · commit 7ebc07ff8d52 · 2025-10-27T13:53:10.000+01:00
CRITICAL FIXES: - Add escapeHtml() to prevent XSS attacks from user content - Escape all user input in innerHTML (file names, note content) - Remove detachLeavesOfType() from onunload() per Obsidian guidelines CHANGES: - Version bump to 1.3.1 - Security hardening for user-generated content display - Improved resource management during plugin unload Complies with Obsidian Plugin Guidelines: https://docs.obsidian.md/Plugins/Releasing/Plugin+guidelines
diff --git a/main.js b/main.js
@@ -847,15 +847,19 @@ var DashReaderView = class extends import_obsidian.ItemView {
       </div>
     `;
   }
+  escapeHtml(text) {
+    return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+  }
   processWord(word) {
     const cleanWord = word.trim();
     const center = Math.max(Math.floor(cleanWord.length / 2) - 1, 0);
     let result = "";
     for (let i = 0; i < cleanWord.length; i++) {
+      const escapedChar = this.escapeHtml(cleanWord[i]);
       if (i === center) {
-        result += `<span class="dashreader-highlight" style="color: ${this.settings.highlightColor}">${cleanWord[i]}</span>`;
+        result += `<span class="dashreader-highlight" style="color: ${this.settings.highlightColor}">${escapedChar}</span>`;
       } else {
-        result += cleanWord[i];
+        result += escapedChar;
       }
     }
     return result;
@@ -925,8 +929,10 @@ var DashReaderView = class extends import_obsidian.ItemView {
     this.wordEl.innerHTML = "";
     let sourceInfo = "";
     if (source == null ? void 0 : source.fileName) {
+      const escapedFileName = this.escapeHtml(source.fileName);
+      const lineInfo = source.lineNumber ? ` (line ${source.lineNumber})` : "";
       sourceInfo = `<div style="font-size: 14px; opacity: 0.6; margin-bottom: 8px;">
-        \u{1F4C4} ${source.fileName}${source.lineNumber ? ` (line ${source.lineNumber})` : ""}
+        \u{1F4C4} ${escapedFileName}${lineInfo}
       </div>`;
     }
     const totalWords = this.engine.getTotalWords();
@@ -1205,7 +1211,6 @@ var DashReaderPlugin = class extends import_obsidian3.Plugin {
   }
   onunload() {
     console.log("Unloading DashReader plugin");
-    this.app.workspace.detachLeavesOfType(VIEW_TYPE_DASHREADER);
   }
   async loadSettings() {
     this.settings = Object.assign({}, DEFAULT_SETTINGS, await this.loadData());
diff --git a/main.ts b/main.ts
@@ -120,7 +120,7 @@ export default class DashReaderPlugin extends Plugin {
 
   onunload() {
     console.log('Unloading DashReader plugin');
-    this.app.workspace.detachLeavesOfType(VIEW_TYPE_DASHREADER);
+    // Don't detach leaves here - let Obsidian restore them at original positions during updates
   }
 
   async loadSettings() {
diff --git a/manifest.json b/manifest.json
@@ -1,7 +1,7 @@
 {
   "id": "dashreader",
   "name": "DashReader",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "minAppVersion": "0.15.0",
   "description": "Speed reading with RSVP (Rapid Serial Visual Presentation) - Read faster, understand better",
   "author": "inattendu",
diff --git a/src/rsvp-view.ts b/src/rsvp-view.ts
@@ -673,17 +673,29 @@ export class DashReaderView extends ItemView {
     `;
   }
 
+  private escapeHtml(text: string): string {
+    // Escape HTML characters to prevent XSS attacks
+    return text.replace(/&/g, '&amp;')
+               .replace(/</g, '&lt;')
+               .replace(/>/g, '&gt;')
+               .replace(/"/g, '&quot;')
+               .replace(/'/g, '&#039;');
+  }
+
   private processWord(word: string): string {
     // Trouver le centre du mot pour le highlighter
     const cleanWord = word.trim();
     const center = Math.max(Math.floor(cleanWord.length / 2) - 1, 0);
 
     let result = '';
     for (let i = 0; i < cleanWord.length; i++) {
+      // Escape each character to prevent XSS from user notes
+      const escapedChar = this.escapeHtml(cleanWord[i]);
+
       if (i === center) {
-        result += `<span class="dashreader-highlight" style="color: ${this.settings.highlightColor}">${cleanWord[i]}</span>`;
+        result += `<span class="dashreader-highlight" style="color: ${this.settings.highlightColor}">${escapedChar}</span>`;
       } else {
-        result += cleanWord[i];
+        result += escapedChar;
       }
     }
 
@@ -777,8 +789,11 @@ export class DashReaderView extends ItemView {
     // Préparer le message avec le nom du document et ligne
     let sourceInfo = '';
     if (source?.fileName) {
+      // Escape filename to prevent XSS if user has malicious filename
+      const escapedFileName = this.escapeHtml(source.fileName);
+      const lineInfo = source.lineNumber ? ` (line ${source.lineNumber})` : '';
       sourceInfo = `<div style="font-size: 14px; opacity: 0.6; margin-bottom: 8px;">
-        📄 ${source.fileName}${source.lineNumber ? ` (line ${source.lineNumber})` : ''}
+        📄 ${escapedFileName}${lineInfo}
       </div>`;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -120,7 +120,7 @@ export default class DashReaderPlugin extends Plugin {`
`120`	`120`
`121`	`121`	`onunload() {`
`122`	`122`	`console.log('Unloading DashReader plugin');`
`123`		`- this.app.workspace.detachLeavesOfType(VIEW_TYPE_DASHREADER);`
	`123`	`+ // Don't detach leaves here - let Obsidian restore them at original positions during updates`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`async loadSettings() {`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"id": "dashreader",`
`3`	`3`	`"name": "DashReader",`
`4`		`- "version": "1.3.0",`
	`4`	`+ "version": "1.3.1",`
`5`	`5`	`"minAppVersion": "0.15.0",`
`6`	`6`	`"description": "Speed reading with RSVP (Rapid Serial Visual Presentation) - Read faster, understand better",`
`7`	`7`	`"author": "inattendu",`