search

sissbruecker / linkding

Self-hosted bookmark manager that is designed be to be minimal, fast, and easy to set up using Docker.
https://linkding.link/
MIT License
6.72k stars 320 forks source link

Custom CSS Escapes Quotes and other symbols #859

Closed jakemauer closed 1 month ago

jakemauer commented 1 month ago

Linkding Version: 1.35.0 Deployment: Docker Browser: Chromium 129

I noticed today while trying out the custom CSS feature that it escapes single and double quotes in the produced CSS which breaks anything that needs quotes. In this example it's content but it can also sometimes be necessary for things like font-family etc.

Content in the Custom CSS textarea:

h1:after {
  content: 'Test String';
  display: block;
}

Content in the page HTML:


<style>h1:after {
  content: &#x27;Test String&#x27;;
  display: block;
  }</style>
sissbruecker commented 1 month ago

Indeed, the content is escaped like any other text in a template. Even though the custom CSS setting is user specific I feel there should be some form of escaping to prevent injecting HTML tags. I gave it a quick try with bleach which leaves quotes as is, but then escapes < and >.

Maybe it would be better to use a link tag to load the custom CSS through a URL instead of inlining it into a style tag. That would link to a view / route that then returns the custom CSS. That would require some work to prevent the CSS from getting cached after changing it in the settings.