* Revert "Sanitize field content in editor"
This reverts commit 1c156905f8.
* Use CSP to block inline JS content in editor
This blocks inline scripts, scripts in the media folder, and
handlers like onclick in the editor. This is nicer than the previous
solution - it doesn't make any permanent changes, and leaves other
content like SVGs alone. Thanks to Nil Admirari for the suggestion.
* add AnkiWebView subclasses for stats, empty cards and find dupes ui
* update ui files to use subclassed webviews instead
* remove superfluous calls to AnkiWebView.set_kind
* Avoid set_kind() race condition in legacy stats webview
Replacing the web view is a hacky workaround, but likely a reasonable compromise for a legacy view that we do not want to maintain a separate Qt form for.
* Slightly refactor AnkiWebView subclass creation and tweak inline comment
+ Extend create_ankiwebview_subclass() with the ability to set any
init time AnkiWebView argument
+ Introduce some nice-to-haves in terms of static type checking support
and IDE autocompletion
+ Mark helper function as private to discourage add-on use
* Drop `AnkiWebView.set_kind` completely
There no longer is an Anki-internal use case for changing the web view kind after initializing a web view, and add-ons almost certainly do not have any use for it either.
Given that setting the kind after web view construction can lead to known race conditions with `domDone` signals, we should remove this method to discourage uses like this in both Anki code and add-on consumers.
There currenty only seems to be one add-on calling `set_kind()`, so this seem like a justifiable API change.
---------
Co-authored-by: llama <100429699+iamllama@users.noreply.github.com>
* add AnkiWebView subclasses for stats, empty cards and find dupes ui
* update ui files to use subclassed webviews instead
* remove superfluous calls to AnkiWebView.set_kind
* revert impl
* set page background colour after setPage in AnkiWebView.set_kind
* Sanitize field content in editor
The editor already strips script tags from fields, but was allowing
through Javascript in things like onclick handlers. We block this now,
as the editor context has access to internal APIs that we don't want to
expose to untrusted third-party code.
* Require an auth token for API access
We were previously inspecting the referrer, but that is spoofable,
and doesn't guard against other processes on the machine.
To accomplish this, we use a request interceptor to automatically
add an auth token to webviews with the right context. Some related
changes were required:
- We avoid storing _page, which was leading to leaks & warning on exit
- At webview creation (or set_kind() invocation), we assign either
an authenticated or unauthenticated web profile.
- Some of our screens initialize the AnkiWebView when calling, e.g.,
aqt.forms.stats.Ui_Dialog(). They then immediately call .set_kind().
This reveals a race condition in our DOM handling code: the webview
initialization creates an empty page with the injected script, which
causes a domDone signal to be sent back. This signal arrives after
we've created another page with .set_kind(), causing our code to think
the DOM is ready when it's not. Then when we try to inject the dynamic
styling, we get an error, as the DOM is not ready yet. In the absence
of better solutions, I've added a hack to set_kind() to deal with this
for now.
* Provide AnkiWebPage init defaults for existing add-on callers
* Inject bridge script when profile set-up skipped
Some add-ons fully override AnkiWebPage.__init__ and thus depend on _setupBridge injecting the JS bridge script.
With this change we account for these cases, while giving add-ons the opportunity to look for solutions that do not require overriding AnkiWebPage.__init__ completely.
* Add some missed pages/endpoints (thanks to iamllama)
* Avoid sending API key for remote resources
Thanks to Abdo for the report
---------
Co-authored-by: Aristotelis P <201596065+aps-amboss@users.noreply.github.com>
* add min-height to fields
* 30px → 1.5em
This works with different font sizes too. Now there are no size jumps between empty field / field with string / field with empty html.
* Add checkbox
* Working in editor
* Toolbar webview
* Other webviews
* Even more webviews
* Move to profile settings
* Add to contributors [skip ci]
* Fix checks
* Fix checks
* Better?
* Remove unneded
* Remove checkbox and a few other things
* How the hell did that happen
* Undo FTL changes (dae)
* Remove superfluous config entry (dae)
* Add comment about profile keys (dae)
* fix: correct typo and adjust indentation in docstring
Fixed a small typo in the webview_did_inject_style_into_page docstring and adjusted indentation for consistency.
* Update CONTRIBUTORS
* replace use of deprecated createClassComponent with mount
* bump esbuild-svelte from 0.8.1 to 0.9.2
* mathjax-element.ts -> mathjax-element.svelte.ts
* move caret after tick
* Improve natural unit conversion for a time b/w 360 to 365 days
Previously, 363 days would be converted to 12.1 months, which is quite confusing because
- a user would think that if the value is more than 12 months, why it isn't displayed in years
- the value is actually less than a year, which is counterintuitive as 12.1 m suggests a value more than a year.
* precise
* Update time.ts to match timespan.rs
* Add another test
* Use average duration of a month instead
* Update time.ts
* Update test_schedv3.py
* Update time.test.ts
* Display median interval in Stats instead of mean
Median is better suited than mean for reporting skewed data.
* Display median ease in Stats instead of mean
* Update difficulty.ts
* Update ease.ts
* Update statistics.ftl
* Format eases.rs
* Remove unused import
* Change Median back to Average in UI
* Revert "Change Median back to Average in UI"
This reverts commit e0c1e3f8e4.
* Preserve the old translations for now (dae)
This commit explains how to calls a method implemented in a language
from a different language.
This explains how to declare the RPCs, how to call them and how to
implement them. This is based on examples of code at main at the time
of writting. I used permalink to ensure that the links remains
relevant even if the specific examples change later.
The last section is about the special case of calling TypeScript from
Python, which does not use RPC but is still relevant in a bridge
document.
This commit also add a paragraph explaining what protobuf is in the
protobuf documentation, so that new contributors who don't know what
protobuf is can understand why we use it.
* modify render_card to return whether card was empty
* plumbing
* add flag to proto message
* plumbing: pass flag along to PartiallyRenderedCard
* add tests
* Use a custom return type for clarity (dae)
* Move the solution to the Rust layer
* CONTRIBUTORS fix (1)
* CONTRIBUTORS fix (2)
* Fix CI issues
* Simplify reparenting solution
* Fix reparenting message with tags
* Revert "Fix reparenting message with tags"
This reverts commit 199958c1c5.
* tags: Return None in reparented_name when the name is unchanged
* Return a copy of note type in ModelManager.get()
* Update tests
* Revert "Return a copy of note type in ModelManager.get()"
This reverts commit 04ef186336.
* Add note to .get()
* add qsv-sniffer crate
* use qsv-sniffer before falling back to old delimiter heuristic
* update test metadata macro
* revert impl
* trim potential suffixed delimiters from non-freeform meta lines
* add test
* Show "and others" at the end of the contributor list in the about dialog
* Make about addendum translatable
* Fix CONTRIBUTORS
* Fix CONTRIBUTORS
* Update ftl/qt/about.ftl (dae)
* Remove unused import
* Nit-pick on code comment
* Enable View Page/Config buttons only when 1 add-on selected
* Enable Cmd+W shortcut (on Mac only) to close Add-ons dialog
* Feat/grade now
* pass ci
* fix from_queue
* Refactor card answering to support from_queue flag
- Add `from_queue` field to `CardAnswer` struct and proto message
- Modify `answer_card_inner` to handle queue updates based on `from_queue`
- Remove `grade_card` method and consolidate card answering logic
- Update related test cases to set `from_queue` flag
* fix current_changes() called when no op set
* Optimize queue updates for batch card processing
- Refactor `grade_now` to collect processed card IDs first
- Add new `update_queues_for_processed_cards` method for efficient batch queue updates
- Improve queue management by removing entries and updating counts in a single pass
- Remove individual queue update method in favor of batch processing
* pass ci
* keep the same style
* remove ineffective code
* remove unused imports
