* Revert "Sanitize field content in editor"
This reverts commit 1c156905f8.
* Use CSP to block inline JS content in editor
This blocks inline scripts, scripts in the media folder, and
handlers like onclick in the editor. This is nicer than the previous
solution - it doesn't make any permanent changes, and leaves other
content like SVGs alone. Thanks to Nil Admirari for the suggestion.
* Sanitize field content in editor
The editor already strips script tags from fields, but was allowing
through Javascript in things like onclick handlers. We block this now,
as the editor context has access to internal APIs that we don't want to
expose to untrusted third-party code.
* Require an auth token for API access
We were previously inspecting the referrer, but that is spoofable,
and doesn't guard against other processes on the machine.
To accomplish this, we use a request interceptor to automatically
add an auth token to webviews with the right context. Some related
changes were required:
- We avoid storing _page, which was leading to leaks & warning on exit
- At webview creation (or set_kind() invocation), we assign either
an authenticated or unauthenticated web profile.
- Some of our screens initialize the AnkiWebView when calling, e.g.,
aqt.forms.stats.Ui_Dialog(). They then immediately call .set_kind().
This reveals a race condition in our DOM handling code: the webview
initialization creates an empty page with the injected script, which
causes a domDone signal to be sent back. This signal arrives after
we've created another page with .set_kind(), causing our code to think
the DOM is ready when it's not. Then when we try to inject the dynamic
styling, we get an error, as the DOM is not ready yet. In the absence
of better solutions, I've added a hack to set_kind() to deal with this
for now.
* Provide AnkiWebPage init defaults for existing add-on callers
* Inject bridge script when profile set-up skipped
Some add-ons fully override AnkiWebPage.__init__ and thus depend on _setupBridge injecting the JS bridge script.
With this change we account for these cases, while giving add-ons the opportunity to look for solutions that do not require overriding AnkiWebPage.__init__ completely.
* Add some missed pages/endpoints (thanks to iamllama)
* Avoid sending API key for remote resources
Thanks to Abdo for the report
---------
Co-authored-by: Aristotelis P <201596065+aps-amboss@users.noreply.github.com>
* fix discard changes randomly being a noop on certain linux systems
* use QApplication.setActiveWindow instead
* revert current impl
* wait for the next event loop iter before calling activeWindow
* NF: Modify CONTRIBUTORS
Just so that I stop getting the warning
* NF: Create `deckOptionsReady`
* NF: rename _close to require_close
The method will have to be used outside of this class, so can't be private
* NF: simplify slightly some code
* NF: remove bridge command from deck options
* Remove unused import
* Remove superfluous comment with a typo
* add get_revlogs API
* fix tooltipText of ReviewsGraph
the style of true-retention shouldn't affect the style of tooltipText of ReviewsGraph
* More verbose wording (dae)
* test using existed cards
* plot new and review
* convert learning cards & use line chart
* allow draw multiple simulations in the same chart
* support hide simulation
* convert x axis to Date
* convert y from second to minute
* support clear last simulation
* remove unused import
* rename
* add hover/tooltip
* fallback to default parameters
* update default value and maximum of deckSize
* add "processing..."
* fix mistake
This resulted in the I/O regression in #3223 not being caught with ./run,
and puts devs ast risk. It also does not currently seem to be required
(pages like graphs and deck options work correctly with ./yarn dev).
I suspect the change was made to support running of pages/*.html, which
we no longer build.
* Update to latest Node LTS
* Add sveltekit
* Split tslib into separate @generated and @tslib components
SvelteKit's path aliases don't support multiple locations, so our old
approach of using @tslib to refer to both ts/lib and out/ts/lib will no
longer work. Instead, all generated sources and their includes are
placed in a separate out/ts/generated folder, and imported via @generated
instead. This also allows us to generate .ts files, instead of needing
to output separate .d.ts and .js files.
* Switch package.json to module type
* Avoid usage of baseUrl
Incompatible with SvelteKit
* Move sass into ts; use relative links
SvelteKit's default sass support doesn't allow overriding loadPaths
* jest->vitest, graphs example working with yarn dev
* most pages working in dev mode
* Some fixes after rebasing
* Fix/silence some svelte-check errors
* Get image-occlusion working with Fabric types
* Post-rebase lock changes
* Editor is now checked
* SvelteKit build integrated into ninja
* Use the new SvelteKit entrypoint for pages like congrats/deck options/etc
* Run eslint once for ts/**; fix some tests
* Fix a bunch of issues introduced when rebasing over latest main
* Run eslint fix
* Fix remaining eslint+pylint issues; tests now all pass
* Fix some issues with a clean build
* Latest bufbuild no longer requires @__PURE__ hack
* Add a few missed dependencies
* Add yarn.bat to fix Windows build
* Fix pages failing to show when ANKI_API_PORT not defined
* Fix svelte-check and vitest on Windows
* Set node path in ./yarn
* Move svelte-kit output to ts/.svelte-kit
Sadly, I couldn't figure out a way to store it in out/ if out/ is
a symlink, as it breaks module resolution when SvelteKit is run.
* Allow HMR inside Anki
* Skip SvelteKit build when HMR is defined
* Fix some post-rebase issues
I should have done a normal merge instead.
* adds log module
* enable logging in the app
* adds a getLogger method to AddonManager
* change log level depending on ANKIDEV
* fix undefined module variable
* - fix addons log file path
- remove a breakpoint leftover
set the addons log files under pm.addonFolder()/NNNNNN/user_files/logs/NNNNNN.log
* fix path bug
* move log closing handling into AddonManager deleteAddon/backupUserFiles methods
* logging module level import
fix undefined variable in backupUserFiles
* pretty format log records
* move MediaServer log into logging
* update CONTRIBUTORS
* documentation cleanup
* capture warnings into log messages
fix waitress verbosity
* remove record_factory function
* add get_logger method alias to getLogger in AddonManager
switch to TimedRotatingFileHandler handler
fix minor typo
* set main log level to DEBUG if ANKIDEV is not 0 (or unset)
added two new methods to AddonManager addon_get_logger/addon_toggle_log_level
* add new find_logger_output to AddonManager
* move logs under pm.base
* change log output
* update addonmanager getlogger
* Format imports
* Refactor logging set-up slightly and tweak docstring
* Remove obsolete log closing statements
As logs are no longer stored in user_files, we do not need to close their handlers
* Refactor and try to simplify log module
* Remove demo code
* Refactor and update add-on manager logging API
* Simplify writing unit tests for add-ons that use logging
Loggers are likely to be also employed in non UI code, so it seems like a good idea to decouple them from requiring a running Anki instance to work (thus freeing add-on authors from the need to mock Anki APIs in their tests).
* Fix arguments and drop obsolete inline instructions
Lets add a section on logging to the add-on docs instead
* Drop unnecessary import
* Supply logging basicConfig force option by default
Until we change the module import order and thus ensure that `log` is always evaluated before third-party dependencies have a chance to initialize the root logger, `force` is non-optional.
* Fix formatting and type errors
* Restore mediasrv type ignore comments
* Add note on prefix API stability
* Consistently use addon_from_module in new code
* Use logFolder rather than profileFolder
* Adjust method name for PEP8
* Change loggerDict access path, satisfying pylint
* Drop unused import and use lazy % formatting
* lint fix
* refactor .log_folder -> .addon_logs
store anki.log under logdir
* Fix method name (dae)
* Disable file-based logging in the backend (dae)
I have never found this useful, and it logs nothing by default, so
creating/opening the file is a waste. Removing it also ensures that
addon_logs() is solely used for add-ons.
---------
Co-authored-by: Glutanimate <5459332+glutanimate@users.noreply.github.com>
* Replace css_browser_selector
* Add classes to root element instead of body
* Export addBrowserClasses() in reviewer_extras for mobile clients (dae)
* Avoid setting .mac on iOS devices (dae)
- Allow custom study methods in reviewer to prevent errors
- Ensure we 'fail closed' if referer header has been removed
- Ensure we ignore opaque POST requests from other origins
Thanks again to Daniel for the feedback.
