Mirror of https://github.com/ankitects/anki.git (synced 2025-09-18 14:02:21 -04:00)
Anki is a smart spaced repetition flashcard program
* Sanitize field content in editor

The editor already strips script tags from fields, but was allowing through JavaScript in things like onclick handlers. We block this now, as the editor context has access to internal APIs that we don't want to expose to untrusted third-party code.

* Require an auth token for API access

We were previously inspecting the referrer, but that is spoofable, and doesn't guard against other processes on the machine. To accomplish this, we use a request interceptor to automatically add an auth token to webviews with the right context.

Some related changes were required:

- We avoid storing _page, which was leading to leaks & warning on exit
- At webview creation (or set_kind() invocation), we assign either an authenticated or unauthenticated web profile.
- Some of our screens initialize the AnkiWebView when calling, e.g., aqt.forms.stats.Ui_Dialog(). They then immediately call .set_kind(). This reveals a race condition in our DOM handling code: the webview initialization creates an empty page with the injected script, which causes a domDone signal to be sent back. This signal arrives after we've created another page with .set_kind(), causing our code to think the DOM is ready when it's not. Then when we try to inject the dynamic styling, we get an error, as the DOM is not ready yet. In the absence of better solutions, I've added a hack to set_kind() to deal with this for now.

* Provide AnkiWebPage init defaults for existing add-on callers

* Inject bridge script when profile set-up skipped

Some add-ons fully override AnkiWebPage.__init__ and thus depend on _setupBridge injecting the JS bridge script. With this change we account for these cases, while giving add-ons the opportunity to look for solutions that do not require overriding AnkiWebPage.__init__ completely.

* Add some missed pages/endpoints (thanks to iamllama)

* Avoid sending API key for remote resources

Thanks to Abdo for the report

---------

Co-authored-by: Aristotelis P <201596065+aps-amboss@users.noreply.github.com>
.buildkite/
.cargo/
.config/
.github/ISSUE_TEMPLATE/
.vscode.dist/
build/
cargo/
docs/
ftl/
proto/
pylib/
python/
qt/
rslib/
tools/
ts/
.deny.toml
.dockerignore
.dprint.json
.eslintrc.cjs
.gitattributes
.gitignore
.gitmodules
.isort.cfg
.mypy.ini
.prettierrc
.pylintrc
.ruff.toml
.rustfmt-empty.toml
.rustfmt.toml
.version
.yarnrc.yml
Cargo.lock
Cargo.toml
check
CONTRIBUTORS
LICENSE
ninja
package.json
pkgkey.asc
pyproject.toml
README.md
run
run.bat
rust-toolchain.toml
SECURITY.md
yarn
yarn.bat
yarn.lock
Anki
This repo contains the source code for the computer version of Anki.
About
Anki is a spaced repetition program. Please see the website to learn more.
Getting Started
Anki Betas
If you'd like to try development builds of Anki but don't feel comfortable building the code, please see Anki betas.
Developing
For more information on building and developing, please see Development.
Contributing
Want to contribute to Anki? Check out the Contribution Guidelines.
Anki Contributors
License
Anki's license: LICENSE