Anki/qt at 1a68c9f5d5bcc197b641fe7405e5d9a4823928f3 - GitHub/Anki - OBJNULLs Forgejo: Beyond coding. We Forge.

GitHub/Anki

mirror of https://github.com/ankitects/anki.git synced 2025-09-18 14:02:21 -04:00

History

Damien Elmes 1a68c9f5d5 Harden access to internal API (#3925 ) * Sanitize field content in editor The editor already strips script tags from fields, but was allowing through Javascript in things like onclick handlers. We block this now, as the editor context has access to internal APIs that we don't want to expose to untrusted third-party code. * Require an auth token for API access We were previously inspecting the referrer, but that is spoofable, and doesn't guard against other processes on the machine. To accomplish this, we use a request interceptor to automatically add an auth token to webviews with the right context. Some related changes were required: - We avoid storing _page, which was leading to leaks & warning on exit - At webview creation (or set_kind() invocation), we assign either an authenticated or unauthenticated web profile. - Some of our screens initialize the AnkiWebView when calling, e.g., aqt.forms.stats.Ui_Dialog(). They then immediately call .set_kind(). This reveals a race condition in our DOM handling code: the webview initialization creates an empty page with the injected script, which causes a domDone signal to be sent back. This signal arrives after we've created another page with .set_kind(), causing our code to think the DOM is ready when it's not. Then when we try to inject the dynamic styling, we get an error, as the DOM is not ready yet. In the absence of better solutions, I've added a hack to set_kind() to deal with this for now. * Provide AnkiWebPage init defaults for existing add-on callers * Inject bridge script when profile set-up skipped Some add-ons fully override AnkiWebPage.__init__ and thus depend on _setupBridge injecting the JS bridge script. With this change we account for these cases, while giving add-ons the opportunity to look for solutions that do not require overriding AnkiWebPage.__init__ completely. * Add some missed pages/endpoints (thanks to iamllama) * Avoid sending API key for remote resources Thanks to Abdo for the report --------- Co-authored-by: Aristotelis P <201596065+aps-amboss@users.noreply.github.com>		2025-04-17 11:15:10 +10:00
..
aqt	Harden access to internal API (#3925 )	2025-04-17 11:15:10 +10:00
bundle	Update uninstall.sh to give feedback to the user (#3834 )	2025-02-26 10:24:52 +03:00
icons	move remaining Filter button items into sidebar	2021-02-05 18:58:22 +10:00
mac	Ensure ankihelper is rebuilt on arch change	2024-04-03 15:07:50 +07:00
tests	Change Anki's version scheme; bump to 23.09 (#2640 )	2023-09-07 12:37:15 +10:00
tools	Fix: correct typo and adjust indentation in docstring (#3920 )	2025-04-13 17:00:19 +10:00
.isort.cfg	Specify Python version for auto-formatters (#3325 )	2024-08-04 20:54:14 +07:00
README.md	minor doc updates	2020-12-11 22:37:12 +10:00
runanki.py	get PyQt working directly with ./run on macOS	2021-10-16 18:07:29 +10:00

README.md

Python's Qt GUI is in aqt/