feat(editor): admin-only raw HTML/CSS/JS embed node

Adds an htmlEmbed block node that renders and executes raw HTML/CSS/JS in the
wiki origin (e.g. an analytics tracker) — the owner-chosen variant C. Because
this is stored-XSS by design, only workspace admins/owners may get such a node
persisted; everyone executes it when reading.

- Node (editor-ext): htmlEmbed atom/isolating block; source stored base64 in
  data-source for lossless HTML<->JSON round-trip. renderHTML emits only the
  encoded marker (never inlines raw markup), so generateHTML/export/search are
  not themselves injection vectors. Registered in BOTH client extensions and
  server tiptapExtensions. Markdown round-trip via an <!--html-embed:b64-->
  comment (turndown) + a marked rule.
- Client NodeView: injects source and re-creates <script> elements so they
  actually run; edit modal; renders in read-only/share too. Slash item is
  admin-gated (adminOnly filtered by the user's workspace role).
- SERVER ENFORCEMENT (the real control — UI gating alone is insufficient):
  stripHtmlEmbedNodes() removes htmlEmbed from any document persisted by a
  non-admin, applied at every write path that introduces content from an
  untrusted author: collab onStoreDocument, REST/MCP/AI updatePageContent,
  single-file import, zip/multi-file import, page duplication, and transclusion
  unsync. Page restore introduces no new content. Public share/readonly viewers
  render fetched (already-stripped) content and do NOT open a collab socket, so
  the only residual is a transient broadcast window to concurrent authenticated
  editors (documented).

Implements docs/arbitrary-html-embed-plan.md (variant C).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

apps/server/src/collaboration/collaboration.handler.ts

@@ -8,6 +8,11 @@ import {
 import { setYjsMark, updateYjsMarkAttribute, YjsSelection } from './yjs.util';
 import * as Y from 'yjs';
 import { User } from '@docmost/db/types/entity.types';
+import {
+  canAuthorHtmlEmbed,
+  hasHtmlEmbedNode,
+  stripHtmlEmbedNodes,
+} from '../common/helpers/prosemirror/html-embed.util';
 
 export type CollabEventHandlers = ReturnType<
   CollaborationHandler['getHandlers']
@@ -83,8 +88,25 @@ export class CollaborationHandler {
           user: User;
         },
       ) => {
-        const { prosemirrorJson, operation, user } = payload;
+        const { operation, user } = payload;
+        let { prosemirrorJson } = payload;
         this.logger.debug('Updating page content via yjs', documentName);
+
+        // SECURITY (Variant C admin gate, REST/MCP/AI write path):
+        // updatePageContent is the server-side entrypoint used by the REST page
+        // update endpoint and by the MCP/AI agent. Raw `htmlEmbed` nodes execute
+        // arbitrary JS in every reader's browser, so a NON-admin caller must not
+        // be able to persist them here. If the editing user is not a workspace
+        // admin/owner, strip every htmlEmbed node before it reaches the ydoc.
+        if (!canAuthorHtmlEmbed(user?.role)) {
+          if (hasHtmlEmbedNode(prosemirrorJson)) {
+            this.logger.warn(
+              `Stripping htmlEmbed node(s) from non-admin update by user ${user?.id} on ${documentName}`,
+            );
+            prosemirrorJson = stripHtmlEmbedNodes(prosemirrorJson);
+          }
+        }
+
         await this.withYdocConnection(
           hocuspocus,
           documentName,

apps/server/src/collaboration/collaboration.util.ts

@@ -32,6 +32,7 @@ import {
   Drawio,
   Excalidraw,
   Embed,
+  HtmlEmbed,
   Mention,
   Subpages,
   Highlight,
@@ -102,6 +103,10 @@ export const tiptapExtensions = [
   Drawio,
   Excalidraw,
   Embed,
+  // Registered server-side so the node survives schema parsing/serialization.
+  // Authoring is gated to admins at the document WRITE paths (see
+  // stripHtmlEmbedNodes usage in persistence/page services), NOT here.
+  HtmlEmbed,
   Mention,
   Subpages,
   Columns,

apps/server/src/collaboration/extensions/persistence.extension.ts

@@ -39,6 +39,11 @@ import {
   HISTORY_INTERVAL,
 } from '../constants';
 import { TransclusionService } from '../../core/page/transclusion/transclusion.service';
+import {
+  canAuthorHtmlEmbed,
+  hasHtmlEmbedNode,
+  stripHtmlEmbedNodes,
+} from '../../common/helpers/prosemirror/html-embed.util';
 
 @Injectable()
 export class PersistenceExtension implements Extension {
@@ -112,7 +117,56 @@ export class PersistenceExtension implements Extension {
 
     const pageId = getPageId(documentName);
 
-    const tiptapJson = TiptapTransformer.fromYdoc(document, 'default');
+    let tiptapJson = TiptapTransformer.fromYdoc(document, 'default');
+
+    // SECURITY (Variant C admin gate, collab WebSocket write path):
+    // The persisted snapshot is the merged ydoc, which may contain an htmlEmbed
+    // node inserted by ANY connected editor. htmlEmbed renders raw, unsanitized
+    // JS in every reader's browser, so only workspace admins/owners may author
+    // it. When the user whose store triggers this persist is not an admin, strip
+    // every htmlEmbed node before it is written to the page row AND before the
+    // ydoc state is re-encoded, so the node cannot be reintroduced by a
+    // non-admin via the collab socket.
+    // NOTE (residual risk): the gate is keyed to the storing connection's user.
+    // If an admin already authored an htmlEmbed and a non-admin's later store
+    // does not touch it, this strip would remove the admin's embed on that
+    // non-admin store. This is intentionally conservative (fail closed): the
+    // admin re-adds/keeps the node on their own next edit. A future refinement
+    // could diff against the previously persisted admin-authored embeds.
+    //
+    // ACCEPTED RESIDUAL RISK (pre-persist broadcast window): this strip runs in
+    // the debounced onStoreDocument, but hocuspocus broadcasts each inbound Yjs
+    // update to connected clients immediately, so a non-admin's transient
+    // htmlEmbed can execute in OTHER open editors' browsers in the brief window
+    // before this persist strips it. The exposure is limited to concurrent
+    // AUTHENTICATED space members who have the doc open with Edit rights
+    // (semi-trusted) — anonymous public-share/readonly viewers do NOT open a
+    // collab socket (ReadonlyPageEditor renders fetched, already-stripped
+    // content; HocuspocusProvider is only used by the authenticated editable
+    // page-editor), and the PERSISTED page row plus every share/readonly read
+    // path are protected by this strip. The window is therefore accepted rather
+    // than mitigated with an inbound beforeBroadcast strip.
+    if (!canAuthorHtmlEmbed(context?.user?.role)) {
+      if (hasHtmlEmbedNode(tiptapJson)) {
+        this.logger.warn(
+          `Stripping htmlEmbed node(s) from non-admin collab store by user ${context?.user?.id} on ${documentName}`,
+        );
+        tiptapJson = stripHtmlEmbedNodes(tiptapJson);
+        // Reflect the stripped content back into the shared ydoc so the node is
+        // removed for all connected clients, not just the persisted row.
+        const fragment = document.getXmlFragment('default');
+        if (fragment.length > 0) {
+          fragment.delete(0, fragment.length);
+        }
+        const cleanDoc = TiptapTransformer.toYdoc(
+          tiptapJson,
+          'default',
+          tiptapExtensions,
+        );
+        Y.applyUpdate(document, Y.encodeStateAsUpdate(cleanDoc));
+      }
+    }
+
     const ydocState = Buffer.from(Y.encodeStateAsUpdate(document));
 
     let textContent = null;