feat(editor): admin-only raw HTML/CSS/JS embed node

Adds an htmlEmbed block node that renders and executes raw HTML/CSS/JS in the wiki origin (e.g. an analytics tracker) — the owner-chosen variant C. Because this is stored-XSS by design, only workspace admins/owners may get such a node persisted; everyone executes it when reading. - Node (editor-ext): htmlEmbed atom/isolating block; source stored base64 in data-source for lossless HTML<->JSON round-trip. renderHTML emits only the encoded marker (never inlines raw markup), so generateHTML/export/search are not themselves injection vectors. Registered in BOTH client extensions and server tiptapExtensions. Markdown round-trip via an  comment (turndown) + a marked rule. - Client NodeView: injects source and re-creates <script> elements so they actually run; edit modal; renders in read-only/share too. Slash item is admin-gated (adminOnly filtered by the user's workspace role). - SERVER ENFORCEMENT (the real control — UI gating alone is insufficient): stripHtmlEmbedNodes() removes htmlEmbed from any document persisted by a non-admin, applied at every write path that introduces content from an untrusted author: collab onStoreDocument, REST/MCP/AI updatePageContent, single-file import, zip/multi-file import, page duplication, and transclusion unsync. Page restore introduces no new content. Public share/readonly viewers render fetched (already-stripped) content and do NOT open a collab socket, so the only residual is a transient broadcast window to concurrent authenticated editors (documented). Implements docs/arbitrary-html-embed-plan.md (variant C). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 08:54:54 +03:00
parent c8af637654
commit bd28dbfe2b
19 changed files with 941 additions and 9 deletions
--- a/apps/server/src/collaboration/collaboration.handler.ts
+++ b/apps/server/src/collaboration/collaboration.handler.ts
@@ -8,6 +8,11 @@ import {
 import { setYjsMark, updateYjsMarkAttribute, YjsSelection } from './yjs.util';
 import * as Y from 'yjs';
 import { User } from '@docmost/db/types/entity.types';
+import {
+  canAuthorHtmlEmbed,
+  hasHtmlEmbedNode,
+  stripHtmlEmbedNodes,
+} from '../common/helpers/prosemirror/html-embed.util';

 export type CollabEventHandlers = ReturnType<
  CollaborationHandler['getHandlers']
@@ -83,8 +88,25 @@ export class CollaborationHandler {
          user: User;
        },
      ) => {
-        const { prosemirrorJson, operation, user } = payload;
+        const { operation, user } = payload;
+        let { prosemirrorJson } = payload;
        this.logger.debug('Updating page content via yjs', documentName);
+
+        // SECURITY (Variant C admin gate, REST/MCP/AI write path):
+        // updatePageContent is the server-side entrypoint used by the REST page
+        // update endpoint and by the MCP/AI agent. Raw `htmlEmbed` nodes execute
+        // arbitrary JS in every reader's browser, so a NON-admin caller must not
+        // be able to persist them here. If the editing user is not a workspace
+        // admin/owner, strip every htmlEmbed node before it reaches the ydoc.
+        if (!canAuthorHtmlEmbed(user?.role)) {
+          if (hasHtmlEmbedNode(prosemirrorJson)) {
+            this.logger.warn(
+              `Stripping htmlEmbed node(s) from non-admin update by user ${user?.id} on ${documentName}`,
+            );
+            prosemirrorJson = stripHtmlEmbedNodes(prosemirrorJson);
+          }
+        }
+
        await this.withYdocConnection(
          hocuspocus,
          documentName,