fix(html-embed): address code-review findings on the sandbox commit

Follow-up fixes to the htmlEmbed-sandbox / trackerHead change: - share-seo: inject trackerHead via a function replacer so `$`-sequences ($&, $', $`, $$) in the admin snippet are inserted literally instead of being treated as String.replace substitution patterns; warn when the </head> marker is absent instead of silently skipping injection. - mcp: register a passthrough `htmlEmbed` node in the schema mirror so an AI/MCP edit of a page containing an embed no longer throws "Unknown node type: htmlEmbed" in TiptapTransformer.toYdoc. - editor-ext + client: treat a non-finite `data-height` as auto (null) so a crafted/corrupted height cannot disable auto-resize or yield a NaN iframe height; extract a shared clampHeight helper. - client: rename render-raw-html.{ts,test.ts} -> html-embed-sandbox.{...} and shouldExecute -> shouldRender so the seam name matches the sandbox model. - client: i18n the iframe title; surface the real error reason in tracker-settings (console.error + err.response.data.message). - docs: note hasHtmlEmbedNode is now a test-only helper; add an Unreleased CHANGELOG entry; drop the dangling "arbitrary HTML embed" planning-doc ref. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 03:22:37 +03:00
parent 20b9f61c3e
commit e9ceb0f899
11 changed files with 333 additions and 33 deletions
--- a/apps/server/src/common/helpers/prosemirror/html-embed.util.ts
+++ b/apps/server/src/common/helpers/prosemirror/html-embed.util.ts
@@ -42,7 +42,9 @@ export function stripHtmlEmbedNodes<T = JSONContent>(pmJson: T): T {
 /**
 * Returns true if the document contains at least one `htmlEmbed` node anywhere
 * in its tree. Useful to decide whether a strip pass on the share read path
- * actually changed anything.
+ * actually changed anything. After the write-path role gate removal this is no
+ * longer called by production code; it is retained as a test-only assertion
+ * helper (and a detection primitive should a future read path need it).
 */
 export function hasHtmlEmbedNode(pmJson: unknown): boolean {
  if (!pmJson || typeof pmJson !== 'object') {
--- a/apps/server/src/core/share/share-seo.controller.ts
+++ b/apps/server/src/core/share/share-seo.controller.ts
@@ -1,4 +1,4 @@
-import { Controller, Get, Param, Req, Res } from '@nestjs/common';
+import { Controller, Get, Logger, Param, Req, Res } from '@nestjs/common';
 import { ShareService } from './share.service';
 import { FastifyReply, FastifyRequest } from 'fastify';
 import { join } from 'path';
@@ -11,6 +11,8 @@ import { htmlEscape } from '../../common/helpers/html-escaper';

@Controller('share')
 export class ShareSeoController {
+  private readonly logger = new Logger(ShareSeoController.name);
+
  constructor(
    private readonly shareService: ShareService,
    private workspaceRepo: WorkspaceRepo,
@@ -96,10 +98,20 @@ export class ShareSeoController {
      // block itself is sandboxed and is the safe surface for everyone else.
      const trackerHead = (workspace?.settings as any)?.trackerHead;
      if (typeof trackerHead === 'string' && trackerHead.trim().length > 0) {
-        transformedHtml = transformedHtml.replace(
-          '</head>',
-          `${trackerHead}\n</head>`,
-        );
+        if (transformedHtml.includes('</head>')) {
+          // Function replacer: the snippet is admin-authored trusted content and
+          // must be injected verbatim. A string replacement would interpret `$&`,
+          // `$'`, `` $` `` and `$$` inside it as substitution patterns and mangle
+          // the tracker; a function return value is inserted literally.
+          transformedHtml = transformedHtml.replace(
+            '</head>',
+            () => `${trackerHead}\n</head>`,
+          );
+        } else {
+          this.logger.warn(
+            'trackerHead is configured but no </head> marker was found in the share index HTML; tracker snippet was not injected.',
+          );
+        }
      }

      res.type('text/html').send(transformedHtml);