Files

claude code agent 227 bd28dbfe2b feat(editor): admin-only raw HTML/CSS/JS embed node

Adds an htmlEmbed block node that renders and executes raw HTML/CSS/JS in the
wiki origin (e.g. an analytics tracker) — the owner-chosen variant C. Because
this is stored-XSS by design, only workspace admins/owners may get such a node
persisted; everyone executes it when reading.

- Node (editor-ext): htmlEmbed atom/isolating block; source stored base64 in
  data-source for lossless HTML<->JSON round-trip. renderHTML emits only the
  encoded marker (never inlines raw markup), so generateHTML/export/search are
  not themselves injection vectors. Registered in BOTH client extensions and
  server tiptapExtensions. Markdown round-trip via an <!--html-embed:b64-->
  comment (turndown) + a marked rule.
- Client NodeView: injects source and re-creates <script> elements so they
  actually run; edit modal; renders in read-only/share too. Slash item is
  admin-gated (adminOnly filtered by the user's workspace role).
- SERVER ENFORCEMENT (the real control — UI gating alone is insufficient):
  stripHtmlEmbedNodes() removes htmlEmbed from any document persisted by a
  non-admin, applied at every write path that introduces content from an
  untrusted author: collab onStoreDocument, REST/MCP/AI updatePageContent,
  single-file import, zip/multi-file import, page duplication, and transclusion
  unsync. Page restore introduces no new content. Public share/readonly viewers
  render fetched (already-stripped) content and do NOT open a collab socket, so
  the only residual is a transient broadcast window to concurrent authenticated
  editors (documented).

Implements docs/arbitrary-html-embed-plan.md (variant C).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-20 08:54:54 +03:00

public

feat(ai-chat): show current context size instead of total tokens spent

2026-06-18 19:54:34 +03:00

src

feat(editor): admin-only raw HTML/CSS/JS embed node

2026-06-20 08:54:54 +03:00

.dockerignore

fixes

2024-06-07 17:29:34 +01:00

.gitignore

switch to nx monorepo

2024-01-09 18:58:26 +01:00

eslint.config.mjs

chore: fix linting (#544 )

2024-12-09 14:51:31 +00:00

index.html

feat(brand): roll out Gitmost logo, favicon and app name

2026-06-18 00:12:26 +03:00

package.json

0.91.0

2026-06-18 18:07:54 +03:00

postcss.config.js

switch to nx monorepo

2024-01-09 18:58:26 +01:00

README.md

switch to nx monorepo

2024-01-09 18:58:26 +01:00

tsconfig.json

switch to nx monorepo

2024-01-09 18:58:26 +01:00

tsconfig.node.json

switch to nx monorepo

2024-01-09 18:58:26 +01:00

vite.config.ts

feat(client): show git-describe version next to the brand logo

2026-06-18 04:51:21 +03:00

vitest.config.ts

feat(tree): replace sidebar tree (react-aborist) with custom tree implementation (#2199 )

2026-05-13 23:01:04 +01:00

README.md

React + TypeScript + Vite

This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.

Currently, two official plugins are available:

@vitejs/plugin-react uses Babel for Fast Refresh
@vitejs/plugin-react-swc uses SWC for Fast Refresh

Expanding the ESLint configuration

If you are developing a production application, we recommend updating the configuration to enable type aware lint rules:

Configure the top-level parserOptions property like this:

   parserOptions: {
    ecmaVersion: 'latest',
    sourceType: 'module',
    project: ['./tsconfig.json', './tsconfig.node.json'],
    tsconfigRootDir: __dirname,
   },

Replace plugin:@typescript-eslint/recommended to plugin:@typescript-eslint/recommended-type-checked or plugin:@typescript-eslint/strict-type-checked
Optionally add plugin:@typescript-eslint/stylistic-type-checked
Install eslint-plugin-react and add plugin:react/recommended & plugin:react/jsx-runtime to the extends list