Desktop: Rich Text Editor: Disallow inline event handlers (#12106)

2025-11-26 22:41:17 +02:00 · 2025-04-17 05:02:35 -07:00
parent 3ffcf065fc
commit 56e2d3da89
13 changed files with 123 additions and 89 deletions
--- a/packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/utils/useWebViewApi.ts
+++ b/packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/utils/useWebViewApi.ts
@@ -2,72 +2,37 @@ import PluginService from '@joplin/lib/services/plugins/PluginService';
 import { useEffect } from 'react';
 import { Editor } from 'tinymce';

-const useWebViewApi = (editor: Editor, window: Window) => {
+interface WebViewApi {
+	postMessage: (contentScriptId: string, message: unknown)=> Promise<unknown>;
+}
+
+interface ExtendedWindow extends Window {
+	webviewApi: WebViewApi;
+}
+
+const useWebViewApi = (editor: Editor, containerWindow: Window) => {
 	useEffect(() => {
 		if (!editor) return ()=>{};
-		if (!window) return ()=>{};
+		if (!containerWindow) return ()=>{};

-		const scriptElement = window.document.createElement('script');
-		const channelId = `plugin-post-message-${Math.random()}`;
-		scriptElement.appendChild(window.document.createTextNode(`
-			window.webviewApi = {
-				postMessage: (contentScriptId, message) => {
-					const channelId = ${JSON.stringify(channelId)};
-					const messageId = Math.random();
-					window.parent.postMessage({
-						channelId,
-						messageId,
-						contentScriptId,
-						message,
-					}, '*');
-
-					const waitForResponse = async () => {
-						while (true) {
-							const messageEvent = await new Promise(resolve => {
-								window.addEventListener('message', event => {
-									resolve(event);
-								}, {once: true});
-							});
-	
-							if (messageEvent.source !== window.parent || messageEvent.data.messageId !== messageId) {
-								continue;
-							}
-	
-							const data = messageEvent.data;
-							return data.response;
-						}
-					};
-
-					return waitForResponse();
-				},
-			};
-		`));
-		const editorWindow = editor.getWin();
-		editorWindow.document.head.appendChild(scriptElement);
-
-		const onMessageHandler = async (event: MessageEvent) => {
-			if (event.source !== editorWindow || event.data.channelId !== channelId) {
-				return;
-			}
-
-			const contentScriptId = event.data.contentScriptId;
-			const pluginService = PluginService.instance();
-			const plugin = pluginService.pluginById(
-				pluginService.pluginIdByContentScriptId(contentScriptId),
-			);
-			const result = await plugin.emitContentScriptMessage(contentScriptId, event.data.message);
-			editorWindow.postMessage({
-				messageId: event.data.messageId,
-				response: result,
-			}, '*');
+		const editorWindow = editor.getWin() as ExtendedWindow;
+		const webviewApi: WebViewApi = {
+			postMessage: async (contentScriptId: string, message: unknown) => {
+				const pluginService = PluginService.instance();
+				const plugin = pluginService.pluginById(
+					pluginService.pluginIdByContentScriptId(contentScriptId),
+				);
+				return await plugin.emitContentScriptMessage(contentScriptId, message);
+			},
 		};
-		window.addEventListener('message', onMessageHandler);
+		editorWindow.webviewApi = webviewApi;

 		return () => {
-			window.removeEventListener('message', onMessageHandler);
-			scriptElement.remove();
+			if (editorWindow.webviewApi === webviewApi) {
+				editorWindow.webviewApi = undefined;
+			}
 		};
-	}, [editor, window]);
+	}, [editor, containerWindow]);
 };

 export default useWebViewApi;