From 972e5aed8a840dcf6c9e011db10fa0b41fdf11e9 Mon Sep 17 00:00:00 2001
From: Laurent Cozic <laurent@cozic.net>
Date: Fri, 6 Mar 2020 18:22:40 +0000
Subject: [PATCH] All: Regression: Fixed issue with style embeded in notes

---
 CliClient/tests/md_to_html/sanitize_10.html        | 6 ++++++
 CliClient/tests/md_to_html/sanitize_10.md          | 6 ++++++
 README.md                                          | 4 +++-
 ReactNativeClient/lib/joplin-renderer/htmlUtils.js | 9 ++++++++-
 ReactNativeClient/lib/models/Setting.js            | 3 +++
 5 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 CliClient/tests/md_to_html/sanitize_10.html
 create mode 100644 CliClient/tests/md_to_html/sanitize_10.md

diff --git a/CliClient/tests/md_to_html/sanitize_10.html b/CliClient/tests/md_to_html/sanitize_10.html
new file mode 100644
index 0000000000..d75c322f25
--- /dev/null
+++ b/CliClient/tests/md_to_html/sanitize_10.html
@@ -0,0 +1,6 @@
+<style>
+.md-checkbox input[type="checkbox"]:not(:checked),
+.md-checkbox input[type="checkbox"]:not(:checked)+label {
+    display:none;
+}
+</style>
\ No newline at end of file
diff --git a/CliClient/tests/md_to_html/sanitize_10.md b/CliClient/tests/md_to_html/sanitize_10.md
new file mode 100644
index 0000000000..d75c322f25
--- /dev/null
+++ b/CliClient/tests/md_to_html/sanitize_10.md
@@ -0,0 +1,6 @@
+<style>
+.md-checkbox input[type="checkbox"]:not(:checked),
+.md-checkbox input[type="checkbox"]:not(:checked)+label {
+    display:none;
+}
+</style>
\ No newline at end of file
diff --git a/README.md b/README.md
index d5d83dd179..223496648e 100644
--- a/README.md
+++ b/README.md
@@ -260,7 +260,9 @@ Joplin uses and renders a Github-flavoured Markdown with a few variations and ad
 
 Rendered markdown can be customized by placing a userstyle file in the profile directory `~/.config/joplin-desktop/userstyle.css` (This path might be different on your device - check at the top of the Config screen for the exact path). This file supports standard CSS syntax. Joplin ***must*** be restarted for the new css to be applied, please ensure that Joplin is not closing to the tray, but is actually exiting. Note that this file is used for both displaying the notes and printing the notes. Be aware how the CSS may look printed (for example, printing white text over a black background is usually not wanted).
 
-Editor styles can be customized by placing a custom editor style file in the profile directory `~/.config/joplin-desktop/userchrome.css`.
+The whole UI can be customized by placing a custom editor style file in the profile directory `~/.config/joplin-desktop/userchrome.css`.
+
+Important: userstyle.css and userchrome.css are provided for your convenience, but they are advanced settings, and styles you define may break from one version to the next. If you want to use them, please know that it might require regular development work from you to keep them working. The Joplin team cannot make a commitment to keep the application HTML structure stable.
 
 # Note templates
 
diff --git a/ReactNativeClient/lib/joplin-renderer/htmlUtils.js b/ReactNativeClient/lib/joplin-renderer/htmlUtils.js
index 338af5d21b..e4d446adec 100644
--- a/ReactNativeClient/lib/joplin-renderer/htmlUtils.js
+++ b/ReactNativeClient/lib/joplin-renderer/htmlUtils.js
@@ -104,7 +104,14 @@ class HtmlUtils {
 			ontext: (decodedText) => {
 				if (disallowedTags.includes(currentTag())) return;
 
-				output.push(htmlentities(decodedText));
+				if (currentTag() === 'style') {
+					// For CSS, we have to put the style as-is inside the tag because if we html-entities encode
+					// it, it's not going to work. But it's ok because JavaScript won't run within the style tag.
+					// Ideally CSS should be loaded from an external file.
+					output.push(decodedText);
+				} else {
+					output.push(htmlentities(decodedText));
+				}
 			},
 
 			onclosetag: (name) => {
diff --git a/ReactNativeClient/lib/models/Setting.js b/ReactNativeClient/lib/models/Setting.js
index 9b1f75195d..b4deed9193 100644
--- a/ReactNativeClient/lib/models/Setting.js
+++ b/ReactNativeClient/lib/models/Setting.js
@@ -454,6 +454,7 @@ class Setting extends BaseModel {
 				appTypes: ['desktop'],
 				label: () => _('Custom stylesheet for rendered Markdown'),
 				section: 'appearance',
+				advanced: true,
 			},
 			'style.customCss.joplinApp': {
 				onClick: () => {
@@ -469,6 +470,8 @@ class Setting extends BaseModel {
 				appTypes: ['desktop'],
 				label: () => _('Custom stylesheet for Joplin-wide app styles'),
 				section: 'appearance',
+				advanced: true,
+				description: () => 'CSS file support is provided for your convenience, but they are advanced settings, and styles you define may break from one version to the next. If you want to use them, please know that it might require regular development work from you to keep them working. The Joplin team cannot make a commitment to keep the application HTML structure stable.',
 			},
 
 			autoUpdateEnabled: { value: true, type: Setting.TYPE_BOOL, section: 'application', public: true, appTypes: ['desktop'], label: () => _('Automatically update the application') },