-
-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(core) Fix HTML encoding in webview rendered via data url #8779
base: 1.x
Are you sure you want to change the base?
Changes from all commits
0f2018a
2f82563
047092d
b14ebac
f91ab78
bdfccc6
7cdf241
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -3247,13 +3247,27 @@ fn create_webview<T: UserEvent>( | |
if window_builder.center { | ||
let _ = center_window(&window, window.inner_size()); | ||
} | ||
let mut webview_builder = WebViewBuilder::new(window) | ||
.map_err(|e| Error::CreateWebview(Box::new(e)))? | ||
|
||
let mut webview_builder = | ||
WebViewBuilder::new(window).map_err(|e| Error::CreateWebview(Box::new(e)))?; | ||
|
||
// use with_html method if html content can be extracted from url. | ||
// else defaults to with_url method | ||
webview_builder = if let Some(html_string) = tauri_utils::html::extract_html_content(&url) { | ||
webview_builder | ||
.with_html(html_string) | ||
.map_err(|e| Error::CreateWebview(Box::new(e)))? | ||
} else { | ||
webview_builder | ||
.with_url(&url) | ||
.map_err(|e| Error::CreateWebview(Box::new(e)))? | ||
}; | ||
Comment on lines
+3256
to
+3264
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
||
|
||
webview_builder = webview_builder | ||
.with_focused(focused) | ||
.with_url(&url) | ||
.unwrap() // safe to unwrap because we validate the URL beforehand | ||
.with_transparent(is_window_transparent) | ||
.with_accept_first_mouse(webview_attributes.accept_first_mouse); | ||
|
||
if webview_attributes.file_drop_handler_enabled { | ||
webview_builder = webview_builder | ||
.with_file_drop_handler(create_file_drop_handler(window_event_listeners.clone())); | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -50,3 +50,4 @@ system-tray = [ ] | |
macos-private-api = [ ] | ||
global-shortcut = [ ] | ||
clipboard = [ ] | ||
window-data-url = [ "tauri-utils/window-data-url" ] | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. and revert this as well |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -38,6 +38,7 @@ semver = "1" | |
infer = "0.13" | ||
dunce = "1" | ||
log = "0.4.20" | ||
data-url = { version = "0.3.1", optional = true } | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ditto |
||
|
||
[target."cfg(target_os = \"linux\")".dependencies] | ||
heck = "0.4" | ||
|
@@ -54,3 +55,4 @@ process-relaunch-dangerous-allow-symlink-macos = [ ] | |
config-json5 = [ "json5" ] | ||
config-toml = [ "toml" ] | ||
resources = [ "glob", "walkdir" ] | ||
window-data-url = [ "data-url" ] | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ditto |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -286,6 +286,20 @@ pub fn inline_isolation(document: &mut NodeRef, dir: &Path) { | |
} | ||
} | ||
|
||
/// Temporary naive method to check if a string is a html | ||
pub fn is_html(data_string: &str) -> bool { | ||
data_string.contains('<') && data_string.contains('>') | ||
} | ||
|
||
/// Temporary naive method to extract data from html data string | ||
pub fn extract_html_content(input: &str) -> Option<&str> { | ||
if input.starts_with("data:text/html,") { | ||
Some(&input[15..]) | ||
} else { | ||
None | ||
} | ||
} | ||
Comment on lines
+289
to
+301
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. let's move these back to |
||
|
||
#[cfg(test)] | ||
mod tests { | ||
use kuchiki::traits::*; | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -995,6 +995,8 @@ impl<R: Runtime> WindowManager<R> { | |
} | ||
} | ||
WindowUrl::External(url) => url.clone(), | ||
#[cfg(feature = "window-data-url")] | ||
WindowUrl::DataUrl(url) => url.clone(), | ||
_ => unimplemented!(), | ||
}; | ||
|
||
|
@@ -1005,23 +1007,46 @@ impl<R: Runtime> WindowManager<R> { | |
)); | ||
} | ||
|
||
#[cfg(feature = "window-data-url")] | ||
if let Some(csp) = self.csp() { | ||
if url.scheme() == "data" { | ||
if let Ok(data_url) = data_url::DataUrl::process(url.as_str()) { | ||
let (body, _) = data_url.decode_to_vec().unwrap(); | ||
let html = String::from_utf8_lossy(&body).into_owned(); | ||
// naive way to check if it's an html | ||
if html.contains('<') && html.contains('>') { | ||
match ( | ||
url.scheme(), | ||
tauri_utils::html::extract_html_content(url.as_str()), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. we shouldn't call #[cfg(feature = "window-data-url")]
if ur.scheme() == "data" {
let html = extract_html_content();
// ...
} |
||
) { | ||
#[cfg(feature = "window-data-url")] | ||
("data", Some(html_string)) => { | ||
// There is an issue with the external DataUrl where HTML containing special characters | ||
// are not correctly processed. A workaround is to first percent encode the html string, | ||
// before it processed by DataUrl. | ||
let encoded_string = percent_encoding::utf8_percent_encode(html_string, percent_encoding::NON_ALPHANUMERIC).to_string(); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. we shouldn't encode the URL, we should expect the user has already encoded it as per https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URLs There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I found that data URLs are not encoded by default on Linux, but they are encoded by default on macOS. I haven't tried on Windows yet. I expect consistency across platforms, with no encoding. The following content will be encoded on macOS, which is not what I expected. const webview = new WebviewWindow('print', {
url: `data:text/html,<html><body>你好,世界</body></html>`,
center: true,
visible: true,
width: 300,
height: 300,
}); |
||
let url = data_url::DataUrl::process(&format!("data:text/html,{}", encoded_string)) | ||
.map_err(|_| crate::Error::InvalidWindowUrl("Failed to process data url")) | ||
.and_then(|data_url| { | ||
data_url | ||
.decode_to_vec() | ||
.map_err(|_| crate::Error::InvalidWindowUrl("Failed to decode processed data url")) | ||
}) | ||
.and_then(|(body, _)| { | ||
let html = String::from_utf8_lossy(&body).into_owned(); | ||
let mut document = tauri_utils::html::parse(html); | ||
tauri_utils::html::inject_csp(&mut document, &csp.to_string()); | ||
url.set_path(&format!("text/html,{}", document.to_string())); | ||
} | ||
} | ||
if let Some(csp) = self.csp() { | ||
tauri_utils::html::inject_csp(&mut document, &csp.to_string()); | ||
} | ||
// decode back to raw html, as the content should be fully decoded | ||
// when passing to wry / tauri-runtime-wry, which will be responsible | ||
// for handling the encoding based on the OS. | ||
let encoded_html = document.to_string(); | ||
Ok( | ||
percent_encoding::percent_decode_str(encoded_html.as_str()) | ||
.decode_utf8_lossy() | ||
.to_string(), | ||
) | ||
}) | ||
.unwrap_or(html_string.to_string()); | ||
pending.url = format!("data:text/html,{}", url); | ||
} | ||
} | ||
|
||
pending.url = url.to_string(); | ||
_ => { | ||
pending.url = url.to_string(); | ||
} | ||
}; | ||
|
||
if !pending.window_builder.has_icon() { | ||
if let Some(default_window_icon) = self.inner.default_window_icon.clone() { | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is only needed on Linux, let's revert this back