yoinkkk/ExcaliDash
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix: Save complete app state (#40)

Browse Source 
* pass rest of appState in put request

* fix: support both legacy and current currentItemRoundness formats

Add union type to accept both the old object format {type, value} and
the new enum format for backwards compatibility with existing drawings.

---------

Co-authored-by: Zimeng Xiong <zxzimeng@gmail.com>
This commit is contained in:
Sushil Kumar
2026-01-20 23:32:03 +05:30
committed by Zimeng Xiong
parent 08d1479a01
commit 77c22916a8
2 changed files with 27 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/src/security.ts
+23 -9
View File
@@ -30,7 +30,9 @@ let activeConfig: SecurityConfig = { ...defaultConfig };
* Configure security settings * Configure security settings
* @param config Partial configuration to merge with defaults * @param config Partial configuration to merge with defaults
*/ */
export const configureSecuritySettings = (config: Partial<SecurityConfig>): void => { export const configureSecuritySettings = (
config: Partial<SecurityConfig>
): void => {
activeConfig = { ...activeConfig, ...config }; activeConfig = { ...activeConfig, ...config };
}; };
@@ -318,10 +320,13 @@ export const appStateSchema = z
.optional() .optional()
.nullable(), .nullable(),
currentItemRoundness: z currentItemRoundness: z
.object({ .union([
z.enum(["sharp", "round"]),
z.object({
type: z.enum(["round", "sharp"]), type: z.enum(["round", "sharp"]),
value: z.number().finite().min(0).max(1), value: z.number().finite().min(0).max(1),
}) }),
])
.optional() .optional()
.nullable(), .nullable(),
currentItemFontSize: z currentItemFontSize: z
@@ -427,10 +432,19 @@ export const sanitizeDrawingData = (data: {
]; ];
// Dangerous URL protocols to block entirely // Dangerous URL protocols to block entirely
const dangerousProtocols = [/^javascript:/i, /^vbscript:/i, /^data:text\/html/i]; const dangerousProtocols = [
/^javascript:/i,
/^vbscript:/i,
/^data:text\/html/i,
];
// Suspicious patterns for security validation within data URLs // Suspicious patterns for security validation within data URLs
const suspiciousPatterns = [/<script/i, /javascript:/i, /on\w+\s*=/i, /<iframe/i]; const suspiciousPatterns = [
/<script/i,
/javascript:/i,
/on\w+\s*=/i,
/<iframe/i,
];
// Maximum size for dataURL (configurable, default 10MB to prevent DoS) // Maximum size for dataURL (configurable, default 10MB to prevent DoS)
const MAX_DATAURL_SIZE = activeConfig.maxDataUrlSize; const MAX_DATAURL_SIZE = activeConfig.maxDataUrlSize;
@@ -448,8 +462,8 @@ export const sanitizeDrawingData = (data: {
const normalizedValue = value.toLowerCase(); const normalizedValue = value.toLowerCase();
// First, check for dangerous protocols - block these entirely // First, check for dangerous protocols - block these entirely
const hasDangerousProtocol = dangerousProtocols.some((pattern) => const hasDangerousProtocol = dangerousProtocols.some(
pattern.test(value) (pattern) => pattern.test(value)
); );
if (hasDangerousProtocol) { if (hasDangerousProtocol) {
@@ -465,8 +479,8 @@ export const sanitizeDrawingData = (data: {
if (isSafeImageType) { if (isSafeImageType) {
// Check for suspicious content and size limits // Check for suspicious content and size limits
const hasSuspiciousContent = suspiciousPatterns.some((pattern) => const hasSuspiciousContent = suspiciousPatterns.some(
pattern.test(value) (pattern) => pattern.test(value)
); );
const isTooLarge = value.length > MAX_DATAURL_SIZE; const isTooLarge = value.length > MAX_DATAURL_SIZE;
frontend/src/pages/Editor.tsx
+1
View File
@@ -301,6 +301,7 @@ export const Editor: React.FC = () => {
try { try {
const persistableAppState = { const persistableAppState = {
...appState,
viewBackgroundColor: appState?.viewBackgroundColor || '#ffffff', viewBackgroundColor: appState?.viewBackgroundColor || '#ffffff',
gridSize: appState?.gridSize || null, gridSize: appState?.gridSize || null,
}; };