fix: escape modes improve character removal logic #14

LonoxX · LonoxX · commit 3096c923a115 · 2025-09-19T17:20:23.000+02:00
diff --git a/src/settings-tab.ts b/src/settings-tab.ts
@@ -285,11 +285,11 @@ export class GitHubTrackerSettingTab extends PluginSettingTab {
 					)
 					.addOption(
 						"strict",
-						"Strict - Only alphanumeric characters and links will be allowed",
+						"Strict - Remove potentially dangerous characters",
 					)
 					.addOption(
 						"veryStrict",
-						"Very strict - Only alphanumeric characters, and punctuation",
+						"Very strict - Remove many special characters",
 					)
 					.setValue(this.plugin.settings.escapeMode)
 					.onChange(async (value) => {
diff --git a/src/util/escapeUtils.ts b/src/util/escapeUtils.ts
@@ -1,9 +1,15 @@
 /**
  * Utility function for escaping content in different modes
  * @param unsafe The string to escape
- * @param mode The escaping mode: "disabled", "normal", or "strict"
+ * @param mode The escaping mode: "disabled", "normal", "strict", or "veryStrict"
  * @returns The escaped string
  * @throws Error if input is null or undefined
+ *
+ * Modes:
+ * - disabled: No escaping applied
+ * - normal: Basic escaping for Templater and Dataview compatibility
+ * - strict: Remove potentially dangerous HTML/JS characters (preserves Unicode)
+ * - veryStrict: Remove more special characters (preserves Unicode but more restrictive)
  */
 export function escapeBody(
 	unsafe: string,
@@ -18,15 +24,19 @@ export function escapeBody(
 	}
 
 	if (mode === "strict") {
-		// Allow alphanumeric, whitespace, common punctuation, and URL/Markdown specific characters
+		// Allow Unicode characters, whitespace, common punctuation, and URL/Markdown specific characters
+		// Remove potentially dangerous characters while preserving Chinese and other Unicode characters
 		return unsafe
-			.replace(/[^a-zA-Z0-9\s.,()\[\]*+\-:"#!'?&|*>~^\/:?=&%#_]/g, "")
-			.replace(/---/g, "- - -");
+			.replace(/[<>{}$`\\]/g, "")  // Remove potentially dangerous HTML/JS/template characters
+			.replace(/---/g, "- - -");  // Escape YAML frontmatter separators
 	}
 
 	if (mode === "veryStrict") {
-		// Allow alphanumeric, whitespace, basic punctuation, and essential URL/Markdown image characters
-		return unsafe.replace(/[^a-zA-Z0-9\s.,?!\[\]():\/.\-]/g, "");
+		// Allow Unicode characters, whitespace, basic punctuation, and essential URL/Markdown characters
+		// More restrictive than strict mode but still preserves Chinese and other Unicode characters
+		return unsafe
+			.replace(/[<>{}$`\\"'|&*~^]/g, "")  // Remove more potentially dangerous characters
+			.replace(/---/g, "- - -");  // Escape YAML frontmatter separators
 	}
 
 	// normal mode

Original file line number	Diff line number	Diff line change
`@@ -285,11 +285,11 @@ export class GitHubTrackerSettingTab extends PluginSettingTab {`
`285`	`285`	`)`
`286`	`286`	`.addOption(`
`287`	`287`	`"strict",`
`288`		`- "Strict - Only alphanumeric characters and links will be allowed",`
	`288`	`+ "Strict - Remove potentially dangerous characters",`
`289`	`289`	`)`
`290`	`290`	`.addOption(`
`291`	`291`	`"veryStrict",`
`292`		`- "Very strict - Only alphanumeric characters, and punctuation",`
	`292`	`+ "Very strict - Remove many special characters",`
`293`	`293`	`)`
`294`	`294`	`.setValue(this.plugin.settings.escapeMode)`
`295`	`295`	`.onChange(async (value) => {`