
fix: Database isn't escaped when dumped in the published HTML file

Related to #1100
Tienson Qin 4 years ago
parent
commit
2192a4945e

+ 2 - 1
src/main/frontend/components/header.cljs

@@ -178,7 +178,8 @@
        [:div.repos.hidden.md:block
         (repo/repos-dropdown true nil)]
 
-       (when (and (nfs/supported?) (empty? repos))
+       (when (and (nfs/supported?) (empty? repos)
+                  (not config/publishing?))
          [:a.text-sm.font-medium.opacity-70.hover:opacity-100.ml-3.block
           {:on-click (fn []
                        (nfs/ls-dir-files))}

+ 2 - 1
src/main/frontend/publishing.cljs

@@ -6,6 +6,7 @@
             [rum.core :as rum]
             [frontend.handler.route :as route]
             [frontend.page :as page]
+            [frontend.util :as util]
             [frontend.routes :as routes]
             [reitit.frontend :as rf]
             [reitit.frontend.easy :as rfe]
@@ -30,7 +31,7 @@
   []
   (state/set-current-repo! "local")
   (when-let [data js/window.logseq_db]
-    (let [data (js/JSON.stringify data)
+    (let [data (util/unescape-html data)
           db-conn (d/create-conn db-schema/schema)
           _ (swap! db/conns assoc "logseq-db/local" db-conn)
           db (db/string->db data)]
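Review bot: The `let` at @@ -30 now treats `js/window.logseq_db` as a string (the HTML-escaped transit text that `publishing-html` emits) where it previously accepted whatever value `JSON.stringify` could serialise, and nothing in the hunk records that contract; a comment such as `;; logseq_db is emitted by frontend.publishing.html as an HTML-escaped transit string — undo that escaping before parsing` would make the coupling explicit. Unescaping is required here because a `<script>` element is raw text, so the browser never decodes the entities itself. If any previously published HTML that embedded the raw transit value is loaded by this code, `util/unescape-html` would receive a non-string and fail in `string/replace`; whether that case exists is not visible in the hunk. The enclosing function starts outside the hunk.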

+ 2 - 1
src/main/frontend/publishing/html.cljs

@@ -1,6 +1,7 @@
 (ns frontend.publishing.html
   (:require-macros [hiccups.core])
   (:require [frontend.state :as state]
+            [frontend.util :as util]
             [hiccups.runtime]))
 
 (defn publishing-html
@@ -50,7 +51,7 @@
             {:description description}]]
           [:body
            [:div#root]
-           [:script (str "window.logseq_db=" transit-db)]
+           [:script (util/format "window.logseq_db=%s" (js/JSON.stringify (util/escape-html transit-db)))]
            [:script (str "window.logseq_state=" (js/JSON.stringify app-state))]
            [:script {:type "text/javascript"}
             "// Single Page Apps for GitHub Pages
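Review bot: The `window.logseq_state` script on the line directly below the changed one still embeds `(js/JSON.stringify app-state)` with no escaping; `JSON.stringify` does not encode `<` or `/`, so a `</script>` sequence inside the state would terminate the script element exactly as the database could before this change. If any part of `app-state` can carry user-authored text (not visible here), give it the same treatment as the database, `[:script (util/format "window.logseq_state=%s" (js/JSON.stringify (util/escape-html (js/JSON.stringify app-state))))]`, with a matching unescape on load. A short comment above both `:script` forms explaining why the payload is HTML-escaped inside a raw-text element would also help the next reader, since the escaping is otherwise surprising there.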

+ 0 - 12
src/main/frontend/security.cljs

@@ -30,15 +30,3 @@
 
 ;; Example 2:
 ;; <div style="padding: 20px; opacity: 0;height: 20px;" onmouseout="alert('Gotcha!')"></div>
-
-;; Copy from hiccup
-;; (defn escape-html
-;;   "Change special characters into HTML character entities."
-;;   [text]
-;;   (-> text
-;;       (string/replace "&"  "&amp;")
-;;       (string/replace "<"  "&lt;")
-;;       (string/replace ">"  "&gt;")
-;;       (string/replace "\"" "&quot;")
-;;       (string/replace "'" "&apos;")
-;;       (string/replace #"(?i)javascript:" "")))

+ 25 - 4
src/main/frontend/util.cljs

@@ -17,7 +17,8 @@
             [cljs-time.format :as format]
             [frontend.regex :as regex]
             [clojure.pprint :refer [pprint]]
-            [goog.userAgent]))
+            [goog.userAgent]
+            [goog.string :as gstring]))
 
 (goog-define NODETEST false)
 (defonce node-test? NODETEST)
@@ -786,12 +787,12 @@
   [block-element]
   (when block-element
     (when-let [section (some-> (rec-get-blocks-content-section block-element)
-                          (d/parent))]
+                               (d/parent))]
       (let [blocks (d/by-class section "ls-block")
             idx (when (seq blocks) (.indexOf (array-seq blocks) block-element))]
         (when (and idx section)
-         {:idx idx
-          :container (gdom/getElement section "id")})))))
+          {:idx idx
+           :container (gdom/getElement section "id")})))))
 
 (defn nth-safe [c i]
   (if (or (< i 0) (>= i (count c)))
@@ -991,6 +992,26 @@
           [another-file-name])
          (string/join "/"))))
 
+;; Copy from hiccup
+(defn escape-html
+  "Change special characters into HTML character entities."
+  [text]
+  (-> text
+      (string/replace "&"  "&amp;")
+      (string/replace "<"  "&lt;")
+      (string/replace ">"  "&gt;")
+      (string/replace "\"" "&quot;")
+      (string/replace "'" "&apos;")))
+
+(defn unescape-html
+  [text]
+  (-> text
+      (string/replace "&amp;" "&")
+      (string/replace "&lt;" "<")
+      (string/replace "&gt;" ">")
+      (string/replace "&quot;" "\"")
+      (string/replace "&apos;" "'")))
+
 (comment
   (= (get-relative-path "journals/2020_11_18.org" "pages/grant_ideas.org")
      "../pages/grant_ideas.org")
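Review bot: `unescape-html` in the hunk at @@ -991 is not the inverse of `escape-html`: it replaces `&amp;` first, so text that originally contained an entity-like sequence such as `&lt;` is escaped to `&amp;lt;` and then decoded twice on load, to `<`, silently corrupting the published database. Mirror the escape order by applying the ampersand replacement last, i.e. move `(string/replace "&amp;" "&")` to the end of the threading form. A docstring on `unescape-html` stating that it must exactly invert `escape-html` (and that, unlike the hiccup copy deleted from security.cljs, neither function strips `javascript:` because this is a reversible encoding, not a sanitiser) would document the contract. The `goog.string` alias added in the @@ -17 hunk is not used by the new functions; if nothing else in the file uses it, it can be dropped.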