make html support html

Author: lei9444

src/common/FilePreviewCommon/MarkdownHelper.cs

@@ -39,7 +39,7 @@ public static string MarkdownHtml(string fileContent, string theme, string fileP
             var softlineBreak = new Markdig.Extensions.Hardlines.SoftlineBreakAsHardlineExtension();
 
             MarkdownPipelineBuilder pipelineBuilder;
-            pipelineBuilder = new MarkdownPipelineBuilder().UseAdvancedExtensions().UseEmojiAndSmiley().UseYamlFrontMatter().UseMathematics().DisableHtml();
+            pipelineBuilder = new MarkdownPipelineBuilder().UseAdvancedExtensions().UseEmojiAndSmiley().UseYamlFrontMatter().UseMathematics();
             pipelineBuilder.Extensions.Add(extension);
             pipelineBuilder.Extensions.Add(softlineBreak);
 

src/modules/peek/Peek.FilePreviewer/Controls/BrowserControl.xaml.cs

@@ -34,6 +34,11 @@ public sealed partial class BrowserControl : Microsoft.UI.Xaml.Controls.UserCont
 
         private Color? _originalBackgroundColor;
 
+        /// <summary>
+        /// URI of the current source being previewed (for resource filtering)
+        /// </summary>
+        private Uri? _currentSourceUri;
+
         public delegate void NavigationCompletedHandler(WebView2? sender, CoreWebView2NavigationCompletedEventArgs? args);
 
         public delegate void DOMContentLoadedHandler(CoreWebView2? sender, CoreWebView2DOMContentLoadedEventArgs? args);
@@ -97,6 +102,7 @@ public BrowserControl()
         {
             this.InitializeComponent();
             Environment.SetEnvironmentVariable("WEBVIEW2_USER_DATA_FOLDER", TempFolderPath.Path, EnvironmentVariableTarget.Process);
+            Environment.SetEnvironmentVariable("WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS", "--block-new-web-contents", EnvironmentVariableTarget.Process);
         }
 
         public void Dispose()
@@ -105,6 +111,7 @@ public void Dispose()
             {
                 PreviewBrowser.CoreWebView2.DOMContentLoaded -= CoreWebView2_DOMContentLoaded;
                 PreviewBrowser.CoreWebView2.ContextMenuRequested -= CoreWebView2_ContextMenuRequested;
+                RemoveResourceFilter();
             }
         }
 
@@ -123,6 +130,14 @@ public void Navigate()
             {
                 /* CoreWebView2.Navigate() will always trigger a navigation even if the content/URI is the same.
                  * Use WebView2.Source to avoid re-navigating to the same content. */
+                _currentSourceUri = Source;
+
+                // Only apply resource filter for non-dev files
+                if (!IsDevFilePreview)
+                {
+                    ApplyResourceFilter();
+                }
+
                 PreviewBrowser.CoreWebView2.Navigate(Source.ToString());
             }
         }
@@ -146,10 +161,14 @@ private void OnIsDevFilePreviewChanged()
                 if (IsDevFilePreview)
                 {
                     PreviewBrowser.CoreWebView2.SetVirtualHostNameToFolderMapping(Microsoft.PowerToys.FilePreviewCommon.MonacoHelper.VirtualHostName, Microsoft.PowerToys.FilePreviewCommon.MonacoHelper.MonacoDirectory, CoreWebView2HostResourceAccessKind.Allow);
+
+                    // Remove resource filter for dev files (Monaco needs to load resources)
+                    RemoveResourceFilter();
                 }
                 else
                 {
                     PreviewBrowser.CoreWebView2.ClearVirtualHostNameToFolderMapping(Microsoft.PowerToys.FilePreviewCommon.MonacoHelper.VirtualHostName);
+                    ApplyResourceFilter();
                 }
             }
         }
@@ -283,6 +302,34 @@ private void CoreWebView2_ContextMenuRequested(CoreWebView2 sender, CoreWebView2
             }
         }
 
+        /// <summary>
+        /// Applies strict resource filtering for non-dev files to block external resources.
+        /// This prevents XSS attacks and unwanted external content loading.
+        /// </summary>
+        private void ApplyResourceFilter()
+        {
+            // Remove existing handler to prevent duplicate subscriptions
+            RemoveResourceFilter();
+
+            // Add filter and subscribe to resource requests
+            PreviewBrowser.CoreWebView2.AddWebResourceRequestedFilter("*", CoreWebView2WebResourceContext.All);
+            PreviewBrowser.CoreWebView2.WebResourceRequested += CoreWebView2_WebResourceRequested;
+        }
+
+        private void RemoveResourceFilter()
+        {
+            PreviewBrowser.CoreWebView2.WebResourceRequested -= CoreWebView2_WebResourceRequested;
+        }
+
+        private void CoreWebView2_WebResourceRequested(CoreWebView2 sender, CoreWebView2WebResourceRequestedEventArgs args)
+        {
+            // Only allow loading the specified source file. Block all other resources for security.
+            if (_currentSourceUri != null && new Uri(args.Request.Uri) != _currentSourceUri)
+            {
+                args.Response = PreviewBrowser.CoreWebView2.Environment.CreateWebResourceResponse(null, 403, "Forbidden", null);
+            }
+        }
+
         private void CoreWebView2_DOMContentLoaded(CoreWebView2 sender, CoreWebView2DOMContentLoadedEventArgs args)
         {
             // If the file being previewed is HTML or HTM, reset the background color to its original state.

src/modules/peek/Peek.FilePreviewer/Previewers/WebBrowserPreviewer/WebBrowserPreviewer.cs

@@ -113,38 +113,41 @@ public Task<bool> LoadDisplayInfoAsync(CancellationToken cancellationToken)
 
                 await Dispatcher.RunOnUiThread(async () =>
                 {
-                    bool isHtml = File.Extension == ".html" || File.Extension == ".htm";
-                    bool isMarkdown = File.Extension == ".md";
-                    bool isSvg = File.Extension == ".svg";
+                    string extension = File.Extension;
 
-                    bool supportedByMonaco = MonacoHelper.SupportedMonacoFileTypes.Contains(File.Extension);
-                    bool useMonaco = supportedByMonaco && !isHtml && !isMarkdown && !isSvg;
+                    // Default: non-dev file preview with standard context menu
+                    IsDevFilePreview = false;
+                    CustomContextMenu = false;
 
-                    IsDevFilePreview = supportedByMonaco;
-                    CustomContextMenu = useMonaco;
-
-                    if (useMonaco)
-                    {
-                        var raw = await ReadHelper.Read(File.Path.ToString());
-                        Preview = new Uri(MonacoHelper.PreviewTempFile(raw, File.Extension, TempFolderPath.Path, _previewSettings.SourceCodeTryFormat, _previewSettings.SourceCodeWrapText, _previewSettings.SourceCodeStickyScroll, _previewSettings.SourceCodeFontSize, _previewSettings.SourceCodeMinimap));
-                    }
-                    else if (isMarkdown)
+                    // Determine preview strategy based on file type priority
+                    if (extension == ".md")
                     {
-                        IsDevFilePreview = false;
+                        // Markdown files use custom renderer
                         var raw = await ReadHelper.Read(File.Path.ToString());
                         Preview = new Uri(MarkdownHelper.PreviewTempFile(raw, File.Path, TempFolderPath.Path));
                     }
-                    else if (isSvg)
+                    else if (extension == ".svg")
                     {
                         // SVG files are rendered directly by WebView2 for better compatibility
                         // with complex SVGs from Adobe Illustrator, Inkscape, etc.
-                        IsDevFilePreview = false;
                         Preview = new Uri(File.Path);
                     }
-                    else
+                    else if (extension == ".html" || extension == ".htm")
                     {
                         // Simple html file to preview. Shouldn't do things like enabling scripts or using a virtual mapped directory.
-                        IsDevFilePreview = false;
+                        Preview = new Uri(File.Path);
+                    }
+                    else if (MonacoHelper.SupportedMonacoFileTypes.Contains(extension))
+                    {
+                        // Source code files use Monaco editor
+                        IsDevFilePreview = true;
+                        CustomContextMenu = true;
+                        var raw = await ReadHelper.Read(File.Path.ToString());
+                        Preview = new Uri(MonacoHelper.PreviewTempFile(raw, extension, TempFolderPath.Path, _previewSettings.SourceCodeTryFormat, _previewSettings.SourceCodeWrapText, _previewSettings.SourceCodeStickyScroll, _previewSettings.SourceCodeFontSize, _previewSettings.SourceCodeMinimap));
+                    }
+                    else
+                    {
+                        // Fallback for other supported file types (e.g., PDF)
                         Preview = new Uri(File.Path);
                     }
                 });