25.02.1 release candidate

Hi all,

I’d appreciate it if you could give this security fix a quick test. If it doesn’t introduce significant regressions, I hope to release it tomorrow.

10 Likes

FYI:
@llama found something and opened a PR:

2 Likes

I’ve uploaded a new build to the same location that includes the fix above, and marked it as stable.

2 Likes

After updating to 25.02.1, any <a onclick="…"> inside the static card‑template HTML no longer fires, even though the release notes only mention stripping onclick from field content.

Is this an intentional security change or a regression? If intentional, what’s the supported way to attach click handlers from the template—addEventListener in a <script> after render, or something else?

<a onclick='alert(1)'> works for me inside a card template. The change in 25.02.1 should only affect JS references inside individual fields in the editor. Please break the problem you’re having into a minimum reproducible example, and I’ll look into it.

Hi Dae,

Figured it out—onclick itself was never the problem.

The click was being swallowed because the link had target="_blank".

In 25.02.1 the set_open_links_externally(true) code now intercepts every _blank click in the capture phase and calls preventDefault()/stopPropagation(), so my inline onclick never had a chance to run.

Removing _blank (or opening the window manually inside the handler), or moving the handler to addEventListener('click', …, true) fixes it. So no regression on your side—just my template colliding with the new security hook.

Thanks for the quick help.

1 Like

I am getting this message now. What has happened? My collection is already huge and will continue to get bigger. I cannot split it up because I have to review all of my cards. How do I reverse this? Now I cannot sync anymore and this has stopped my workflow…

Are there limits on file sizes on AnkiWeb?

Damn. I have exported a large deck of mine which I do not use at all. It has freed up space, but eventually I will be having this problem again in the future, as I am reviewing all of my collection as a whole.

I take it I can still use my collection, but without syncing it would be in danger of data loss?

What if I wanted to use Anki where I left off on a new device? Or if I wanted to back up my Anki?

Is there something I could tweak here?

Now every time I try to sync, it shows me this message

I press upload to Ankiweb, it syncs. The next time I close Anki, it shows me this message again.

There is the option of deleting revlogs of cards that Anki stores or deleting whole cards. Nothing you can do with the setting.

If you’re comfortable with a custom sync server, maybe it’s worth checking that out too. (I suggest we continue this in a different thread if you want to).

2 Likes

The Note Size add-on can help you identify huge notes and reduce collection size.

I have moved this discussion over to this topic now

2 Likes

It would be nice if instead of simply stripping unsafe attributes from html tags the update would transfer their values to something innocuous, for example:
onclick="somefunction()" → data-onclick="somefunction()"
part="..." → data-part="..."
Especially since the sanitization happens silently, with no immediate indication. The suggested modification will still prevent things relying on the old attributes from working (as expected from a security update) but at least all information will be preserved and potentially salvageable.

As an example use case, I relied on this addon to make cross-references between cards:
https://github.com/Arthur-Milchior/anki-link-to-open-browser
What’s important is that it stores nid of a card being referenced as a function argument inside onclick. Were I not to notice the change in time and revert to the previous Anki version, this update would wipe the key information about almost 100k links, that were manually created one by one over the years, without any warning and with no easy way of restoring it.

5 Likes
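As an added illustration of the rename-instead-of-strip idea in the post above (example code written for this thread, not Anki's field sanitizer and not the add-on's code): a small HTML rewriter that moves on* handler and part attribute values into inert data-* attributes and records what it changed, so the information stays recoverable instead of vanishing silently. The open_browser function name and the nid in the sample link are constructed placeholders.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: on* handlers and "part" are the attributes the post names.
def _rename(attr):
    """Inert data-* name for an attribute the sanitizer would strip, else None."""
    name = attr.lower()
    return "data-" + name if name.startswith("on") or name == "part" else None

class PreservingSanitizer(HTMLParser):
    """Re-serialises HTML, renaming unsafe attributes instead of dropping them."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. verbatim
        self.out = []
        self.renamed = []  # (tag, old_name, new_name): the change is not silent

    def _attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:
            new = _rename(name)
            if new:
                self.renamed.append((tag, name, new))
                name = new
            # HTMLParser unescaped the value; re-escape it so output stays well-formed.
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return " " + " ".join(parts) if parts else ""

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")
    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}/>")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def sanitize_preserving(html):
    # Returns (rewritten_html, renames) for one field's HTML.
    p = PreservingSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.renamed

# Constructed sample: open_browser and the nid are placeholders, not the add-on's real names/values.
SAMPLE = '<a href="#" onclick="open_browser(1234567890123)">ref</a>'
```

The renames list is what a migration could log or show to the user, and the original value can be read back from the data-* attribute later.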

It looks like the new field sanitizer is stripping links that don’t start with http:// or https://? This breaks custom protocol links used to open local files in other software.

For example:

<a href="zotero://select/library/items/RGIKTJSR">Open Zotero</a>

is automatically converted to:

<a>Open Zotero</a>

4 Likes