Wissensdatenbank: Markdown, FTS5-Suche, Sanitizing, UX

- Markdown-Rendering fuer Notizen (fett, kursiv, Ueberschriften, Listen, Code, Links) - HTML-Sanitizing im Frontend und Backend (XSS-Schutz) - FTS5 Volltextindex fuer schnelle Suche mit Ranking - Kategorie-Loeschung zeigt Anzahl betroffener Eintraege Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 19:38:43 +01:00
Commit 48c917eb28
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,6 +1,16 @@
 TASKMATE - CHANGELOG
 ====================

+================================================================================
+19.03.2026 - v392 - Wissensdatenbank: Markdown, Volltextsuche, Sanitizing
+
+WISSENSDATENBANK:
+- Markdown-Rendering fuer Notizen (fett, kursiv, Ueberschriften, Listen, Links, Code-Bloecke)
+- HTML-Sanitizing im Frontend und Backend (script/iframe/on*-Attribute entfernt)
+- FTS5 Volltextindex fuer schnellere Suche mit Fallback auf LIKE
+- Kategorie-Loeschung zeigt jetzt Eintragsanzahl im Bestaetigungsdialog
+- CSS-Styles fuer gerenderte Markdown-Elemente in Notizen
+
 ================================================================================
 19.03.2026 - v391 - Sicherheitshärtung und toter Code bereinigt

--- a/backend/database.js
+++ b/backend/database.js
@@ -552,6 +552,43 @@ function createTables() {
    )
  `);

+  // Wissensmanagement - FTS5 Volltextsuche
+  try {
+    db.exec(`
+      CREATE VIRTUAL TABLE IF NOT EXISTS knowledge_fts USING fts5(
+        title, notes, content=knowledge_entries, content_rowid=id
+      )
+    `);
+
+    // Trigger: INSERT synchronisieren
+    db.exec(`
+      CREATE TRIGGER IF NOT EXISTS knowledge_fts_insert AFTER INSERT ON knowledge_entries BEGIN
+        INSERT INTO knowledge_fts(rowid, title, notes) VALUES (NEW.id, NEW.title, NEW.notes);
+      END
+    `);
+
+    // Trigger: DELETE synchronisieren
+    db.exec(`
+      CREATE TRIGGER IF NOT EXISTS knowledge_fts_delete AFTER DELETE ON knowledge_entries BEGIN
+        INSERT INTO knowledge_fts(knowledge_fts, rowid, title, notes) VALUES('delete', OLD.id, OLD.title, OLD.notes);
+      END
+    `);
+
+    // Trigger: UPDATE synchronisieren
+    db.exec(`
+      CREATE TRIGGER IF NOT EXISTS knowledge_fts_update AFTER UPDATE ON knowledge_entries BEGIN
+        INSERT INTO knowledge_fts(knowledge_fts, rowid, title, notes) VALUES('delete', OLD.id, OLD.title, OLD.notes);
+        INSERT INTO knowledge_fts(rowid, title, notes) VALUES (NEW.id, NEW.title, NEW.notes);
+      END
+    `);
+
+    // Initiales Befuellen der FTS-Tabelle
+    db.exec(`INSERT INTO knowledge_fts(knowledge_fts) VALUES('rebuild')`);
+    logger.info('Knowledge FTS5 Volltextindex erstellt/aktualisiert');
+  } catch (ftsError) {
+    logger.warn('FTS5 konnte nicht erstellt werden (evtl. nicht unterstuetzt):', ftsError.message);
+  }
+
  // Wissensmanagement - Anhänge
  db.exec(`
    CREATE TABLE IF NOT EXISTS knowledge_attachments (
--- a/backend/routes/knowledge.js
+++ b/backend/routes/knowledge.js
@@ -14,6 +14,23 @@ const logger = require('../utils/logger');
 const { validators, stripHtml } = require('../middleware/validation');
 const notificationService = require('../services/notificationService');

+/**
+ * Sanitize Notes - entfernt gefaehrliche Tags/Attribute, laesst Markdown durch
+ */
+function sanitizeNotes(text) {
+  if (!text) return text;
+  // Entferne script, iframe, object, embed, form, style Tags inkl. Inhalt
+  let clean = text.replace(/<\s*(script|iframe|object|embed|form|style|link|meta|base)\b[^>]*>[\s\S]*?<\s*\/\s*\1\s*>/gi, '');
+  // Entferne selbstschliessende gefaehrliche Tags
+  clean = clean.replace(/<\s*(script|iframe|object|embed|form|style|link|meta|base)\b[^>]*\/?>/gi, '');
+  // Entferne on*-Event-Attribute
+  clean = clean.replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '');
+  // Entferne javascript: URLs
+  clean = clean.replace(/href\s*=\s*(?:"javascript:[^"]*"|'javascript:[^']*')/gi, 'href="#"');
+  clean = clean.replace(/src\s*=\s*(?:"javascript:[^"]*"|'javascript:[^']*')/gi, 'src=""');
+  return clean;
+}
+
 // Upload-Konfiguration für Knowledge-Anhänge
 const UPLOAD_DIR = path.join(__dirname, '..', 'uploads', 'knowledge');

@@ -489,7 +506,7 @@ router.post('/entries', (req, res) => {
      categoryId,
      stripHtml(title),
      url || null,
-      notes || null,
+      notes ? sanitizeNotes(notes) : null,
      0, // Neue Einträge immer an Position 0 (oben)
      req.user.id
    );
@@ -614,7 +631,7 @@ router.put('/entries/:id', (req, res) => {
      categoryId || null,
      title ? stripHtml(title) : null,
      url !== undefined ? url : existing.url,
-      notes !== undefined ? notes : existing.notes,
+      notes !== undefined ? (notes ? sanitizeNotes(notes) : notes) : existing.notes,
      entryId
    );

@@ -936,7 +953,7 @@ router.get('/search', (req, res) => {
    const searchTerm = `%${q.toLowerCase()}%`;
    const db = getDb();

-    // Kategorien durchsuchen
+    // Kategorien durchsuchen (kein FTS noetig - wenige Datensaetze)
    const categories = db.prepare(`
      SELECT kc.*,
        (SELECT COUNT(*) FROM knowledge_entries WHERE category_id = kc.id) as entry_count
@@ -945,8 +962,27 @@ router.get('/search', (req, res) => {
      ORDER BY kc.position
    `).all(searchTerm, searchTerm);

-    // Einträge durchsuchen
-    const entries = db.prepare(`
+    // Eintraege durchsuchen - FTS5 mit Fallback auf LIKE
+    let entries;
+    try {
+      // FTS5 Suche: Sonderzeichen escapen und Prefix-Suche
+      const ftsQuery = q.trim().replace(/['"*()]/g, '').split(/\s+/).map(t => `"${t}"*`).join(' ');
+      entries = db.prepare(`
+        SELECT ke.*,
+          kc.name as category_name,
+          kc.color as category_color,
+          (SELECT COUNT(*) FROM knowledge_attachments WHERE entry_id = ke.id) as attachment_count
+        FROM knowledge_fts fts
+        JOIN knowledge_entries ke ON ke.id = fts.rowid
+        LEFT JOIN knowledge_categories kc ON ke.category_id = kc.id
+        WHERE knowledge_fts MATCH ?
+        ORDER BY rank
+        LIMIT 50
+      `).all(ftsQuery);
+    } catch (ftsError) {
+      // Fallback auf LIKE wenn FTS nicht verfuegbar
+      logger.warn('FTS5-Suche fehlgeschlagen, Fallback auf LIKE:', ftsError.message);
+      entries = db.prepare(`
        SELECT ke.*,
          kc.name as category_name,
          kc.color as category_color,
@@ -962,6 +998,7 @@ router.get('/search', (req, res) => {
          ke.created_at DESC
        LIMIT 50
      `).all(searchTerm, searchTerm, searchTerm, searchTerm);
+    }

    res.json({
      categories: categories.map(c => ({
--- a/frontend/css/knowledge.css
+++ b/frontend/css/knowledge.css
@@ -441,6 +441,84 @@
  white-space: pre-wrap;
 }

+/* Markdown Styles in Notizen */
+.knowledge-entry-notes h1 {
+  font-size: 1.2rem;
+  font-weight: 700;
+  color: var(--text-primary);
+  margin: 0.5rem 0 0.25rem 0;
+}
+
+.knowledge-entry-notes h2 {
+  font-size: 1.1rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin: 0.5rem 0 0.25rem 0;
+}
+
+.knowledge-entry-notes h3 {
+  font-size: 1rem;
+  font-weight: 600;
+  color: var(--text-primary);
+  margin: 0.4rem 0 0.2rem 0;
+}
+
+.knowledge-entry-notes code {
+  background: var(--bg-tertiary);
+  padding: 2px 6px;
+  border-radius: var(--radius-sm);
+  font-family: 'Courier New', monospace;
+  font-size: 0.85em;
+}
+
+.knowledge-entry-notes pre {
+  background: var(--bg-tertiary);
+  padding: var(--spacing-sm) var(--spacing-md);
+  border-radius: var(--radius-md);
+  overflow-x: auto;
+  margin: 0.5rem 0;
+}
+
+.knowledge-entry-notes pre code {
+  background: transparent;
+  padding: 0;
+  border-radius: 0;
+  font-size: 0.85rem;
+  line-height: 1.5;
+}
+
+.knowledge-entry-notes ul,
+.knowledge-entry-notes ol {
+  padding-left: 1.5rem;
+  margin: 0.25rem 0;
+}
+
+.knowledge-entry-notes li {
+  margin: 0.15rem 0;
+}
+
+.knowledge-entry-notes a {
+  color: var(--primary);
+  text-decoration: underline;
+}
+
+.knowledge-entry-notes a:hover {
+  opacity: 0.8;
+}
+
+.knowledge-entry-notes strong {
+  font-weight: 700;
+  color: var(--text-primary);
+}
+
+.knowledge-entry-notes em {
+  font-style: italic;
+}
+
+.knowledge-entry-notes p {
+  margin: 0.25rem 0;
+}
+
 .knowledge-entry-attachments-info {
  display: flex;
  align-items: center;
--- a/frontend/js/knowledge.js
+++ b/frontend/js/knowledge.js
@@ -348,7 +348,7 @@ class KnowledgeManager {
            </a>
          ` : ''}
          ${hasNotes ? `
-            <div class="knowledge-entry-notes">${this.escapeHtml(entry.notes)}</div>
+            <div class="knowledge-entry-notes">${this.renderMarkdown(this.sanitizeHtml(entry.notes))}</div>
          ` : ''}
          ${hasAttachments ? `
            <div class="knowledge-entry-attachments-info">
@@ -937,7 +937,11 @@ class KnowledgeManager {
    const category = this.categories.find(c => c.id === categoryId);
    if (!category) return;

-    const confirmDelete = confirm(`Kategorie "${category.name}" und alle Einträge wirklich löschen?`);
+    const count = category.entryCount || 0;
+    const msg = count > 0
+      ? `Kategorie "${category.name}" mit ${count} Einträgen löschen? Dies kann nicht rückgängig gemacht werden.`
+      : `Kategorie "${category.name}" löschen? Dies kann nicht rückgängig gemacht werden.`;
+    const confirmDelete = confirm(msg);
    if (!confirmDelete) return;

    try {
@@ -1239,6 +1243,94 @@ class KnowledgeManager {
    }
  }

+  // ==========================================
+  // MARKDOWN RENDERING
+  // ==========================================
+
+  /**
+   * Sanitize HTML - entfernt gefaehrliche Tags und Attribute
+   * Muss VOR renderMarkdown aufgerufen werden
+   */
+  sanitizeHtml(html) {
+    if (!html) return '';
+    // Entferne script, iframe, object, embed, form, style Tags
+    let clean = html.replace(/<\s*(script|iframe|object|embed|form|style|link|meta|base)\b[^>]*>[\s\S]*?<\s*\/\s*\1\s*>/gi, '');
+    // Entferne selbstschliessende gefaehrliche Tags
+    clean = clean.replace(/<\s*(script|iframe|object|embed|form|style|link|meta|base)\b[^>]*\/?>/gi, '');
+    // Entferne on*-Event-Attribute (onclick, onerror, onload etc.)
+    clean = clean.replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '');
+    // Entferne javascript: URLs
+    clean = clean.replace(/href\s*=\s*(?:"javascript:[^"]*"|'javascript:[^']*')/gi, 'href="#"');
+    clean = clean.replace(/src\s*=\s*(?:"javascript:[^"]*"|'javascript:[^']*')/gi, 'src=""');
+    return clean;
+  }
+
+  /**
+   * Einfacher Markdown-Renderer
+   * Unterstuetzt: fett, kursiv, Ueberschriften, Listen, Links, Code, Zeilenumbrueche
+   */
+  renderMarkdown(text) {
+    if (!text) return '';
+
+    // Zuerst HTML-Entities escapen fuer Sicherheit
+    let html = text
+      .replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;');
+
+    // Code-Bloecke (dreifache Backticks) - vor anderen Regeln
+    html = html.replace(/```(\w*)\n?([\s\S]*?)```/g, (match, lang, code) => {
+      return `<pre><code>${code.trim()}</code></pre>`;
+    });
+
+    // Inline-Code (einfache Backticks)
+    html = html.replace(/`([^`\n]+)`/g, '<code>$1</code>');
+
+    // Ueberschriften (# bis ###)
+    html = html.replace(/^### (.+)$/gm, '<h3>$1</h3>');
+    html = html.replace(/^## (.+)$/gm, '<h2>$1</h2>');
+    html = html.replace(/^# (.+)$/gm, '<h1>$1</h1>');
+
+    // Fett (**text** oder __text__)
+    html = html.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>');
+    html = html.replace(/__(.+?)__/g, '<strong>$1</strong>');
+
+    // Kursiv (*text* oder _text_)
+    html = html.replace(/(?<!\w)\*([^*\n]+)\*(?!\w)/g, '<em>$1</em>');
+    html = html.replace(/(?<!\w)_([^_\n]+)_(?!\w)/g, '<em>$1</em>');
+
+    // Links [text](url)
+    html = html.replace(/\[([^\]]+)\]\(([^)]+)\)/g, '<a href="$2" target="_blank" rel="noopener noreferrer">$1</a>');
+
+    // Ungeordnete Listen (- oder * am Zeilenanfang)
+    html = html.replace(/^(?:- |\* )(.+)$/gm, '<li>$1</li>');
+    html = html.replace(/((?:<li>.*<\/li>\n?)+)/g, '<ul>$1</ul>');
+
+    // Geordnete Listen (1. am Zeilenanfang)
+    html = html.replace(/^\d+\. (.+)$/gm, '<oli>$1</oli>');
+    html = html.replace(/((?:<oli>.*<\/oli>\n?)+)/g, (match) => {
+      return '<ol>' + match.replace(/<\/?oli>/g, (tag) => tag.replace('oli', 'li')) + '</ol>';
+    });
+
+    // Leere Zeilen als Absatz-Trennung
+    html = html.replace(/\n\n+/g, '</p><p>');
+
+    // Einfache Zeilenumbrueche (ausser in pre/code und nach Block-Elementen)
+    html = html.replace(/(?<!<\/h[123]>|<\/li>|<\/ul>|<\/ol>|<\/pre>|<\/p>|<p>)\n(?!<h[123]|<li>|<ul>|<ol>|<pre>|<\/p>|<p>)/g, '<br>');
+
+    // In Absatz einwickeln
+    html = '<p>' + html + '</p>';
+
+    // Leere Absaetze entfernen
+    html = html.replace(/<p>\s*<\/p>/g, '');
+
+    // Block-Elemente nicht in <p> einwickeln
+    html = html.replace(/<p>\s*(<(?:h[123]|ul|ol|pre|blockquote)[\s>])/g, '$1');
+    html = html.replace(/(<\/(?:h[123]|ul|ol|pre|blockquote)>)\s*<\/p>/g, '$1');
+
+    return html;
+  }
+
  // ==========================================
  // UTILITIES
  // ==========================================
--- a/frontend/sw.js
+++ b/frontend/sw.js
@@ -4,7 +4,7 @@
 * Offline support and caching
 */

-const CACHE_VERSION = '391';
+const CACHE_VERSION = '392';
 const CACHE_NAME = 'taskmate-v' + CACHE_VERSION;
 const STATIC_CACHE_NAME = 'taskmate-static-v' + CACHE_VERSION;
 const DYNAMIC_CACHE_NAME = 'taskmate-dynamic-v' + CACHE_VERSION;