feat(File Explorer): Add configurable local image rendering to Markdown previewer#47857
Open
st-gr wants to merge 1 commit into
Open
feat(File Explorer): Add configurable local image rendering to Markdown previewer#47857st-gr wants to merge 1 commit into
st-gr wants to merge 1 commit into
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
This comment has been minimized.
This comment has been minimized.
Add a "Show local images" toggle in PowerToys Settings (File Explorer > Markdown) that allows the preview handler to render images referenced via relative paths from the markdown file's directory. Implementation: - HTMLParsingExtension: conditionally resolve local markdown images via virtual host URL with path traversal protection - MarkdownHelper: regex-rewrite relative src attributes in HTML img tags - WebView2: use SetVirtualHostNameToFolderMapping to serve local images via https://localmdimages/ virtual host - Settings UI: toggle in PowerPreviewPage.xaml with ViewModel binding - Handler Settings: read EnableMdLocalImages via SettingsUtils Security: - Default: OFF (existing behavior preserved) - Only images under the markdown file's directory tree are allowed - Remote URLs (http/https/data/javascript) always blocked - Path traversal blocked via Path.GetFullPath + StartsWith check - WebView2 scripts remain disabled (IsScriptEnabled = false) Fixes: microsoft#40787 Fixes: microsoft#3713 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
st-gr
force-pushed
the
feature/markdown-local-images
branch
from
58b36a5 to
f493c74
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SetVirtualHostNameToFolderMappingto securely serve local image filesFixes #40787
Fixes #3713
Security model
media/img.png)../../secret.png)Path.GetFullPath+StartsWithcheck failshttps://evil.com/track.png)IsScriptEnabled = false)Implementation
Two layers were blocking images:
HTMLParsingExtension.cs): replaced image URLs with#MarkdownPreviewHandlerControl.cs): returned HTTP 403 for all non-HTML requestsChanges:
HTMLParsingExtension: conditionally resolves markdownimages to virtual host URLs with path traversal protectionMarkdownHelper: regex-rewrites relativesrc=""in raw HTML<img>tags to virtual host URLsMarkdownPreviewHandlerControl: maps markdown directory viaSetVirtualHostNameToFolderMapping("localmdimages", dir, Allow)and allows those requests through the resource filterSettings.cs: readsEnableMdLocalImagesviaSettingsUtilsTest plan
and<img src="media/image.png">render→ blocked→ blocked🤖 Generated with Claude Code