I understand that Nextcloud does not want to display html files for security reasons. This is fine, but because Nextcloud does so well with files and search I would like to make my own app to view a sub-tree of static html files.
I have a large export of static html files (about 12k files) and would like to sync those to a Nextcloud folder and do something like whitelist that folder for an html browsing app. They don’t need to change and I know there are no security issues in them.
Could a custom app handle the linking though? They are all relative paths…
Is this going to be reasonably easy? I noticed that the URLs for each file always involve a fileId and not a file name. Is there a way to plug in a viewer app that can reference these static files by name?
Sure would be nice to have all our content together under elastic searching.
Thank you for any tips and guidance in the right direction.
Do you use a Managed Nextcloud or have you installed it on your own webserver? If you have installed on your own webserver you can use a second virtual webserver and host the websites with a normal webserver. If you want to use Nextcloud you can use local external storage and add the webserver html storage to your Nextcloud. But you must access it from your normal webserver.
Self hosted. The goal is to use the Elastic search in Nextcloud so that when a html file is found by searching, we can click into the file and start reading and browsing the links.
This does give me a bit more of an idea here.
Nextcloud’s default behavior for clicking on an html file is to show the html (that is the security feature I mentioned). With 12k files there may be a lot of back and forth between being able to search and try and find material and looking into the search results to see if it is a match.
So, I could certainly host the files externally (in a folder and perhaps even in the web server), but I would like to re-direct the search results to that external web server. That may make it tricky to have a re-usable app to share with everyone else, but it might help get the job done.
I have to admit, I really don’t understand the so-called “security risk” here.
I get that if my html code (which does refer to external .css files) has malicious code or whatever it may break my NC instance. However, isn’t this the whole point of FOSS?
Why should I be able to open a terminal and run (with the right credentials, of course) something like:
sudo rm -rf /
and not embed a:
'DROP DATABASE `NextCloud`;'
.php if I wish to do so.
At the end it comes down to how much power you give your end user.
If all I want is to have an “HTML Viewer” app, which allows me to select an HTML file in a NC folder, right click → open as → webpage, and keep it linked to .css files as well as images, videos etc., there should be such an option. It’s my responsibility to know and understand the dangers involved. As the root user, I should not allow users to upload files and make them executable, if there is a chance for them to perform something malicious on my server.
Now, I am not claiming the NC team should bother with such an (alleged) edge case. I would, however, be happy to have the community’s help in building such an app while keeping the NC team out of the way.
Notwithstanding, I am not claiming the same for hosted instances of NC, where you definitely should NOT be able to install and run such an app. That being said, again, the responsibility of disabling the use of such an app should be on the server (bare metal) owner and not in the hands of the NC team.
At least, this is my two cents.