Double-click drawing to edit functionality does not work using the markdown on Safari #1451

New Issue

Open

opened 2026-02-05 00:56:16 +03:00 by OVERLORD · 3 comments

OVERLORD commented 2026-02-05 00:56:16 +03:00

Owner

Copy Link

Originally created by @mkrzysztofowicz on GitHub (Nov 14, 2019).

I can't seem to find a way, when using Markdown editor, to edit an existing draw.io drawing. I can add a new drawing, but after it was added, can't seem to find a way to edit it.

I know cmd + click Insert Drawing opens the Drawing Manager which allows me to select a drawing to be inserted into the document or delete a drawing, however it seems there's no way to edit an existing drawing.

This functionality IS available in the WYSIWYG editor.

Am I missing something or is this feature in fact not there yet?

Running BookStackApp 0.27.5 on CentOS 7.6 with NGINX and php-fpm, with php 7.2.24 from remi-repos.

Thanks!

Originally created by @mkrzysztofowicz on GitHub (Nov 14, 2019). I can't seem to find a way, when using Markdown editor, to edit an existing draw.io drawing. I can add a new drawing, but after it was added, can't seem to find a way to edit it. I know `cmd + click` Insert Drawing opens the Drawing Manager which allows me to select a drawing to be inserted into the document or delete a drawing, however it seems there's no way to edit an existing drawing. This functionality *IS* available in the WYSIWYG editor. Am I missing something or is this feature in fact not there yet? Running BookStackApp 0.27.5 on CentOS 7.6 with NGINX and php-fpm, with php 7.2.24 from remi-repos. Thanks!

OVERLORD added the 🐛 Bug🔒 Security💻 Front-End labels 2026-02-05 00:56:16 +03:00

OVERLORD commented 2026-02-05 00:56:21 +03:00

Author

Owner

Copy Link

@lommes commented on GitHub (Nov 15, 2019):

As mentioned in #1127:

Edit the page and double click the image in the markdown preview

I did not know this until now, too

@lommes commented on GitHub (Nov 15, 2019): As mentioned in #1127: Edit the page and double click the image in the markdown preview I did not know this until now, too

OVERLORD commented 2026-02-05 00:56:29 +03:00

Author

Owner

Copy Link

@mkrzysztofowicz commented on GitHub (Nov 15, 2019):

Ah, OK. It doesn't seem to work in Safari on macOS, however it DOES work in Firefox on macOS.

I'm running macOS Catalina 10.15.1 and Safari 13.0.3 (15608.3.10.1.4).

What's interesting is that using the WYSIWYG editor on the exact same computer (macOS 10.15.1 and Safari 13.0.3 as above) does seem to allow double-click to edit an image.

So, to make sure this is clear, following is the scenario for macOS Catalina 10.15.1 and Safari 13.0.3:

Describe the bug
Editing draw.io diagrams doesn't work in Markdown editor when using Safari 13.0.3 on macOS Catalina 10.15.1.

• note, editing in WYSIWYG editor using macOS Catalina 10.15.1 and Safari 13.0.3 does work
• note, editing in Markdown editor using macOS Catalina 10.15.1 and Firefox 70.0.1 does work

Steps to reproduce

1. Create a new Book Page with macOS and Safari, using Markdown editor
2. Click "Insert Drawing" and draw a simple diagram with draw.io
3. Click File / Save to insert the diagram into your Book Page and to bring you back to Markdown Editor
4. In the Preview pane, double-click on your diagram with the intention to edit it - nothing happens. The image is surrounded by a blue frame when you hover the mouse over it, but double click does nothing
   • when looking at the Web Inspector, I can see the following message in the Console after the double click: Blocked script execution in 'about:srcdoc' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

Expected behaviour
Double clicking on the diagram in the preview pane of the Markdown editor opens the diagram in draw.io for editing

Your Configuration (please complete the following information):
Server:

• Exact BookStack Version (Found in settings): v0.27.5
• CentOS Linux release 7.7.1908 (Core)
• PHP 7.2.24 (cli) (built: Oct 22 2019 11:15:01) ( NTS ) from remi-php72 repo
• PHP 7.2.24 (fpm-fcgi) (built: Oct 22 2019 11:16:17) from remi-php72 repo
• nginx version: nginx/1.16.1

Client:

• MacBook Pro 13" with TouchBar, 2017 model
• macOS Catalina 10.15.1
• Safari 13.0.3

@mkrzysztofowicz commented on GitHub (Nov 15, 2019): Ah, OK. It doesn't seem to work in Safari on macOS, however it DOES work in Firefox on macOS. I'm running macOS Catalina 10.15.1 and Safari 13.0.3 (15608.3.10.1.4). What's interesting is that using the WYSIWYG editor on the exact same computer (macOS 10.15.1 and Safari 13.0.3 as above) does seem to allow double-click to edit an image. So, to make sure this is clear, following is the scenario for **macOS Catalina 10.15.1** and **Safari 13.0.3**: **Describe the bug** Editing draw.io diagrams doesn't work in Markdown editor when using Safari 13.0.3 on macOS Catalina 10.15.1. * note, editing in WYSIWYG editor using macOS Catalina 10.15.1 and Safari 13.0.3 **does** work * note, editing in Markdown editor using macOS Catalina 10.15.1 and Firefox 70.0.1 **does** work **Steps to reproduce** 1. Create a new Book Page with macOS and Safari, using Markdown editor 2. Click "Insert Drawing" and draw a simple diagram with draw.io 3. Click File / Save to insert the diagram into your Book Page and to bring you back to Markdown Editor 4. In the Preview pane, double-click on your diagram with the intention to edit it - **nothing happens**. The image is surrounded by a blue frame when you hover the mouse over it, but double click does nothing - when looking at the Web Inspector, I can see the following message in the Console after the double click: `Blocked script execution in 'about:srcdoc' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.` **Expected behaviour** Double clicking on the diagram in the preview pane of the Markdown editor opens the diagram in draw.io for editing **Your Configuration (please complete the following information):** Server: * Exact BookStack Version (Found in settings): v0.27.5 * CentOS Linux release 7.7.1908 (Core) * PHP 7.2.24 (cli) (built: Oct 22 2019 11:15:01) ( NTS ) from remi-php72 repo * PHP 7.2.24 (fpm-fcgi) (built: Oct 22 2019 11:16:17) from remi-php72 repo * nginx version: nginx/1.16.1 Client: * MacBook Pro 13" with TouchBar, 2017 model * macOS Catalina 10.15.1 * Safari 13.0.3

OVERLORD commented 2026-02-05 00:56:34 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Nov 15, 2019):

Hi @mkrzysztofowicz, Thanks for the details information above.

In a recent release I updated the markdown preview to be inside a sandboxed iframe to prevent any potential malicious scripts from being allowed to run if ever inserted.

While sandboxed against scripts, Chrome/FireFox/IE/Edge all allow us to still handle events inside the preview via script created outside of the sandbox to handle actions such as drawing click. Unfortunately Safari/Webkit behaves differently in this regard and seems to block all scripts and events. The WYSWIG editor does not have this security feature since it generally does a lot more filtering of input itself.

I think we'd need to use a different security feature, CSP, to disable potentially malicious scripts in a full cross-browser compatible way. This would generally make many of areas of BookStack much more secure but is a larger undertaking, since it has a wider impact that needs to be considered and it'll need to be compatible with admin-specific customizations.

I'll update the title of this issue to be specific to the issue of not being able to edit images in Safari when using the Markdown editor.

@ssddanbrown commented on GitHub (Nov 15, 2019): Hi @mkrzysztofowicz, Thanks for the details information above. In a recent release I updated the markdown preview to be inside a sandboxed iframe to prevent any potential malicious scripts from being allowed to run if ever inserted. While sandboxed against scripts, Chrome/FireFox/IE/Edge all allow us to still handle events inside the preview via script created outside of the sandbox to handle actions such as drawing click. Unfortunately Safari/Webkit behaves differently in this regard and seems to block all scripts and events. The WYSWIG editor does not have this security feature since it generally does a lot more filtering of input itself. I think we'd need to use a different security feature, [CSP](https://content-security-policy.com/), to disable potentially malicious scripts in a full cross-browser compatible way. This would generally make many of areas of BookStack much more secure but is a larger undertaking, since it has a wider impact that needs to be considered and it'll need to be compatible with admin-specific customizations. I'll update the title of this issue to be specific to the issue of not being able to edit images in Safari when using the Markdown editor.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

l10n_development

further_theme_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

No Label 🐛 Bug 💻 Front-End 🔒 Security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#1451