
Active content

Active content is a generic name for a set of powerful Trilium features, ranging from customizing the UI to advanced scripting that can alter your notes or even your PC.

Safe import

Active content poses a safety problem, especially when it comes from a third party, for example when it is downloaded from a website and then imported into Trilium.

When importing .zip archives into Trilium, safe import is active by default and tries to prevent untrusted code from executing. For example, a custom widget needs the #widget label in order to function; safe import works by renaming that label to #disabled:widget, so the note is still imported but the widget is not loaded.

Safe mode

Sometimes active content can cause issues with the UI or the server, preventing them from functioning properly. Safe mode allows starting Trilium in such a way that active content is not loaded at start-up, giving the user the chance to fix the problematic scripts or widgets.

Types of active content

These are the types of active content in Trilium, along with a few examples of what untrusted content of that type could cause:

| Name | Disabled on a safe import | Description | Potential risks of untrusted code |
|---|---|---|---|
| Front-end scripts | Yes | Allow running arbitrary code on the client (UI) of Trilium, which can alter the user interface. | A malicious script can execute server-side code, access unencrypted notes or change their contents. |
| Custom Widgets | Yes | Can add new UI features to Trilium, for example by adding a new section in the Right Sidebar. | The UI can be altered in such a way that it can be used to extract sensitive information, or it can simply cause the application to crash. |
| Backend scripts | Yes | Can run custom code on the server of Trilium (Node.js environment), with full access to the notes and the database. | Has access to all the unencrypted notes, and with full access to the database it can completely destroy the data. It can also execute other applications or alter the files and folders on the server. |
| Web View | Yes | Displays a website inside a note. | Can point to a phishing website which collects the data entered (for example on a login page). |
| Render Note | Yes | Renders custom content inside a note, such as a dashboard or a new editor that is not officially supported by Trilium. | Can affect the UI similarly to front-end scripts or custom widgets, since the scripts are not completely encapsulated, or can act similarly to a web view and collect data entered by the user. |
| Custom app-wide CSS | No | Can alter the layout and style of the UI using CSS, applied regardless of theme. | Generally less problematic than the rest of active content, but badly written CSS can break the layout of the application, requiring Safe mode to be able to use the application. |
| Custom themes | No | Can change the style of the entire UI. | Similar to custom app-wide CSS. |
| Icon Packs | No | Introduces new icons that can be used for notes. | Generally more contained and less prone to cause issues, but can cause performance problems (for example if the icon pack contains millions of icons). |

Active content badge

Starting with v0.102.0, on the New Layout a badge is displayed near the note title, indicating that active content has been detected. Clicking the badge reveals a menu with various options related to that content type, for example to open the documentation or to configure the execution of scripts.

For some active content types, such as backend scripts with custom triggering conditions, a toggle button will appear. This makes it possible to easily disable scripts or widgets, but also to re-enable them if an import was made with safe mode active.
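As an added example (not Trilium's own code), the JavaScript below models the three mechanisms this guide describes on a note's attribute list: the safe-import rename of #widget to #disabled:widget, the Safe mode gate that keeps active content from loading at start-up, and the badge toggle that re-enables a script or widget after a safe import. Only the widget label is taken from the guide; the attribute object shape and the other label names (run, customRequestHandler, customResourceProvider) are assumptions made for the example.

```javascript
// Added example, not Trilium's own code: a small model of the "safe import"
// label renaming, the Safe mode start-up gate and the badge's enable/disable
// toggle described in this guide. Only the #widget -> #disabled:widget rename
// is taken from the guide; every other label name below is an assumption.
const DISABLED_PREFIX = "disabled:";

// Labels that mark a note as active content. "widget" comes from the guide;
// "run", "customRequestHandler" and "customResourceProvider" are assumed
// names and can be replaced with whatever the running version actually uses.
const ACTIVE_CONTENT_LABELS = new Set([
  "widget",                 // custom widgets (from the guide)
  "run",                    // front-end / backend scripts (assumed)
  "customRequestHandler",   // backend request handlers (assumed)
  "customResourceProvider", // backend resource providers (assumed)
]);

// True for a label that safe import has already renamed, e.g. "disabled:widget".
function isDisabledLabel(name) {
  return name.startsWith(DISABLED_PREFIX) &&
    ACTIVE_CONTENT_LABELS.has(name.slice(DISABLED_PREFIX.length));
}

// Safe import: prefix every active-content label so it no longer triggers.
// Relations and already-disabled labels pass through unchanged, so running
// this twice over the same attributes is harmless (the second run renames 0).
function safeImport(attributes) {
  let renamed = 0;
  const out = attributes.map((attr) => {
    if (attr.type === "label" && ACTIVE_CONTENT_LABELS.has(attr.name)) {
      renamed += 1;
      return { ...attr, name: DISABLED_PREFIX + attr.name };
    }
    return attr;
  });
  return { attributes: out, renamed };
}

// Badge toggle, "enable" direction: strip the prefix that safe import added.
function reEnable(attributes) {
  let restored = 0;
  const out = attributes.map((attr) => {
    if (attr.type === "label" && isDisabledLabel(attr.name)) {
      restored += 1;
      return { ...attr, name: attr.name.slice(DISABLED_PREFIX.length) };
    }
    return attr;
  });
  return { attributes: out, restored };
}

// What the badge needs to know: is there active content on this note, and is
// each piece of it currently enabled or disabled?
function detectActiveContent(attributes) {
  const enabled = [];
  const disabled = [];
  for (const attr of attributes) {
    if (attr.type !== "label") continue;
    if (ACTIVE_CONTENT_LABELS.has(attr.name)) {
      enabled.push(attr.name);
    } else if (isDisabledLabel(attr.name)) {
      disabled.push(attr.name.slice(DISABLED_PREFIX.length));
    }
  }
  return { hasActiveContent: enabled.length + disabled.length > 0, enabled, disabled };
}

// Start-up gate: Safe mode (modelled here as a boolean start-up option)
// skips all active content; otherwise only enabled labels are allowed to run.
function shouldExecute(attributes, { safeMode = false } = {}) {
  if (safeMode) return false;
  return detectActiveContent(attributes).enabled.length > 0;
}

// Constructed sample: attributes of a widget note as they might arrive in an
// imported .zip (all values are made up for this example).
const importedWidgetNote = [
  { type: "label", name: "widget", value: "" },
  { type: "label", name: "run", value: "frontendStartup" },
  { type: "label", name: "color", value: "#ff0000" },
  { type: "relation", name: "template", value: "noteIdPlaceholder" },
];

const imported = safeImport(importedWidgetNote);
console.log(`safe import renamed ${imported.renamed} label(s)`);
console.log(detectActiveContent(imported.attributes));
console.log("runs after safe import?", shouldExecute(imported.attributes)); // false
console.log("runs after re-enable?",
  shouldExecute(reEnable(imported.attributes).attributes)); // true
```

The point of keeping the rename as a reversible prefix rather than deleting the label is visible in `reEnable`: the badge toggle only has to strip `disabled:` to restore exactly what was imported, and `detectActiveContent` can still show the badge for a note whose scripts are present but disabled, which is what lets the user decide per note instead of losing the information at import time.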