
Release v0.7.0 #1519

Merged
merged 1 commit into from Jul 6, 2019

Conversation

@UziTech
Member

@UziTech UziTech commented Jul 5, 2019

Release Notes


Security

  • Sanitize paragraph and text tokens #1504
  • Fix ReDOS for links with backticks (issue #1493) #1515

Breaking Changes

  • Deprecate sanitize and sanitizer options #1504
  • Move fences to CommonMark #1511
  • Move tables to GFM #1511
  • Remove tables option #1511
  • Single backtick in link text needs to be escaped #1515

Fixes

Tests

  • Run tests with correct options #1511

Publisher

  • $ npm version has been run.
  • Release notes in draft GitHub release are up to date
  • Release notes include which flavors and versions of Markdown are supported by this release
  • Committer checklist is complete.
  • Merge PR.
  • Publish GitHub release using master with correct version number.
  • $ npm publish has been run.
  • Create draft GitHub release to prepare next release.

Note: If merges to master occur after submitting this PR and before running $ npm publish you should be able to

  1. pull from upstream/master (git pull upstream master) into the branch holding this version,
  2. run $ npm run build to regenerate the min file, and
  3. commit and push the updated changes.

Committer

In most cases, this should be someone different than the publisher.

  • Version in package.json has been updated (see PUBLISHING.md).
  • The marked.min.js has been updated; or,
  • release does not change library.
  • CI is green (no forced merge required).
@UziTech UziTech requested review from davisjam, joshbruce and styfle Jul 5, 2019
styfle
styfle approved these changes Jul 5, 2019
Member

@styfle styfle left a comment

:shipit:

Contributor

@davisjam davisjam left a comment

Lots of good stuff in here!

@UziTech UziTech merged commit 26ae990 into markedjs:master Jul 6, 2019
1 check passed
@azu

@azu azu commented Jul 6, 2019

Deprecate sanitize and sanitizer options #1504

Is sanitizer option deprecated?
#1504 affect only sanitize option?

It's my error. The sanitizer option works with the sanitize option.

Also, I think that the release note or documentation should include a migration guide from sanitize to a sanitize library. The release note and documentation lack concrete example code.

@UziTech
Member Author

@UziTech UziTech commented Jul 7, 2019

@azu the documentation for the sanitize option lists a few other libraries that do a much better job sanitizing html.

@azu

@azu azu commented Jul 10, 2019

@UziTech Yes, I know.

I've tried to use marked@0.7 and DOMPurify, but this combination has a bit of a complex context,
because DOMPurify does not work on Node.js without jsdom.

  • marked is a universal/isomorphic library
  • DOMPurify is not a universal/isomorphic library
    • It requires jsdom for Node.js

The browser environment does not need jsdom, but the Node.js environment does need jsdom.
It requires a bit of complex code.

// The same branching written out: DOMPurify needs a window, which Node.js lacks
if (THIS_ENV_IS_NODE) {
  const { JSDOM } = require('jsdom');
  const DOMPurify = require('dompurify')(new JSDOM('').window); // jsdom supplies the DOM
  return DOMPurify.sanitize(marked(markdown));
} else {
  const DOMPurify = require('dompurify'); // browser: bound to the real window
  return DOMPurify.sanitize(marked(markdown));
}

So, I've created a wrapper library optimized for both the browser and Node.js.

safe-marked is a wrapper library around marked, DOMPurify, and jsdom.
Also, safe-marked defines the 'browser' field in package.json to optimize the browser bundle.
The browser entry point does not include jsdom.

This wrapper aims to reduce the package size for the browser.

  package           size      minified  gzipped
  safe-marked       90.15 KB  39.36 KB  13.82 KB (browser bundle size)
  marked@0.7.0      45.05 KB  23.87 KB  7.87 KB
  dompurify@1.0.11  45.21 KB  15.3 KB   5.99 KB
  
  # Other Markdown library  
  markdown-it@9.0.0  325.52 KB  92.69 KB  32.77 KB
  showdown@1.9.0     157.28 KB  71.06 KB  23.55 KB

Conclusion

The documentation just says the following:

Marked does not sanitize the output HTML. Please use a sanitize library, like DOMPurify (recommended), sanitize-html or insane on the output HTML! 🚨

After using marked + DOMPurify, I feel that it is hard to use marked safely.
I think that we need to improve the documentation about the usage of sanitizing.
Or just come back to supporting the sanitize option...

However, the documentation is not a fundamental solution.

Thanks.


📝 Note: The sizes of the recommended libraries:

sanitize-html is too large. insane looks like it is not maintained and has some problems.
So, I've selected DOMPurify. DOMPurify is maintained by a security company.

  package               size      minified   gzipped
  dompurify@1.0.11      45.21 KB  15.3 KB    5.99 KB
  sanitize-html@1.20.1  1.02 MB   210.06 KB  64.81 KB
  insane@2.6.2          18.61 KB  4.64 KB    1.9 KB

Also, I love the package size of marked ❤️

@UziTech
Member Author

@UziTech UziTech commented Jul 10, 2019

I think that we need to improve documentation about the usage of sanitizing.

We are always taking pull requests 😁
