Release v0.7.0 #1519

Merged
merged 1 commit into from Jul 6, 2019

Conversation

UziTech (Member) commented Jul 5, 2019

Release Notes


Security

  • Sanitize paragraph and text tokens #1504
  • Fix ReDOS for links with backticks (issue #1493) #1515

Breaking Changes

  • Deprecate sanitize and sanitizer options #1504
  • Move fences to CommonMark #1511
  • Move tables to GFM #1511
  • Remove tables option #1511
  • Single backtick in link text needs to be escaped #1515

Fixes

Tests

  • Run tests with correct options #1511

Publisher

  • $ npm version has been run.
  • Release notes in draft GitHub release are up to date
  • Release notes include which flavors and versions of Markdown are supported by this release
  • Committer checklist is complete.
  • Merge PR.
  • Publish GitHub release using master with correct version number.
  • $ npm publish has been run.
  • Create draft GitHub release to prepare next release.

Note: If merges to master occur after submitting this PR and before running $ npm publish you should be able to

  1. pull from upstream/master (git pull upstream master) into the branch holding this version,
  2. run $ npm run build to regenerate the min file, and
  3. commit and push the updated changes.

Committer

In most cases, this should be someone different than the publisher.

  • Version in package.json has been updated (see PUBLISHING.md).
  • The marked.min.js has been updated; or,
  • release does not change library.
  • CI is green (no forced merge required).
UziTech requested review from davisjam, joshbruce and styfle Jul 5, 2019

styfle (Member) approved these changes Jul 5, 2019 and left a comment

:shipit:

davisjam (Contributor) left a comment

Lots of good stuff in here!

UziTech merged commit 26ae990 into markedjs:master Jul 6, 2019
1 check passed: continuous-integration/travis-ci/pr (The Travis CI build passed)

azu commented Jul 6, 2019

Deprecate sanitize and sanitizer options #1504

Is the sanitizer option deprecated?
Does #1504 affect only the sanitize option?

It's my error. The sanitizer option works with the sanitize option.

Also, I think that the release notes or documentation should include a migration guide from the sanitize option to a sanitize library. The release notes and documentation lack concrete example code.

UziTech (Member, Author) commented Jul 7, 2019

@azu the documentation for the sanitize option lists a few other libraries that do a much better job sanitizing HTML.

azu commented Jul 10, 2019

@UziTech Yes, I know.

I've tried to use marked@0.7 and DOMPurify, but this combination has a somewhat complex context, because DOMPurify does not work on Node.js without jsdom.

  • marked is a universal/isomorphic library
  • DOMPurify is not a universal/isomorphic library
    • It requires jsdom for Node.js

The browser environment does not need jsdom, but the Node.js environment does.
It requires slightly more complex code:

const marked = require('marked');
const createDOMPurify = require('dompurify');

function renderSafe(markdown) {
  // In Node.js there is no global window, so DOMPurify needs a DOM supplied by jsdom;
  // in the browser the real window is used and jsdom is never loaded.
  const win = typeof window === 'undefined'
    ? new (require('jsdom').JSDOM)('').window
    : window;
  return createDOMPurify(win).sanitize(marked(markdown));
}

So, I've created a wrapper library optimized for both the browser and Node.js.

safe-marked is a wrapper library around marked, DOMPurify, and jsdom.
Also, safe-marked defines the 'browser' field in package.json to optimize the browser bundle.
The browser entry point does not include jsdom.

This wrapper aims to reduce package size for the browser.

  package           size      minified  gzipped
  safe-marked       90.15 KB  39.36 KB  13.82 KB (browser bundle size)
  marked@0.7.0      45.05 KB  23.87 KB  7.87 KB
  dompurify@1.0.11  45.21 KB  15.3 KB   5.99 KB

  # Other Markdown library
  markdown-it@9.0.0  325.52 KB  92.69 KB  32.77 KB
  showdown@1.9.0     157.28 KB  71.06 KB  23.55 KB

Conclusion

The documentation just says the following:

Marked does not sanitize the output HTML. Please use a sanitize library, like DOMPurify (recommended), sanitize-html or insane on the output HTML! 🚨

After using marked + DOMPurify, I feel that it is hard to use marked safely.
I think that we need to improve the documentation about the usage of sanitizing.
Or just bring back support for the sanitize option...

However, documentation is not a fundamental solution.

Thanks.


📝 Note: The size of the recommended libraries:

sanitize-html is too large. insane looks like it is not maintained and has some problems.
So, I've selected DOMPurify. DOMPurify is maintained by a security company.

  package               size      minified   gzipped
  dompurify@1.0.11      45.21 KB  15.3 KB    5.99 KB
  sanitize-html@1.20.1  1.02 MB   210.06 KB  64.81 KB
  insane@2.6.2          18.61 KB  4.64 KB    1.9 KB

Also, I love the package size of marked ❤️

UziTech (Member, Author) commented Jul 10, 2019

I think that we need to improve documentation about the usage of sanitizing.

We are always taking pull requests 😁

UziTech deleted the UziTech:Release-0.7.0 branch Sep 11, 2019