-
Notifications
You must be signed in to change notification settings - Fork 28.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow style in span in markdown #97793
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like it, not sure if we need a two step approach. Now, because the marked sanitize is gone, extensionn can add iframes, img, div etc. Tho, I am also not sure why these things are listed here in the first place... @mjbvz please comment
@jrieken We actually have two sanitization passes currently, one from What worries me though is that by allowing markdown strings to use Github's sanitizer for markdown previews strips out |
Well, that's the point because with this PR we don't have that anymore and the questions is how we get to that again or why our current 2nd pass sanitizer looks/allows for |
I'm also very curious about why we're already letting Makes sense to be worried about markedOptions.sanitizer = (html: string): string => {
const permitted = /^<span style=\"(color\:#[0-9a-fA-F]+;)?(background-color\:#[0-9a-fA-F]+;)?\">[^<>]+<\/\s*span>$/;
const match = html.match(permitted);
return match ? html : '';
}; |
Sorry to butt in, but would you consider letting through all HTML tags allowed by GitHub's sanitization pipeline? Those are
afaict (source). |
@mjbvz wrt to security. Don't we have content security policies in place that protect us from this? |
@alexr00 Yes you'll need to be careful when removing the first sanitization pass because it may have sanitized things the second didn't. This should be unlikely. In the case of For this issue though, we could try using @jrieken It is always better to have multiple layers of protection and limit the potential attack surface where possible. @pfitzseb Please open a separate issue for that |
@mjbvz you added this line and I don't understand why
Sure, but it's better to know what one layer is doing and what the other isn't doing, e.g where we have hole or duplication. So, this was a question if you know what the CSPs do |
This would still involve deleting the |
@jrieken Those are the default settings for insane (just copied over so I could add a few more attributes). The allowed tags are separate from the allowed attributes. The current setting just says: if we allow iframes (which we don't) here are the allowed attributes for them. We can remove the line since it has no effect @alexr00 I'm good with removing My concern is just that allowing CSS brings up a number of other considerations:
My feeling is that we should think through this problem more and find some other potential use cases. Issues labels seem like a very specific use case |
Wouldn't rendering the content in a iframe and/or utilizing css containment such as |
I was actually reminded of another method that I have used for markdown in the past which is to just use an external css file that is included in then provide support using custom approved html elements instead. This can be quite a nice solution for this and allows defining some styles people can use in the markdown they provide you without exposing all styling.
I used css variables in this implementation since we did also allow setting them via html but that would then require the style prop so prob not ideal for this situation :). perhaps
I am not sure if the shortcut of not wrapping it was something custom or not, it has been awhile, but it renders: <blockquote>
<p><important> This API will be superseded by an all-new API in June 2020. It is not recommended to start
new development projects using this API. Documentation for the new API will be available prior to its release.</important></p>
</blockquote> :root {
--note: steelblue;
--important: red;
--warn: orange;
--tip: rgb(50, 189, 91);
--info: rgb(30, 153, 147);
}
blockquote {
color: #333333 !important;
position: relative;
box-shadow: 0px 0px 1px rgba(0, 0, 0, 0.2);
background-color: #fcfcfc;
padding: 20px !important;
margin-top: 15px !important;
margin-bottom: 15px !important;
border-left: 0 !important;
}
blockquote p {
margin: 0 !important;
margin-bottom: 5px !important;
margin-top: 5px !important;
padding-left: 5px !important;
}
blockquote li {
margin-top: 15px;
}
blockquote::before {
display: block;
content: "";
position: absolute;
left: 0;
top: 0;
bottom: 0;
width: 3px;
}
blockquote::before {
background-color: steelblue;
}
blockquote note::after,
blockquote tip::after,
blockquote important::after,
blockquote warn::after,
blockquote custom::after {
display: block;
content: "";
position: absolute;
left: 0;
top: 0;
bottom: 0;
width: 3px;
}
blockquote important::before {
content: var(--title, "IMPORTANT");
color: var(--color, var(--important));
}
blockquote important::after {
background-color: var(--color, var(--important));
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚢it
Part of #40607
Example of markdown that will use this:
Example of what that will look like: