script tag not work when using htmlParser plugin #562

Closed
maltoze opened this issue Apr 8, 2021 · 1 comment · Fixed by #563
Labels
🙋 no/question This does not need any changes

Comments


maltoze commented Apr 8, 2021

Subject of the issue

script tag does not work when using htmlParser plugin

Your environment

  • OS:
  • Packages:
  • Env:

Steps to reproduce

https://codesandbox.io/s/admiring-river-5ekyn?file=/src/App.js

import React from "react";
import ReactMarkdown from "react-markdown";
import htmlParser from "react-markdown/plugins/html-parser";

const parseHtml = htmlParser({
  isValidNode: () => true
});

const content = `
This is some paragraph text. 
  - This is a bullet point 
 - This is another one 
 - And a third 

<script>
console.log('hi');
alert('script');
</script>
`;

export default function App() {
  return (
    <div className="App">
      <ReactMarkdown
        source={content}
        escapeHtml={false}
        astPlugins={[parseHtml]}
      />
    </div>
  );
}

Expected behavior

script tag should work?

Actual behavior

script tag does not work

@maltoze maltoze added 🐛 type/bug This is a problem 🙉 open/needs-info This needs some more info labels Apr 8, 2021
wooorm (Member) commented Apr 8, 2021

How should script tags work in react? That's a massive security vulnerability

wooorm added a commit that referenced this issue Apr 12, 2021
* Replace `renderers` w/ `components`
* Replace `allowNode` w/ `allowElement`, which is now given a hast element (as
  the first parameter)
* Replace `allowedTypes` w/ `allowedElements`
* Replace `disallowedTypes` w/ `disallowedElements`
* Change signature of `linkTarget` and `transformLinkUri`, which are now given
  hast children (as the second parameter)
* Change signature of `transformImageUri`, which is now given the `alt` string
  as the second parameter (instead of the fourth)
* Replace `plugins` w/ `remarkPlugins` (backwards compatible change)
* Add `rehypePlugins`
* Change `includeNodeIndex` to `includeElementIndex`: it still sets an `index`,
  but that value now represents the number of preceding elements, it also sets a
  `siblingCount` (instead of `parentChildCount`) with the number of sibling
  elements in the parent
* The `columnAlignment` prop is no longer given to table elements: it’s
  available as `style` on `th` and `td` elements instead
* The `spread` prop is no longer given to list elements: it’s already handled

Remove buggy HTML parsers from core

* If you want HTML, add [`rehype-raw`](https://github.com/rehypejs/rehype-raw)
  to `rehypePlugins` and it’ll work without bugs!
* Remove `allowDangerousHtml` (previously called `escapeHtml`) option: pass
  `rehype-raw` in `rehypePlugins` to allow HTML instead
* Remove `with-html.js`, `plugins/html-parser.js` entries from library
* Remove naïve HTML parser too: either use `rehype-raw` to properly support
  HTML, or don’t allow it at all

Closes GH-549.
Closes GH-563.

The following issues are solved as rehype is now available:

Closes GH-522.
Closes GH-465.
Closes GH-427.
Closes GH-384.
Closes GH-356.

The following issues are solved as a proper HTML parser (`rehype-raw`) is now
available:

Closes GH-562.
Closes GH-460.
Closes GH-454.
Closes GH-452.
Closes GH-433.
Closes GH-386.
Closes GH-385.
Closes GH-345.
Closes GH-320.
Closes GH-302.
Closes GH-267.
Closes GH-259.

The following issues are solved as docs are improved:

Closes GH-251.
@wooorm wooorm added 🙋 no/question This does not need any changes and removed 🐛 type/bug This is a problem 🙉 open/needs-info This needs some more info labels Apr 12, 2021
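
An added example, not code from this thread or from react-markdown: a deny-by-default predicate in the shape of the `allowElement` option named in the commit message (a hast element in, a boolean out), for use when raw HTML is enabled on untrusted markdown. The allowlist, `SAFE_URL`, the `filterTree` helper that emulates a renderer applying the predicate, and the sample tree are all assumptions constructed for illustration.

```javascript
// Added example; ALLOWED_TAGS, SAFE_URL, filterTree and sampleTree are illustrative assumptions.
const ALLOWED_TAGS = new Set(["p", "ul", "li", "em", "strong", "code", "pre", "a"]);
// Allow http(s), mailto and relative references; every other scheme is rejected.
const SAFE_URL = /^(https?:|mailto:|[\/#?.]|[^:]*$)/i;

// Same shape as the `allowElement` option: hast element in, boolean out.
function allowElement(element) {
  if (!ALLOWED_TAGS.has(element.tagName)) return false; // script, iframe, style, ...
  for (const [name, value] of Object.entries(element.properties || {})) {
    if (/^on/i.test(name)) return false; // inline event handlers such as onClick
    if ((name === "href" || name === "src") && !SAFE_URL.test(String(value).trim())) {
      return false; // javascript:, data: and other unexpected schemes
    }
  }
  return true;
}

// Emulates a renderer applying the predicate: a rejected element is dropped
// with its whole subtree; text nodes pass through. The input is not mutated.
function filterTree(node) {
  if (!node.children) return node;
  const children = node.children
    .filter((child) => child.type !== "element" || allowElement(child))
    .map((child) => filterTree(child));
  return { ...node, children };
}

// Tag names in document order, for inspecting the result.
function tagNames(node, out = []) {
  if (node.type === "element") out.push(node.tagName);
  (node.children || []).forEach((child) => tagNames(child, out));
  return out;
}

const text = (value) => ({ type: "text", value });
const el = (tagName, properties, children) => ({ type: "element", tagName, properties, children });

// Constructed tree: roughly the issue's markdown once raw HTML is parsed, plus three links.
const sampleTree = { type: "root", children: [
  el("p", {}, [text("This is some paragraph text.")]),
  el("ul", {}, [el("li", {}, [text("This is a bullet point")])]),
  el("script", {}, [text("console.log('hi');\nalert('script');")]),
  el("p", {}, [
    el("a", { href: "https://example.com/docs" }, [text("ok")]),
    el("a", { href: "#", onClick: "constructed()" }, [text("handler")]),
    el("a", { href: "javascript:constructed()" }, [text("scheme")]),
  ]),
] };
console.log(tagNames(filterTree(sampleTree)).join(","));
```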