fix(markdown): apply html sanitizer on markdownToHtml output (#2237)

Co-authored-by: ocavue <ocavue@gmail.com>
remirror · Feb 21, 2024 · 00a41e3 · 00a41e3 · github-actions · Feb 21, 2024
1 parent 68773ba
commit 00a41e3
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 61 deletions.
diff --git a/.changeset/twenty-yaks-brake.md b/.changeset/twenty-yaks-brake.md
@@ -0,0 +1,5 @@
+---
+'@remirror/extension-markdown': minor
+---
+
+Fix the html sanitizing on HTML output from markdown. Removed the default html sanitizer because it doesn't provide any security guarantees and it's not been called due to a bug in the markdown extension.
diff --git a/packages/remirror__extension-markdown/src/markdown-extension.ts b/packages/remirror__extension-markdown/src/markdown-extension.ts
@@ -20,7 +20,6 @@ import { DOMSerializer, Fragment } from '@remirror/pm/model';
 
 import { htmlToMarkdown } from './html-to-markdown';
 import { markdownToHtml } from './markdown-to-html';
-import { htmlSanitizer } from './markdown-utils';
 
 export interface MarkdownOptions {
   /**
@@ -38,13 +37,8 @@ export interface MarkdownOptions {
   markdownToHtml?: Static<(markdown: string, sanitizer?: (html: string) => string) => string>;
 
   /**
-   * Provide a sanitizer to prevent XSS attacks.
-   *
-   * The default sanitizer has **zero** security guarantees so it's recommended
-   * that you provide your own html sanitizer here.
-   *
-   * If you want to sanitize on the backend as well you will need to override
-   * this method.
+   * Provide a sanitizer to prevent XSS attacks. Remirror does not provide any
+   * sanitization by default.
    */
   htmlSanitizer?: Static<(html: string) => string>;
 
@@ -88,7 +82,7 @@ export interface MarkdownOptions {
   defaultOptions: {
     htmlToMarkdown,
     markdownToHtml,
-    htmlSanitizer,
+    htmlSanitizer: undefined,
     activeNodes: [ExtensionTag.Code],
     copyAsMarkdown: false,
   },

diff --git a/packages/remirror__extension-markdown/src/markdown-to-html.ts b/packages/remirror__extension-markdown/src/markdown-to-html.ts
@@ -32,5 +32,9 @@ marked.use({
  * Converts the provided markdown to HTML.
  */
 export function markdownToHtml(markdown: string, sanitizer?: (html: string) => string): string {
-  return marked(markdown, { gfm: true, smartLists: true, xhtml: true, sanitizer });
+  const html = marked(markdown, { gfm: true, smartLists: true, xhtml: true });
+  if (sanitizer) {
+    return sanitizer(html);
+  }
+  return html;
 }
diff --git a/packages/remirror__extension-markdown/src/markdown-utils.ts b/packages/remirror__extension-markdown/src/markdown-utils.ts