Markdown fixes #1632
Closed
Markdown fixes #1632
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This is mostly better than the PR i sent at #1633 But i notice it also an incomplete fix as it doesn't fix including untrusted data via {{{signature}}}. |
|
I'm not sure that I'm actually addressing your XSS concerns, because this fix requires the content being passed to marked to be unescaped first. I wasn't directly considering XSS here, but it's certainly a related issue. As a result, I only changed handlebars expressions inside markdown classes, since at the time I wasn't sure whether things like {{{signature}}} were that way for a reason. |
|
As our focus is on 3.0, this is no longer needed. Thanks for taking the time to submit this PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes the issues with markdown that I detailed in #1622. This should also close #1332 and #1491.
The first is a fix for markdown code blocks that contain xml or html. Inserting the raw markdown into the DOM treats this xml/html as part of the document, leading to problems. My fix is to let handlebars escape the markdown and then unescape it when calling marked. Using html outside of code blocks still works as intended.
The second is to only call marked within the specified dom_id. This is important when loading multiple SwaggerUI instances on the same page, as the current code will call marked multiple times on the same content.