[Bug]: HTML is being escaped #4007

Closed

DanielDwyer opened this issue May 2, 2023 · 8 comments
Labels
Category: Open Source The issue or pull request is related to the open source packages of Tiptap. Triage: Open A new issue or pull request that requires triage (added by default) Type: Bug The issue or pull request is related to a bug

Comments

@DanielDwyer

DanielDwyer commented May 2, 2023

Which packages did you experience the bug in?

https://tiptap.dev/guide/output#option-2-html has the bug too

What Tiptap version are you using?

2.0.3

What’s the bug you are facing?

  1. Go to: https://tiptap.dev/guide/output#option-2-html
  2. Go to the 'Use this interactive example to fiddle around:' section
  3. Update the example text to read: "Wow, this <img onerror=alert(999) /> editor instance exports its content as HTML."
  4. View the HTML (from .getHTML()), it reads: "<p>Wow, this &lt;img onerror=alert(999) /&gt; editor instance exports its content as HTML.</p>"

The bug is that TipTap shouldn't be escaping HTML without a configuration that tells it to do so (how can I turn it off?). I use another lib to sanitize my HTML inputs, and when TipTap escapes HTML my sanitization lib will leave strings in that are dangerous, i.e. onerror=alert(999). This is because TipTap escaped the <img tag, so my sanitization lib doesn't remove unallowed attributes from the img tag, because there is no img tag.

I know this is intentional but how can I get TipTap to stop escaping my HTML? Please and thanks

What browser are you using?

Chrome

Code example

https://tiptap.dev/guide/output#option-2-html

What did you expect to happen?

I want access to my raw HTML, please.

Anything to add? (optional)

I love the product, great work team.

Did you update your dependencies?

  • Yes, I’ve updated my dependencies to use the latest version of all packages.

Are you sponsoring us?

  • Yes, I’m a sponsor. 💖
@robertu7

Same issue as https://tiptap.dev/api/utilities/html

@Nantris
Contributor

Nantris commented Jun 12, 2023

This forced escaping is really onerous for known safe HTML. It increases the size of documents by 50% in some cases.

@Nantris
Contributor

Nantris commented Jun 15, 2023

@robertu7 can you explain what you mean?

@Nantris
Contributor

Nantris commented Aug 5, 2023

Can anyone explain where this behavior originates?

@KazimirPodolski

Somebody please tell me Tiptap does NOT have yet another built-in crack ass sanitization.

@kazrude

kazrude commented Jul 23, 2024

Any update? How to disable?

@nperez0111
Contributor

If the HTML is not valid to the schema set by the extensions, then prosemirror can either strip the HTML (so that the schema is enforced) or make the content be escaped like this. I do not see why this would be incorrect behavior; it is the right thing to do for HTML. The user should not be able to write HTML into an editor instance and have it be parsed as valid content and render as proper HTML.

I think safety is much more important than content size; it is just 2 more chars per angle bracket.

If you don't like the HTML output, you can see how this method works here:

return wrap.innerHTML
.innerHTML will escape the content by default

@Nantris
Contributor

Nantris commented Jul 23, 2024

@nperez0111 the issue here (which doesn't affect us anymore) is more like if you put already escaped HTML into an attribute, it would get double escaped (I believe.)
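As an added example that is not Tiptap or ProseMirror code, the block below models the serialization step nperez0111 points at (a node tree walked into markup, with text nodes and attribute values escaped the way the DOM's innerHTML serializer escapes them) so that the output from the report, the schema point, and the double-escaping round trip Nantris describes can all be reproduced offline. The node shapes, the `SCHEMA` attribute whitelist and the `toHTML` function are assumptions standing in for a ProseMirror document, its schema and DOMSerializer; they are not the real API.

```javascript
// Added example, not Tiptap or ProseMirror source. Models how a document
// tree is serialized to HTML so the escaping seen in this thread can be
// reproduced without a browser: a toy schema, a toy node tree, and the two
// escaping rules the HTML serialization algorithm applies.

// Text-node serialization escapes &, < and > (and nothing else).
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute-value serialization escapes & and the quote delimiting the value.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Toy schema (assumed for this example, not Tiptap's): each node type maps to
// one tag and a whitelist of attributes. Anything not listed cannot reach the
// output, which is the "schema is enforced" half of nperez0111's comment.
const SCHEMA = {
  paragraph: { tag: "p", attrs: [] },
  image: { tag: "img", attrs: ["src", "alt"] },
};
const VOID_TAGS = new Set(["img", "br", "hr"]);

// Serialize a node: {type:"text", text} or {type, attrs?, content?}.
function toHTML(node) {
  if (node.type === "text") return escapeText(node.text);
  const spec = SCHEMA[node.type];
  if (!spec) throw new Error(`node type not in schema: ${node.type}`);
  let out = "<" + spec.tag;
  for (const name of spec.attrs) {
    const value = node.attrs && node.attrs[name];
    if (value != null) out += ` ${name}="${escapeAttr(String(value))}"`;
  }
  if (VOID_TAGS.has(spec.tag)) return out + ">";
  const inner = (node.content || []).map(toHTML).join("");
  return `${out}>${inner}</${spec.tag}>`;
}

// Case 1 (the report): markup typed into a paragraph is a text node in the
// document, so it serializes as escaped text and never becomes an element.
function typedMarkup() {
  const doc = {
    type: "paragraph",
    content: [{ type: "text", text: "Wow, this <img onerror=alert(999) /> editor" }],
  };
  return toHTML(doc);
}

// Case 2: the same image as a real node. The schema whitelist drops onerror;
// the serializer only ever sees src and alt.
function imageNodeWithHandler() {
  const doc = {
    type: "paragraph",
    content: [{ type: "image", attrs: { src: "x.png", onerror: "alert(999)" } }],
  };
  return toHTML(doc);
}

// Case 3: an attribute value that tries to close its quote and add a handler.
// The quote is encoded, so the whole payload stays inside alt="...".
function attributeBreakout() {
  const doc = { type: "image", attrs: { src: "x.png", alt: '" onerror="alert(1)' } };
  return toHTML(doc);
}

// Case 4 (Nantris's point): text that is already entity-encoded is still just
// text to the serializer, so its & is encoded a second time.
function doubleEscaped() {
  const doc = { type: "paragraph", content: [{ type: "text", text: "&lt;b&gt;" }] };
  return toHTML(doc);
}

console.log(typedMarkup());          // <p>Wow, this &lt;img onerror=alert(999) /&gt; editor</p>
console.log(imageNodeWithHandler()); // <p><img src="x.png"></p>
console.log(attributeBreakout());    // <img src="x.png" alt="&quot; onerror=&quot;alert(1)">
console.log(doubleEscaped());        // <p>&amp;lt;b&amp;gt;</p>
```

The practical reading for the original report: `&lt;img onerror=alert(999) /&gt;` is inert when a browser renders it, since no element is created from escaped text, so a sanitizer that leaves it alone is behaving correctly. Allowing real `<img>` elements (with an attribute whitelist) is a schema decision made on the way into the editor, not something to recover by un-escaping the serialized output.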


8 participants