[Bug]: HTML is being escaped #4007
Comments
Same issue as https://tiptap.dev/api/utilities/html
This forced escaping is really onerous for known safe HTML. It increases the size of documents by 50% in some cases.
@robertu7 can you explain what you mean?
Can anyone explain where this behavior originates?
Somebody please tell me Tiptap does NOT have yet another built-in crack ass sanitization.
Any update? How to disable?
If the HTML is not valid to the schema set by the extensions, then prosemirror can either strip the HTML (so that the schema is enforced) or make the content be escaped like this. I do not see why this would be incorrect behavior; it is the right thing to do for HTML. The user should not be able to write HTML into an editor instance and have it be parsed as valid content and render as proper HTML. I think safety is much more important than content size; it is just 2 more chars per angle bracket. If you don't like the HTML output you can see how this method works here:
.innerHTML will escape the content by default
@nperez0111 the issue here (which doesn't affect us anymore) is more like if you put already escaped HTML into an attribute, it would get double escaped (I believe).
Which packages did you experience the bug in?
https://tiptap.dev/guide/output#option-2-html has the bug too
What Tiptap version are you using?
2.0.3
What’s the bug you are facing?
Wow, this <img onerror=alert(999) /> editor instance exports its content as HTML.
"<p>Wow, this <img onerror=alert(999) /> editor instance exports its content as HTML.</p>"
The bug is that TipTap shouldn't be escaping HTML without a configuration that tells it to do so (how can I turn it off?). I use another lib to sanitize my HTML inputs and when TipTap escapes HTML my sanitization lib will leave strings in that are dangerous, i.e. onerror=alert(999). This is because TipTap escaped the <img tag so my sanitization lib doesn't remove disallowed attributes from the img tag, because there is no img tag.
I know this is intentional, but how can I get TipTap to stop escaping my HTML? Please and thanks.
What browser are you using?
Chrome
Code example
https://tiptap.dev/guide/output#option-2-html
What did you expect to happen?
I want access to my raw HTML, please.
Anything to add? (optional)
I love the product, great work team.
Did you update your dependencies?
Are you sponsoring us?