-
-
Notifications
You must be signed in to change notification settings - Fork 318
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove source
element as HTML block start condition
#710
Remove source
element as HTML block start condition
#710
Conversation
Side note, not sure if I should update the changelog file in my PR too or if that happens separately? |
Wouldn’t Condition 7 (https://spec.commonmark.org/0.30/#html-blocks) still mess up the markup in the original question (note that “open tag” in CM includes self-closing aka “void” tags), defeating the purpose of this as a solution for it? |
@wooorm That is indeed an interesting point and I agree that the spec could be read that way 🤔 |
Condition 7 only kicks in for a complete tag on a line by itself. In the examples in the original discussion, the tag is not complete because it continues on the next line. |
Hmm, I think it’s the interruption which Condition 7 doesn’t do:
|
pkgsrc change: remove pkglint warning. 0.29.0.gfm.1 (2021-09-14) * Fixed denial of service bug in GFM's table extension per GHSA-7gc6-9qr5-hc85 0.29.0.gfm.2 (2021-09-16) * Fixed issues with footnote rendering when used with the autolinker (#121), and when footnotes are adjacent (#139). * We now allow footnotes to be referenced from inside a footnote definition, we use the footnote label for the fnref href text when rendering html, and we insert multiple backrefs when a footnote has been referenced multiple times (#229, #230) * We added new data- attributes to footnote html rendering to make them easier to style (#234) 0.29.0.gfm.3 (2022-03-03) * Fixed heap memory corruption vulnerabiliy via integer overflow per GHSA-mc3g-88wq-6f4x 0.29.0.gfm.4 (2022-05-31) * Remove source from list of HTML block elements per commonmark/commonmark-spec#710 0.29.0.gfm.5 (2022-08-25) * Added xmpp: and mailto: support to the autolink extension 0.29.0.gfm.6 (2022-09-15) * Fixed polynomial time complexity DoS vulnerability in autolink extension per GHSA-cgh3-p57x-9q7q 0.29.0.gfm.7 (2023-01-23) * Fixed CVE-2023-22486, a polynomial time complexity issue in cmark-gfm which may lead to unbounded resource exhaustion and subsequent denial of service. * Fixed CVE-2023-22485, in which a crafted markdown document could trigger an out-of-bounds read in the validate_protocol function. * Fixed CVE-2023-22484, a polynomial time complexity issue in cmark-gfm which may lead to unbounded resource exhaustion and subsequent denial of service. * Fixed CVE-2023-22483, several polynomial time complexity issues in cmark-gfm which may lead to unbounded resource exhaustion and subsequent denial of service. * We removed an unneeded .DS_Store file (#291) * We added a test for domains with underscores and fix roundtrip behavior (#292) * We now use an up-to-date clang-format (#294) * We made a variety of implicit integer truncations explicit by moving to size_t as our standard size integer type (#302) * We introduced a new flag mechanism that is used in cmark node state management, which requires clients call the cmark_init_standard_node_flags function at program startup (420c20a) The security issues were reported and resolved by @kevinbackhouse and @philipturnbull of the GitHub Security Lab 0.29.0.gfm.8 (2023-01-25) * We restored backwards compatibility by deprecating the cmark_init_standard_node_flags() requirement, which is now a noop (#305) * We added a quadratic complexity fuzzing target (#304) 0.29.0.gfm.9 Latest (2023-01-31) Code was tidied: * Use of a private header was cleaned up #248 * Man page was update #255 * Warnings for -Wstrict-prototypes were cleaned up #285 * We avoid header duplication #289 New functionality: * We now store positioning info for url_match #201 * We now expose cmark_parent_footnote_def for non-C renderers #254 * Footnote aria-label text now reference the specific footnote backref, and we include a data-footnote-backref-idx attribute so the label can be internationalized in a downstream filter #307
Following up on a conversation on talk.commonmark.org, I'm proposing to update the spec to remove the
source
element as a start condition for HTML blocks.During my research, I could not find any supporting evidence that it should be starting an HTML block and the fact that it currently does is causing difficult issues when trying to render
<video>
,<audio>
, or<picture>
tags. More details are also in the linked discussion.