Render html in heading

[UziTech]

Marked version: 0.8.1

Description

• Add html to TextRenderer for html in headings.
• Fix Slugger to remove html tags.

Fixes #1621

Contributor

• Test(s) exist to ensure functionality and minimize regression

Committer

In most cases, this should be a different person than the contributor.

• Draft GitHub release notes have been updated.
• CI is green (no forced merge required).
• Merge PR

[vercel]

This pull request is being automatically deployed with ZEIT Now (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://zeit.co/markedjs/markedjs/6rqwcwe36
✅ Preview: https://markedjs-git-fork-uzitech-render-html.markedjs.now.sh

[styfle]

Nice, thanks!

[UziTech]

@davisjam could you check that /<!?\/?[\w-]+(?: .*)?\/?>/g isn't vulnerable to redos?

[joshbruce]

Would like to hold off on my approval until @davisjam (or someone) can review for REDOS.

[Gerrit0]

According to http://redos-checker.surge.sh/, it is vulnerable, which makes sense since the lookahead can also match characters in [\w-]+. I suggest /<[!\/\w-].*?>/g, which provides mostly similar results without being vulnerable.

That said, both of these options break rather easily... regex isn't a good html parser. The <em> test added implies that the contents within a tag should be preserved... but what should be done here?

<a href="BREAK>" target="_blank">tag</a>

[UziTech]

?: isn't a look ahead. It is a non-capturing group. And http://redos-checker.surge.sh says <!?\/?[\w-]+(?: .*\/?>|\/?>) is not vulnerable which is the same as <!?\/?[\w-]+(?: .*)?\/?>.

safe-regex which is used by http://redos-checker.surge.sh just checks the star height of the regex so it has a lot of false positives. It is designed so if it says it is NOT vulnerable than you know it is safe but if it says it is vulnerable it still might not be vulnerable.

as for the <a href="BREAK>" target="_blank">tag</a> example CommonMark/GFM spec says '>' must be percent encoded in valid markdown so it is ok to assume '>' is the end of a tag.

[UziTech]

That being said your regex might be better since it is simpler. I would like to match GitHub but I don't know what regex GitHub uses for it's heading ids.

[UziTech]

I simplified the regex to /<[!\/a-z].*?>/ig so it must start with a !, /, or a letter to be considered an html tag.

@joshbruce this regex is definitely not vulnerable.

[joshbruce]

I’m finding myself being pulled to family and friends at the moment. Can we temporarily move to a single review model - as long as it doesn’t introduce a security vulnerability? Further, if it does, the only required review would be for the security piece?

[joshbruce]

Not in a position to complete second approves flow. @styfle??

[UziTech]

I got it.