Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not sanitise the original comment markdown #1426

Merged
merged 1 commit into from
Jul 21, 2022
Merged

Do not sanitise the original comment markdown #1426

merged 1 commit into from
Jul 21, 2022

Conversation

paskal
Copy link
Collaborator

@paskal paskal commented Jul 21, 2022

Previously it was sanitised using the HTML sanitiser, but it had proven troublesome and unnecessary. Remark42 rendered the markdown into proper HTML, but then some pieces of it (like cited HTML code inside the code block, marked by backticks) were cut out, which then showed the incorrect markdown to a user when they were editing the comment.

For example, the comment "`foo<bar>`" became "foo" after sanitising, and despite the proper render user saw only "foo" when editing the comment.

After this change, the initial comment markdown is preserved unaltered. It could contain dangerous HTML with JS, which I assume shouldn't be a problem as it's never rendered as HTML but instead supposed to be converted to HTML by the interpreter. In Remark42, it's stored in a comment.Text field and sanitised and thus safe.

I've left information about the potential danger of rendering the original markdown as-is without an interpreter in all relevant places I could find.

Resolves #1292.

@paskal
do not sanitise the original comment markdown
2449537 
Previously it was sanitised using the HTML sanitiser,
but it had proven troublesome and unnecessary.
Remark42 rendered the markdown into proper HTML, but then some pieces
of it (like cited HTML code inside the code block, marked by backticks)
were cut out, which then showed the incorrect markdown to a user when
they were editing the comment.

For example, the comment "`foo<bar>`" became "foo" after sanitising,
and despite the proper render user saw only "foo" when editing
the comment.

After this change, the initial comment markdown is preserved unaltered.
It could contain dangerous HTML with JS, which I assume shouldn't
be a problem as it's never rendered as HTML but instead supposed
to be converted to HTML by the interpreter. In Remark42, it's stored
in a comment.Text field and sanitised and thus safe.

I've left information about the potential danger of rendering
the original markdown as-is without an interpreter in
all relevant places I could find.
@paskal paskal added the backend label Jul 21, 2022
@paskal paskal added this to the v1.10.2 milestone Jul 21, 2022
@paskal paskal requested a review from umputun as a code owner July 21, 2022 21:07
@coveralls
Copy link

Pull Request Test Coverage Report for Build 2714707481

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.03%) to 84.083%
Totals Coverage Status
Change from base Build 2701444789: 0.03%
Covered Lines: 5742
Relevant Lines: 6829
💛 - Coveralls

umputun
umputun approved these changes Jul 21, 2022
View reviewed changes
Copy link
Owner

@umputun umputun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@paskal paskal merged commit 243c835 into master Jul 21, 2022
@paskal paskal deleted the paskal/disable_md_sanitize branch July 21, 2022 23:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akellbl4 akellbl4 akellbl4 approved these changes

@umputun umputun umputun approved these changes

Assignees
No one assigned
Labels
backend
Projects
None yet
Milestone
v1.11.0
Development

Successfully merging this pull request may close these issues.

Code between < and > in code blocks disappears when opened for editing
4 participants
@paskal @coveralls @umputun @akellbl4