Motivate extensions to upgrade to MarkdownString

[jrieken]

We will disable command-links in the (deprecated) MarkedString and extension should use the new MarkdownString for command-links.

Background

When using markdown-formatted content, VS Code supports "links" that invoke a command, like so: [Hello](command:myExt.myCommand). This is a powerful feature but has a security concern: With a carefully crafted document and an extension that creates a markdown-string from that content users can be tricked into clicking on what appears to be a link but actually executed a command. Consider the following sample:

• I happen to know that you use an extension that includes potential dangers commands, e.g. running arbitrary commands in a shell
• I make you use my library file that contains a jsdoc-comment invoking such a command via a command-link
• While coding you get a hover saying "click here for more info" which in reality runs a command

To tackle this, we ask extensions to identify their markdown contents as trusted or not. E.g. TypeScript will say it don't trust markdown contents because it doesn't generate it, it just forwards. Other extensions, esp. those that generate command-links on purpose will mark their contents as trusted. To support that we have introduced a new type, MarkdownString. The MarkdownString can be used wherever the MarkedString can be used and when constructing it, you can say if you trust the contents, e.g.

// trusted
const md = new MarkdownString('[My Cool Feature](command:myTrustedContents)')
md.isTrusted = true;

// not trusted
new MarkdownString(forgeinContentsLikeJsDoc)

[jrieken]

Extensions that are known to use command-links and that need updating during the September timeframe:

• solargraph - Deprecation - use MarkdownString for command-links castwide/vscode-solargraph#11
• vscode-translate-hover - not found?
• quokka-vscode - Deprecation - use MarkdownString for command-links wallabyjs/quokka#90
• kite - not found?
• elastic - not found?
• godot-tools - Deprecation - use MarkdownString for command-links godotengine/godot-vscode-plugin#40

[ArtemGovorov]

// trusted
new MarkdownString('[My Cool Feature](command:myTrustedContents)', true)

The MarkdownString constructor only has one parameter. Should it be:

// trusted
const md = new MarkdownString('[My Cool Feature](command:myTrustedContents)');
md.isTrusted = true;

?

[castwide]

TypeScript does not recognize MarkdownString, either as a stand-alone constant or inside the vscode namespace.

import * as vscode from 'vscode';
new MarkdownString // <- unrecognized
new vscode.MarkdownString // <- unrecognized

I'm using vscode module 1.1.5 and engine 1.5.0. I fetched vscode.d.ts from https://raw.githubusercontent.com/Microsoft/vscode/4fc690be310dd02e0ab6529c0b9bf348a8b26a19/src/vs/vscode.d.ts. Is there something I'm missing?

[jrieken]

Good catch @ArtemGovorov - me thinking about new ideas that aren't implemented yet... Yeah, today we only have the property. I'll update the samples...

[jrieken]

@castwide We will ship the 1.16 release today, then you can get the latest API by setting the engine-field in package.json to 1.16. Run npm i after that and our scripts will download the latest version of vscode.d.ts

[metaleap]

MarkedString had a property language that was actually supremely handy and that I used quite a bit. MarkdownString no longer has that. Is that coming back by any chance? It wasn't harmful and it actually proved useful. Kinda 'tabula rasa' to just throw it out and have everyone code-bloat / wheel-reinvent their own workaround via markdown's triple-backtick syntax, when vscode used to readily handle it so smoothly before.