Skip to content

Do not sanitise the original comment markdown#1426

Merged
paskal merged 1 commit intomasterfrom
paskal/disable_md_sanitize
Jul 21, 2022
Merged

Do not sanitise the original comment markdown#1426
paskal merged 1 commit intomasterfrom
paskal/disable_md_sanitize

Conversation

@paskal
Copy link
Copy Markdown
Collaborator

@paskal paskal commented Jul 21, 2022

Previously it was sanitised using the HTML sanitiser, but it had proven troublesome and unnecessary. Remark42 rendered the markdown into proper HTML, but then some pieces of it (like cited HTML code inside the code block, marked by backticks) were cut out, which then showed the incorrect markdown to a user when they were editing the comment.

For example, the comment "`foo<bar>`" became "foo" after sanitising, and despite the proper render user saw only "foo" when editing the comment.

After this change, the initial comment markdown is preserved unaltered. It could contain dangerous HTML with JS, which I assume shouldn't be a problem as it's never rendered as HTML but instead supposed to be converted to HTML by the interpreter. In Remark42, it's stored in a comment.Text field and sanitised and thus safe.

I've left information about the potential danger of rendering the original markdown as-is without an interpreter in all relevant places I could find.

Resolves #1292.

@paskal
do not sanitise the original comment markdown
2449537 
Previously it was sanitised using the HTML sanitiser,
but it had proven troublesome and unnecessary.
Remark42 rendered the markdown into proper HTML, but then some pieces
of it (like cited HTML code inside the code block, marked by backticks)
were cut out, which then showed the incorrect markdown to a user when
they were editing the comment.

For example, the comment "`foo<bar>`" became "foo" after sanitising,
and despite the proper render user saw only "foo" when editing
the comment.

After this change, the initial comment markdown is preserved unaltered.
It could contain dangerous HTML with JS, which I assume shouldn't
be a problem as it's never rendered as HTML but instead supposed
to be converted to HTML by the interpreter. In Remark42, it's stored
in a comment.Text field and sanitised and thus safe.

I've left information about the potential danger of rendering
the original markdown as-is without an interpreter in
all relevant places I could find.
@paskal paskal added the backend label Jul 21, 2022
@paskal paskal added this to the v1.10.2 milestone Jul 21, 2022
@paskal paskal requested a review from umputun as a code owner July 21, 2022 21:07
@coveralls
Copy link
Copy Markdown

coveralls commented Jul 21, 2022

Pull Request Test Coverage Report for Build 2714707481

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.03%) to 84.083%
Totals Coverage Status
Change from base Build 2701444789: 0.03%
Covered Lines: 5742
Relevant Lines: 6829
💛 - Coveralls

umputun
umputun approved these changes Jul 21, 2022
View reviewed changes
Copy link
Copy Markdown
Owner

@umputun umputun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@paskal paskal merged commit 243c835 into master Jul 21, 2022
@paskal paskal deleted the paskal/disable_md_sanitize branch July 21, 2022 23:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@umputun umputun umputun approved these changes

@akellbl4 akellbl4 akellbl4 approved these changes

Assignees

No one assigned

Labels

backend

Projects

None yet

Milestone

v1.11.0

Development

Successfully merging this pull request may close these issues.

Code between < and > in code blocks disappears when opened for editing

4 participants

@paskal @coveralls @umputun @akellbl4