New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTML renderer should distinguish between block and inline HTML #1745
Comments
It looks like it is the sanitization that is closing the open tag before the text then removing the close tag after the text. Opening and closing inline html tags are tokenized separately so sanitize html is seeing You can see the difference in tokenization in the v0.8.0 demo and the v1.1.1 demo |
Appreciate the look... I'll retest it again... however... Re:
But my test in dev is this from right above that code a few lines: function sanitize(aHtml) {
//return sanitizeHtml(aHtml, htmlWhitelistPost);
return aHtml; // Test disabling sanitizer
} ... and it still comes back with: <kbd></kbd>Ctrl + <kbd></kbd>Shift + <kbd></kbd>i Here's the retest with no sanitization in dev. Same issue which seems to be highly pointing to marked: If I do this here: exports.renderMd = function (aText) {
//return marked(aText);
return aText;
}; ... then all is well with the native html (md isn't processed so it's mostly md but the Ctrl + Shift + i is not having issues with sanitizing): |
it looks like the line |
That's just the final sanitized String results (which are bypassed in dev atm from item 2 above and retested/reshown in the first screen cap above) i.e. no change for this equivalent of documentFragment implementation in node. I'm thinking more along the lines of the When I get a few extra cycles I'll try it in latest node@14.x and see if it's a latest node@12.x issue specific to something this package utilizes. EDIT: Same issue in node@14.x. As I mentioned above this is one weird issue. :\ Misc references for myself here:
|
yes but it does change the string. JSDom must be doing some sort of sanitization when setting
|
Interesting guess and still appreciate the thoughts but... It's just a filter for It is highly improbable that two extensions/packages would cause this issue not to mention the fact that marked@0.8.0 works perfectly. It's more probable that there is something broken in marked. If given a choice between insecure HTML, losing Those renderer changes are quite notable between 0.8.0 an 0.8.1 and perhaps it can't be utilized the way we are doing it with overriding the rendering or it's broken for extending the I'll try backing out the relevant changes in marked manually in dev to see if that helps (or breaks which is always possible). NOTE: This will change a bit during debugging.
@@ -1,6 +1,6 @@
"version": "7.1.0",
"resolved": "https://registry.npmjs.org/acorn/-/acorn-7.1.0.tgz",
"integrity": "sha512-kL5CuoXA/dgxlBbVrflsflzQ3PAas7RYZB52NOm/6839iVYJgKMJ3cQJD+t2i5+qFa8h3MDpEOJiS64E8JLnSQ==",
"version": "7.1.1",
"resolved": "https://registry.npmjs.org/acorn/-/acorn-7.1.1.tgz",
"integrity": "sha512-add7dgA5ppRPxCFJoAGfMDi7PIBXq1RtGo7BhbLaxwrXPOmw8gq48Y9ozT01hUKy9byMjlR20EJhu5zlkErEkg==", ... acorn changed.
Now I get to go see what changed there. --- ./InlineLexer.js 1985-10-26 02:15:00.000000000 -0600
+++ ~/tmp/marked.0.8.0/src/InlineLexer.js 1985-10-26 02:15:00.000000000 -0600
@@ -82,11 +82,11 @@
}
src = src.substring(cap[0].length);
- out += this.renderer.html(this.options.sanitize
- ? (this.options.sanitizer
+ out += this.options.sanitize
+ ? this.options.sanitizer
? this.options.sanitizer(cap[0])
- : escape(cap[0]))
- : cap[0]);
+ : escape(cap[0])
+ : cap[0];
continue;
}
|
It was actually the fix in #1602 that you pointed out that makes this happen. Here is what is happening:
The issue is that your renderer is treating inline html tags as a block of html. Maybe we could tell the html renderer whether it is inline or not and your render function can ignore inline html tokens? |
Understand what you mean now. The granularity of the A couple of things that need clarification before I attempt to answer your question.
So basically we've tried just about everything that we know of in positioning the sanitizer and the mentioner in various places. So to attempt to have an answer for your question of:
Some sort of Another note loosely related to this: When using HTML |
Maybe but that would be a breaking change and we would like to reduce the number of breaking changes due to the number of dependents. If there is a non-breaking way it would be better to do that now and implement the breaking change later.
It does when I try it. It calls the |
Hmmm... dev which is node@14.x atm isn't sanitizing it. On production it's sanitizing it (temporarily put it up something similar at the same section of "Debugging" under Falkon) which is node@12.x. Will look into this later. Could be another weird artifact of the breaking change from 0.8.0 to 0.8.1. Thanks for the newer feature recommendations and clarifications on which ones are dual. Will look into tokenizer as soon as I can.
Understood. That's why I asked if there were any other renderers that have the same possibilities as html... you said yes so your idea is probably the best esp. if they grow. :) |
kbd
tag
Describe the bug
<kbd>key</kbd>
doesn't seem to be generating correctly for us. See final rendered output at https://openuserjs.org/about/Falkon#debugging and source for this file here.See also:
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen.
With anything after 0.8.0 the output gets rendered to html roughly as
... and more specifically at our document page source with html raw copy of inspection i.e. no line break for clarity:
I realize the demo page doesn't appear to be doing this over there however this is one weird issue.
Should be (and used to be with 0.8.0 of marked):
See also:
Any help on understanding this change from 0.8.0 would be greatly appreciated. :) I also hope this issue is not replicated but I did do a brief search on this repo including code for
kbd
and only found thesmartypants
option which we've never used.Tested in:
The text was updated successfully, but these errors were encountered: