Whitelist anchor HTML tags? #99

Closed
hrydgard opened this issue Jan 1, 2024 · 8 comments

Comments

@hrydgard

hrydgard commented Jan 1, 2024

In order to allow anchors in markdown, such as <a name="my_anchor"></a>, I have to turn on allow_dangerous_html.

Unfortunately markdown still lacks a syntax for this, although you can link to them: [jump to my_anchor](#my_anchor)

I'd like to disallow all HTML except this very particular usage, since this is still a hole in the markdown language, AFAIK. Is that possible?

@ChristianMurphy
Collaborator

Welcome @hrydgard! 👋

It is not currently a feature.
It sounds more broadly like you are looking for a configurable sanitizer.
This should be handled through #32

So this project can have a plugin roughly equivalent to https://github.com/rehypejs/rehype-sanitize on the JavaScript side.

@hrydgard
Author

hrydgard commented Jan 2, 2024

Hi, yeah, I think something like that would help. I have a related issue though that even if I allow dangerous html, the following tag is not passed through:

<iframe src="https://discordapp.com/widget?id=293316141479362560&theme=dark" width="350" height="500" allowtransparency="true" frameborder="0"></iframe>

That seems unexpected?

@wooorm
Owner

wooorm commented Jan 2, 2024

Please post the code you use. I’m pretty sure that doesn’t happen normally. It happens when you turn gfm features on, including the stripping of iframes which gfm does.

@hrydgard
Author

hrydgard commented Jan 2, 2024

```rust
// Start from the GFM preset, then ask the compiler to pass raw HTML through.
let mut markdown_options = markdown::Options::gfm();
markdown_options.compile.allow_dangerous_html = true;
```

yes, gfm, but forcing allow_dangerous_html to true. I guess that's not enough, though it sounds like it should be :)

@wooorm
Owner

wooorm commented Jan 5, 2024

Right, allow_dangerous_html doesn’t turn off the GFM tag filter turned on with gfm().
See gfm_tagfilter in CompileOptions: https://docs.rs/markdown/1.0.0-alpha.16/markdown/struct.CompileOptions.html.

I understand that you were not expecting that but I don’t see a better way. Other than adding docs to allow_dangerous_html on this? https://docs.rs/markdown/1.0.0-alpha.16/markdown/struct.CompileOptions.html#structfield.allow_dangerous_html
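A stdlib-only re-implementation of the GFM tag filter wooorm points to, next to the narrow anchor-only allowlist the issue asks for. This is an added example, not markdown-rs code: the tag list is the one from the GFM spec's "disallowed raw HTML" extension, and `anchors_only` is a hypothetical helper that assumes the exact `<a name="..."></a>` shape from the first comment.

```rust
// Tags the GFM "disallowed raw HTML" extension neutralises by turning their '<' into "&lt;".
const GFM_DISALLOWED: [&str; 9] = [
    "title", "textarea", "style", "xmp", "iframe", "noembed", "noframes", "script", "plaintext",
];

/// Lower-cased tag name found right after a '<' (an optional '/' is skipped).
fn tag_name(after_lt: &str) -> String {
    let rest = after_lt.strip_prefix('/').unwrap_or(after_lt);
    let name: String = rest.chars().take_while(|c| c.is_ascii_alphanumeric()).collect();
    name.to_ascii_lowercase()
}

/// GFM tag filter: escape only the '<' of a disallowed tag; all other HTML is left untouched.
/// This is why `allow_dangerous_html` alone still shows an iframe as text under `gfm()`.
pub fn gfm_tagfilter(html: &str) -> String {
    let mut out = String::with_capacity(html.len());
    let mut rest = html;
    while let Some(i) = rest.find('<') {
        out.push_str(&rest[..i]);
        let after = &rest[i + 1..];
        let name = tag_name(after);
        let body = after.strip_prefix('/').unwrap_or(after);
        // The spec matches the name only when followed by whitespace, '>' or '/>'.
        let delim_ok = match body[name.len()..].chars().next() {
            Some('>') | Some('/') => true,
            Some(c) => c.is_whitespace(),
            None => false,
        };
        let filtered = delim_ok && GFM_DISALLOWED.contains(&name.as_str());
        out.push_str(if filtered { "&lt;" } else { "<" });
        rest = after;
    }
    out.push_str(rest);
    out
}

/// Hypothetical allowlist for the original request: keep exactly `<a name="NAME"></a>`
/// (NAME in [A-Za-z0-9_-]+, no other attributes) and escape every other '<'.
pub fn anchors_only(html: &str) -> String {
    let mut out = String::with_capacity(html.len());
    let mut rest = html;
    while let Some(i) = rest.find('<') {
        out.push_str(&rest[..i]);
        rest = &rest[i..];
        let accepted = rest.strip_prefix("<a name=\"").and_then(|v| {
            let n = v.bytes().take_while(|b| b.is_ascii_alphanumeric() || *b == b'_' || *b == b'-').count();
            // 9 bytes for `<a name="`, n for NAME, 6 for `"></a>`.
            if n > 0 && v[n..].starts_with("\"></a>") { Some(9 + n + 6) } else { None }
        });
        match accepted {
            Some(len) => { out.push_str(&rest[..len]); rest = &rest[len..]; }
            None => { out.push_str("&lt;"); rest = &rest[1..]; }
        }
    }
    out.push_str(rest);
    out
}
```

The Discord embed from the second comment comes out as `&lt;iframe ...>&lt;/iframe>` from `gfm_tagfilter`, which is the "not passed through" behaviour reported above, while `<a name="my_anchor"></a>` survives both functions.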

@hrydgard
Author

hrydgard commented Jan 5, 2024

Oh, didn't realize gfm_tagfilter was even a thing. Yes, I think a comment in the docs of allow_dangerous_html is a good way to go.

The name allow_dangerous_html really feels like it should automatically allow all html tags since it doesn't make much sense to allow some dangerous but not some more benign ones! So documenting that it doesn't do that makes sense.

@wooorm wooorm closed this as completed in 60db8e5 Jan 10, 2024
@wooorm
Owner

wooorm commented Jan 10, 2024

Added a note! But: “I didn’t realize gfm_tagfilter was a thing” sounds like you should also read what things happen when you gfm()!

@hrydgard
Author

Yeah, you're absolutely right about that :)
