utils/html: Provide full control of allowed HTML elements via the configuration file #1007
Conversation
pkvach
changed the title
pkvach
force-pushed
the
fix/remove-hardcoded-allowed-elements-attributes
branch
from
b2136e1
to
fd92ccb
Compare
pkvach
changed the title
pkvach
force-pushed
the
fix/remove-hardcoded-allowed-elements-attributes
branch
from
fd92ccb
to
5cd17a7
Compare
There was a problem hiding this comment.
Thank you for tackling this. I will write my more detailed thoughts on this down later.
For now:
- Keep in mind that this is a massive footgun for people who used this feature as intended and now all their styling is gone.
- The whole markdown rendering configuration is extremely un-intuitive and error prone. We essentially only pass through tunables to
misakaandbleachinstead of providing the admin with sane options. - People expecting GitHub-flavored Markdown (GHFM) to just work are massively let down.
pkvach
force-pushed
the
fix/remove-hardcoded-allowed-elements-attributes
branch
from
5cd17a7
to
1cd4a0c
Compare
Thanks for the thoughtful feedback! I appreciate you taking the time to consider the impact on existing users. Backwards compatibility is a valid concern. If you have any ideas on how we might mitigate disruption or implement the changes more seamlessly, I'd be happy to hear them. |
My biggest concern with this particular PR would be users who have copied a sample config file a few years ago that contained I have a few ideas, none of them perfect:
The config parser silently merging the default config with a user-supplied one also doesn't make things easier here. As for general thoughts on our markdown rendering: Do we really want to make incremental improvements to this pile of hacks or would energy better be spent overhauling the thing and making it radically more user-friendly? I'm happy to review and merge PRs for incremental fixes, but it feels more like treading water than tackling the real issue. Note also that both |
|
Thank you for your thoughts on this.
I've been thinking about that option as well, and I'm leaning more towards it. I will try to move in that direction. |
pkvach
changed the title
|
Made changes to PR with alternative option: added new configuration option |
|
Hey @pkvach, your solution is well-written code-wise, but I still would like to receive some (more) input from actual users regarding their experiences and expectations with markdown/HTML allowlist handling. How do other commenting systems (Commento, Remark42, ...) handle element/attribute whitelisting, if at all? |
|
Thanks for the feedback, @ix5 . |
- Added new configuration option "strictly-allowed-html-elements" to specify only allowed HTML tags in the generated output. - Allowed "mark" and "u" elements for "highlight" and "underline" Markup extensions. - Updated "allowed-elements" in configuration files to include "tr". Fixes isso-comments#751
pkvach
force-pushed
the
fix/remove-hardcoded-allowed-elements-attributes
branch
from
3cab0c4
to
863c4b7
Compare
|
It seems that both "Remark42" and "Commento" systems do not provide the ability to specify a list of allowed elements in the configuration. Same for "Disqus". Both use a processor for Markdown: Remark42 also uses a sanitizer: |
|
Thank you for your extensive research! At the moment, I'm too much occupied with IRL things to delve deeper into this and make a decision. Maybe one of @jelmer, @BBaoVanC, @stefangehn @fluffy-critter would care to comment and try to form some kind of consensus. |
There was a problem hiding this comment.
I like the change in general but keeping both configuration variants around looks confusing to me. I would rather suggest to deprecate the old setting and replace it with the new one.
what about this logic:
- introduce
allowed-html-elementskey and have a default value for it based on the hardcoded list in the middle of the code - add the list of
allowed-elementson top of what the
allowed-html-elementsalready provided - warn when any items from
allowed-elementswere added, pointing users to migrate their config toallowed-html-elementsin the future - drop the
allowed-elementskey from the default/example configuration file so no new users start using it
Checklist
CHANGES.rstbecause this is a user-facing change or an important bugfixWhat changes does this Pull Request introduce?
These changes provide full control over the management of
allowed-elementsandallowed-attributesthrough the configuration file.isso-dev.cfg,server-config.rst, andisso.cfg.test_html.pyto reflect the new configurable approach for allowed elements and attributes.Why is this necessary?
Fixes #751