Align list of supported tags in rendered markdown (#161544)
This expands the list of html tags we allow in markdown. To get this list, I've copied the list of tags from `markdownDocumentRenderer` into `dom` after reviewing them. For #134514, I've also added `video` to the list of allowed tags.
This commit is contained in:
parent
93836c720c
commit
2a4fb40a6e
|
@ -8,21 +8,27 @@ import MarkdownIt from 'markdown-it';
|
|||
import type * as MarkdownItToken from 'markdown-it/lib/token';
|
||||
import type { ActivationFunction } from 'vscode-notebook-renderer';
|
||||
|
||||
const allowedHtmlTags = Object.freeze([
|
||||
'a',
|
||||
const allowedHtmlTags = Object.freeze(['a',
|
||||
'abbr',
|
||||
'b',
|
||||
'bdo',
|
||||
'blockquote',
|
||||
'br',
|
||||
'button',
|
||||
'caption',
|
||||
'center',
|
||||
'cite',
|
||||
'code',
|
||||
'col',
|
||||
'colgroup',
|
||||
'dd',
|
||||
'del',
|
||||
'details',
|
||||
'dfn',
|
||||
'div',
|
||||
'dl',
|
||||
'dt',
|
||||
'em',
|
||||
'font',
|
||||
'figcaption',
|
||||
'figure',
|
||||
'h1',
|
||||
'h2',
|
||||
'h3',
|
||||
|
@ -32,16 +38,23 @@ const allowedHtmlTags = Object.freeze([
|
|||
'hr',
|
||||
'i',
|
||||
'img',
|
||||
'input',
|
||||
'ins',
|
||||
'kbd',
|
||||
'label',
|
||||
'li',
|
||||
'mark',
|
||||
'ol',
|
||||
'p',
|
||||
'pre',
|
||||
'select',
|
||||
'q',
|
||||
'rp',
|
||||
'rt',
|
||||
'ruby',
|
||||
'samp',
|
||||
'small',
|
||||
'small',
|
||||
'span',
|
||||
'strike',
|
||||
'strong',
|
||||
'sub',
|
||||
'summary',
|
||||
|
@ -49,15 +62,17 @@ const allowedHtmlTags = Object.freeze([
|
|||
'table',
|
||||
'tbody',
|
||||
'td',
|
||||
'textarea',
|
||||
'tfoot',
|
||||
'th',
|
||||
'thead',
|
||||
'time',
|
||||
'tr',
|
||||
'tt',
|
||||
'u',
|
||||
'ul',
|
||||
'var',
|
||||
'video',
|
||||
'wbr',
|
||||
]);
|
||||
|
||||
const allowedSvgTags = Object.freeze([
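Review bot: This notebook allowlist is not actually aligned with the shared list the commit introduces: it contains the form-control tags `'button'`, `'input'`, `'select'` and `'textarea'` plus the presentational `'font'` and `'center'`, none of which appear in `basicMarkupHtmlTags` in dom.ts, so the notebook renderer keeps accepting interactive form markup in markdown cells that the workbench renderers reject. Whether those entries are added by this commit or pre-existing is not recoverable from the rendered page, but either way the divergence should be deliberate and documented, e.g. `// Superset of basicMarkupHtmlTags (vs/base/browser/dom.ts): notebook markdown additionally permits form controls (button, input, select, textarea) and font/center; keep in sync when that list changes.` above the `const`. `'small'` is also listed twice, which is harmless to DOMPurify but looks like a copy slip. The `allowedHtmlTags` statement spans all three hunks and its body continues between them outside the visible lines.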
|
||||
|
|
|
@ -1363,6 +1363,77 @@ const defaultSafeProtocols = [
|
|||
Schemas.command,
|
||||
];
|
||||
|
||||
/**
|
||||
* List of safe, non-input html tags.
|
||||
*/
|
||||
export const basicMarkupHtmlTags = Object.freeze([
|
||||
'a',
|
||||
'abbr',
|
||||
'b',
|
||||
'bdo',
|
||||
'blockquote',
|
||||
'br',
|
||||
'caption',
|
||||
'cite',
|
||||
'code',
|
||||
'col',
|
||||
'colgroup',
|
||||
'dd',
|
||||
'del',
|
||||
'details',
|
||||
'dfn',
|
||||
'div',
|
||||
'dl',
|
||||
'dt',
|
||||
'em',
|
||||
'figcaption',
|
||||
'figure',
|
||||
'h1',
|
||||
'h2',
|
||||
'h3',
|
||||
'h4',
|
||||
'h5',
|
||||
'h6',
|
||||
'hr',
|
||||
'i',
|
||||
'img',
|
||||
'ins',
|
||||
'kbd',
|
||||
'label',
|
||||
'li',
|
||||
'mark',
|
||||
'ol',
|
||||
'p',
|
||||
'pre',
|
||||
'q',
|
||||
'rp',
|
||||
'rt',
|
||||
'ruby',
|
||||
'samp',
|
||||
'small',
|
||||
'small',
|
||||
'span',
|
||||
'strike',
|
||||
'strong',
|
||||
'sub',
|
||||
'summary',
|
||||
'sup',
|
||||
'table',
|
||||
'tbody',
|
||||
'td',
|
||||
'tfoot',
|
||||
'th',
|
||||
'thead',
|
||||
'time',
|
||||
'tr',
|
||||
'tt',
|
||||
'u',
|
||||
'ul',
|
||||
'var',
|
||||
'video',
|
||||
'wbr',
|
||||
]);
|
||||
|
||||
/**
|
||||
* Sanitizes the given `value` and reset the given `node` with it.
|
||||
*/
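Review bot: The doc comment `List of safe, non-input html tags.` overstates what this list guarantees: `img` and the newly added `video` both fetch external resources through `src`, and `a`/`href` is in here too, so the list is only "safe" when the consumer also restricts attributes and routes `href`/`src` through `hookDomPurifyHrefAndSrcSanitizer` (imported by the document renderer in this same commit); on its own it says nothing about attributes or protocols. Suggest replacing the comment with `* Basic markup tags with no script, style, form-control or embedding (iframe/object/embed) elements. img/video/a still load or navigate to URLs, so callers must pair this with an attribute allowlist and the href/src sanitizer hook.` Nit: `'small'` appears twice in the frozen array; DOMPurify tolerates the duplicate but it should be removed so the list reads as a set.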
|
||||
|
|
|
@ -380,7 +380,7 @@ function getSanitizerOptions(options: { readonly isTrusted?: boolean }): { confi
|
|||
// Since we have our own sanitize function for marked, it's possible we missed some tag so let dompurify make sure.
|
||||
// HTML tags that can result from markdown are from reading https://spec.commonmark.org/0.29/
|
||||
// HTML table tags that can result from markdown are from https://github.github.com/gfm/#tables-extension-
|
||||
ALLOWED_TAGS: ['ul', 'li', 'p', 'b', 'i', 'code', 'blockquote', 'ol', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'em', 'pre', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'div', 'del', 'a', 'strong', 'br', 'img', 'span'],
|
||||
ALLOWED_TAGS: [...DOM.basicMarkupHtmlTags],
|
||||
ALLOWED_ATTR: ['href', 'data-href', 'target', 'title', 'src', 'alt', 'class', 'style', 'data-code', 'width', 'height', 'align'],
|
||||
ALLOW_UNKNOWN_PROTOCOLS: true,
|
||||
},
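Review bot: The two comments above `ALLOWED_TAGS` are now stale: they justify the allowlist as the tags "that can result from markdown" per the CommonMark spec and the GFM tables extension, but the new value `[...DOM.basicMarkupHtmlTags]` is the much broader shared list (details/summary, label, time, ruby, video and so on), which raw HTML in markdown can now pass through. Replace them with something like `// Allow the shared basic-markup set (DOM.basicMarkupHtmlTags); ALLOWED_ATTR below still decides which attributes survive on those tags.` Because `ALLOW_UNKNOWN_PROTOCOLS: true` and the `src`/`style` attributes are kept while `video` is newly accepted, the safety of `<video src>` now rests on the href/src sanitizer hook being installed by the caller, which is not visible in this hunk and worth confirming. `getSanitizerOptions` begins and ends outside the hunk.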
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
* Licensed under the MIT License. See License.txt in the project root for license information.
|
||||
*--------------------------------------------------------------------------------------------*/
|
||||
|
||||
import { hookDomPurifyHrefAndSrcSanitizer } from 'vs/base/browser/dom';
|
||||
import { hookDomPurifyHrefAndSrcSanitizer, basicMarkupHtmlTags } from 'vs/base/browser/dom';
|
||||
import * as dompurify from 'vs/base/browser/dompurify/dompurify';
|
||||
import { marked } from 'vs/base/common/marked/marked';
|
||||
import { Schemas } from 'vs/base/common/network';
|
||||
|
@ -159,10 +159,9 @@ function sanitize(documentContent: string, allowUnknownProtocols: boolean): stri
|
|||
return dompurify.sanitize(documentContent, {
|
||||
...{
|
||||
ALLOWED_TAGS: [
|
||||
'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'h7', 'h8', 'br', 'b', 'i', 'strong', 'em', 'a', 'pre', 'code', 'img', 'tt',
|
||||
'div', 'ins', 'del', 'sup', 'sub', 'p', 'ol', 'ul', 'table', 'thead', 'tbody', 'tfoot', 'blockquote', 'dl', 'dt',
|
||||
'dd', 'kbd', 'q', 'samp', 'var', 'hr', 'ruby', 'rt', 'rp', 'li', 'tr', 'td', 'th', 's', 'strike', 'summary', 'details',
|
||||
'caption', 'figure', 'figcaption', 'abbr', 'bdo', 'cite', 'dfn', 'mark', 'small', 'span', 'time', 'wbr', 'checkbox', 'checklist', 'vertically-centered'
|
||||
...basicMarkupHtmlTags,
|
||||
'checkbox',
|
||||
'checklist',
|
||||
],
|
||||
ALLOWED_ATTR: [
|
||||
'href', 'data-href', 'data-command', 'target', 'title', 'name', 'src', 'alt', 'class', 'id', 'role', 'tabindex', 'style', 'data-code',
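Review bot: Switching to `...basicMarkupHtmlTags` silently drops entries the old `ALLOWED_TAGS` had: `'s'` (only `strike` remains in the shared list), `'vertically-centered'`, and the non-standard `'h7'`/`'h8'`; any release-notes or walkthrough document using `<s>` or the `vertically-centered` custom element will now have those elements stripped by DOMPurify rather than rendered. If that is intended it deserves a note in the commit, otherwise keep them alongside the other renderer-specific names: `'checkbox',` / `'checklist',` / `'s', 'vertically-centered',`. The `sanitize` function's remaining options and return continue past the end of the hunk.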
|
||||
|
|