Align list of supported tags in rendered markdown (#161544)

This expands the list of html tags we allow in markdown. To get this list, I've copied the list of tags from `markdownDocumentRenderer` into `dom` after reviewing them For #134514, I've also added `video` to the list of allowed tags
2024-07-17 02:57:19 +00:00 · 2022-09-22 18:25:48 -07:00 · 2022-09-22 18:25:48 -07:00 · 2a4fb40a6e
parent 93836c720c
commit 2a4fb40a6e
4 changed files with 99 additions and 14 deletions
--- a/extensions/markdown-language-features/notebook/index.ts
+++ b/extensions/markdown-language-features/notebook/index.ts
@ -8,21 +8,27 @@ import MarkdownIt from 'markdown-it';
 import type * as MarkdownItToken from 'markdown-it/lib/token';
 import type { ActivationFunction } from 'vscode-notebook-renderer';

-const allowedHtmlTags = Object.freeze([
-	'a',
+const allowedHtmlTags = Object.freeze(['a',
+	'abbr',
 	'b',
+	'bdo',
 	'blockquote',
 	'br',
-	'button',
 	'caption',
-	'center',
+	'cite',
 	'code',
 	'col',
 	'colgroup',
+	'dd',
+	'del',
 	'details',
+	'dfn',
 	'div',
+	'dl',
+	'dt',
 	'em',
-	'font',
+	'figcaption',
+	'figure',
 	'h1',
 	'h2',
 	'h3',
@ -32,16 +38,23 @@ const allowedHtmlTags = Object.freeze([
 	'hr',
 	'i',
 	'img',
-	'input',
+	'ins',
 	'kbd',
 	'label',
 	'li',
+	'mark',
 	'ol',
 	'p',
 	'pre',
-	'select',
+	'q',
+	'rp',
+	'rt',
+	'ruby',
+	'samp',
+	'small',
 	'small',
 	'span',
+	'strike',
 	'strong',
 	'sub',
 	'summary',
@ -49,15 +62,17 @@ const allowedHtmlTags = Object.freeze([
 	'table',
 	'tbody',
 	'td',
-	'textarea',
 	'tfoot',
 	'th',
 	'thead',
+	'time',
 	'tr',
 	'tt',
 	'u',
 	'ul',
+	'var',
 	'video',
+	'wbr',
 ]);

 const allowedSvgTags = Object.freeze([
--- a/src/vs/base/browser/dom.ts
+++ b/src/vs/base/browser/dom.ts
@ -1363,6 +1363,77 @@ const defaultSafeProtocols = [
 	Schemas.command,
 ];

+/**
+ * List of safe, non-input html tags.
+ */
+export const basicMarkupHtmlTags = Object.freeze([
+	'a',
+	'abbr',
+	'b',
+	'bdo',
+	'blockquote',
+	'br',
+	'caption',
+	'cite',
+	'code',
+	'col',
+	'colgroup',
+	'dd',
+	'del',
+	'details',
+	'dfn',
+	'div',
+	'dl',
+	'dt',
+	'em',
+	'figcaption',
+	'figure',
+	'h1',
+	'h2',
+	'h3',
+	'h4',
+	'h5',
+	'h6',
+	'hr',
+	'i',
+	'img',
+	'ins',
+	'kbd',
+	'label',
+	'li',
+	'mark',
+	'ol',
+	'p',
+	'pre',
+	'q',
+	'rp',
+	'rt',
+	'ruby',
+	'samp',
+	'small',
+	'small',
+	'span',
+	'strike',
+	'strong',
+	'sub',
+	'summary',
+	'sup',
+	'table',
+	'tbody',
+	'td',
+	'tfoot',
+	'th',
+	'thead',
+	'time',
+	'tr',
+	'tt',
+	'u',
+	'ul',
+	'var',
+	'video',
+	'wbr',
+]);
+
 /**
 * Sanitizes the given `value` and reset the given `node` with it.
 */
--- a/src/vs/base/browser/markdownRenderer.ts
+++ b/src/vs/base/browser/markdownRenderer.ts
@ -380,7 +380,7 @@ function getSanitizerOptions(options: { readonly isTrusted?: boolean }): { confi
 			// Since we have our own sanitize function for marked, it's possible we missed some tag so let dompurify make sure.
 			// HTML tags that can result from markdown are from reading https://spec.commonmark.org/0.29/
 			// HTML table tags that can result from markdown are from https://github.github.com/gfm/#tables-extension-
-			ALLOWED_TAGS: ['ul', 'li', 'p', 'b', 'i', 'code', 'blockquote', 'ol', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'em', 'pre', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'div', 'del', 'a', 'strong', 'br', 'img', 'span'],
+			ALLOWED_TAGS: [...DOM.basicMarkupHtmlTags],
 			ALLOWED_ATTR: ['href', 'data-href', 'target', 'title', 'src', 'alt', 'class', 'style', 'data-code', 'width', 'height', 'align'],
 			ALLOW_UNKNOWN_PROTOCOLS: true,
 		},
--- a/src/vs/workbench/contrib/markdown/browser/markdownDocumentRenderer.ts
+++ b/src/vs/workbench/contrib/markdown/browser/markdownDocumentRenderer.ts
@ -3,7 +3,7 @@
 *  Licensed under the MIT License. See License.txt in the project root for license information.
 *--------------------------------------------------------------------------------------------*/

-import { hookDomPurifyHrefAndSrcSanitizer } from 'vs/base/browser/dom';
+import { hookDomPurifyHrefAndSrcSanitizer, basicMarkupHtmlTags } from 'vs/base/browser/dom';
 import * as dompurify from 'vs/base/browser/dompurify/dompurify';
 import { marked } from 'vs/base/common/marked/marked';
 import { Schemas } from 'vs/base/common/network';
@ -159,10 +159,9 @@ function sanitize(documentContent: string, allowUnknownProtocols: boolean): stri
 		return dompurify.sanitize(documentContent, {
 			...{
 				ALLOWED_TAGS: [
-					'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'h7', 'h8', 'br', 'b', 'i', 'strong', 'em', 'a', 'pre', 'code', 'img', 'tt',
-					'div', 'ins', 'del', 'sup', 'sub', 'p', 'ol', 'ul', 'table', 'thead', 'tbody', 'tfoot', 'blockquote', 'dl', 'dt',
-					'dd', 'kbd', 'q', 'samp', 'var', 'hr', 'ruby', 'rt', 'rp', 'li', 'tr', 'td', 'th', 's', 'strike', 'summary', 'details',
-					'caption', 'figure', 'figcaption', 'abbr', 'bdo', 'cite', 'dfn', 'mark', 'small', 'span', 'time', 'wbr', 'checkbox', 'checklist', 'vertically-centered'
+					...basicMarkupHtmlTags,
+					'checkbox',
+					'checklist',
 				],
 				ALLOWED_ATTR: [
 					'href', 'data-href', 'data-command', 'target', 'title', 'name', 'src', 'alt', 'class', 'id', 'role', 'tabindex', 'style', 'data-code',