From 2a4fb40a6e92b5ff024a3b32ba91d3ced2677a34 Mon Sep 17 00:00:00 2001
From: Matt Bierner
Date: Thu, 22 Sep 2022 18:25:48 -0700
Subject: [PATCH] Align list of supported tags in rendered markdown (#161544)

This expands the list of html tags we allow in markdown. To get this list, I've copied the list of tags from `markdownDocumentRenderer` into `dom` after reviewing them
For #134514, I've also added `video` to the list of allowed tags
---
 .../notebook/index.ts | 31 +++++---
 src/vs/base/browser/dom.ts | 71 +++++++++++++++++++
 src/vs/base/browser/markdownRenderer.ts | 2 +-
 .../browser/markdownDocumentRenderer.ts | 9 ++-
 4 files changed, 99 insertions(+), 14 deletions(-)

diff --git a/extensions/markdown-language-features/notebook/index.ts b/extensions/markdown-language-features/notebook/index.ts
index 06fc8a5f9e2..5728903e212 100644
--- a/extensions/markdown-language-features/notebook/index.ts
+++ b/extensions/markdown-language-features/notebook/index.ts
@@ -8,21 +8,27 @@ import MarkdownIt from 'markdown-it';
 import type * as MarkdownItToken from 'markdown-it/lib/token';
 import type { ActivationFunction } from 'vscode-notebook-renderer';
 
-const allowedHtmlTags = Object.freeze([
-	'a',
+const allowedHtmlTags = Object.freeze(['a',
+	'abbr',
 	'b',
+	'bdo',
 	'blockquote',
 	'br',
-	'button',
 	'caption',
-	'center',
+	'cite',
 	'code',
 	'col',
 	'colgroup',
+	'dd',
+	'del',
 	'details',
+	'dfn',
 	'div',
+	'dl',
+	'dt',
 	'em',
-	'font',
+	'figcaption',
+	'figure',
 	'h1',
 	'h2',
 	'h3',
@@ -32,16 +38,23 @@ const allowedHtmlTags = Object.freeze([
 	'hr',
 	'i',
 	'img',
-	'input',
+	'ins',
 	'kbd',
 	'label',
 	'li',
+	'mark',
 	'ol',
 	'p',
 	'pre',
-	'select',
+	'q',
+	'rp',
+	'rt',
+	'ruby',
+	'samp',
+	'small',
 	'small',
 	'span',
+	'strike',
 	'strong',
 	'sub',
 	'summary',
@@ -49,15 +62,17 @@ const allowedHtmlTags = Object.freeze([
 	'table',
 	'tbody',
 	'td',
-	'textarea',
 	'tfoot',
 	'th',
 	'thead',
+	'time',
 	'tr',
 	'tt',
 	'u',
 	'ul',
+	'var',
 	'video',
+	'wbr',
 ]);
 
 const allowedSvgTags = Object.freeze([
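Review bot: The added `'small'` in the second hunk sits directly above a context line that is also `'small'`, so the notebook renderer's allow list now contains that entry twice; drop the added line. This list is now maintained by hand in two places (the extension cannot import `basicMarkupHtmlTags` from `vs/base/browser/dom`), and nothing in the file records that they are meant to match, so a one-line comment above the declaration such as `// Keep in sync with basicMarkupHtmlTags in src/vs/base/browser/dom.ts` would stop the two lists drifting the next time a tag is added. Removing `button`, `input`, `select`, `textarea`, `center` and `font` is the right direction; `label` is kept, which is harmless only as long as `for` stays out of the allowed attributes, and that is worth stating in the same comment.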
diff --git a/src/vs/base/browser/dom.ts b/src/vs/base/browser/dom.ts
index 51566489870..beb9436ac70 100644
--- a/src/vs/base/browser/dom.ts
+++ b/src/vs/base/browser/dom.ts
@@ -1363,6 +1363,77 @@ const defaultSafeProtocols = [
 	Schemas.command,
 ];
 
+/**
+ * List of safe, non-input html tags.
+ */
+export const basicMarkupHtmlTags = Object.freeze([
+	'a',
+	'abbr',
+	'b',
+	'bdo',
+	'blockquote',
+	'br',
+	'caption',
+	'cite',
+	'code',
+	'col',
+	'colgroup',
+	'dd',
+	'del',
+	'details',
+	'dfn',
+	'div',
+	'dl',
+	'dt',
+	'em',
+	'figcaption',
+	'figure',
+	'h1',
+	'h2',
+	'h3',
+	'h4',
+	'h5',
+	'h6',
+	'hr',
+	'i',
+	'img',
+	'ins',
+	'kbd',
+	'label',
+	'li',
+	'mark',
+	'ol',
+	'p',
+	'pre',
+	'q',
+	'rp',
+	'rt',
+	'ruby',
+	'samp',
+	'small',
+	'small',
+	'span',
+	'strike',
+	'strong',
+	'sub',
+	'summary',
+	'sup',
+	'table',
+	'tbody',
+	'td',
+	'tfoot',
+	'th',
+	'thead',
+	'time',
+	'tr',
+	'tt',
+	'u',
+	'ul',
+	'var',
+	'video',
+	'wbr',
+]);
+
 /**
  * Sanitizes the given `value` and reset the given `node` with it.
  */
diff --git a/src/vs/base/browser/markdownRenderer.ts b/src/vs/base/browser/markdownRenderer.ts
index 063d60b9792..5106241e2f2 100644
--- a/src/vs/base/browser/markdownRenderer.ts
+++ b/src/vs/base/browser/markdownRenderer.ts
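Review bot: `'small'` is listed twice in `basicMarkupHtmlTags`; remove one copy. The doc comment `List of safe, non-input html tags.` does not give the criterion for membership, and since this list is now the single allow list feeding two DOMPurify configurations, the next person adding a tag needs to know what "safe" excludes; I would replace it with a comment saying that the list holds only presentational markup — no form controls, no `script`/`style`/`iframe`/`object`/`embed`/`base`/`meta`, no custom elements — that `a`, `img` and `video` are admitted only because their `href`/`src` values are scheme-checked by the sanitizer hooks the callers install, and that the copy in `extensions/markdown-language-features/notebook/index.ts` must be kept in sync. `video` is the one genuinely new capability; the callers visible in this patch do not allow `poster`, `autoplay` or `controls`, which is the conservative default, but I would confirm that the href/src hook applied by the callers also fires for `video[src]` and not just `img[src]` before relying on it.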
@@ -380,7 +380,7 @@ function getSanitizerOptions(options: { readonly isTrusted?: boolean }): { confi
 			// Since we have our own sanitize function for marked, it's possible we missed some tag so let dompurify make sure.
 			// HTML tags that can result from markdown are from reading https://spec.commonmark.org/0.29/
 			// HTML table tags that can result from markdown are from https://github.github.com/gfm/#tables-extension-
-			ALLOWED_TAGS: ['ul', 'li', 'p', 'b', 'i', 'code', 'blockquote', 'ol', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'em', 'pre', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'div', 'del', 'a', 'strong', 'br', 'img', 'span'],
+			ALLOWED_TAGS: [...DOM.basicMarkupHtmlTags],
 			ALLOWED_ATTR: ['href', 'data-href', 'target', 'title', 'src', 'alt', 'class', 'style', 'data-code', 'width', 'height', 'align'],
 			ALLOW_UNKNOWN_PROTOCOLS: true,
 		},
diff --git a/src/vs/workbench/contrib/markdown/browser/markdownDocumentRenderer.ts b/src/vs/workbench/contrib/markdown/browser/markdownDocumentRenderer.ts
index 68185694831..6e253997d08 100644
--- a/src/vs/workbench/contrib/markdown/browser/markdownDocumentRenderer.ts
+++ b/src/vs/workbench/contrib/markdown/browser/markdownDocumentRenderer.ts
@@ -3,7 +3,7 @@
  * Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-import { hookDomPurifyHrefAndSrcSanitizer } from 'vs/base/browser/dom';
+import { hookDomPurifyHrefAndSrcSanitizer, basicMarkupHtmlTags } from 'vs/base/browser/dom';
 import * as dompurify from 'vs/base/browser/dompurify/dompurify';
 import { marked } from 'vs/base/common/marked/marked';
 import { Schemas } from 'vs/base/common/network';
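Review bot: The two comment lines kept directly above the new `ALLOWED_TAGS` still say the tag set is derived from the CommonMark spec and the GFM tables extension, which stops being true once the line spreads `DOM.basicMarkupHtmlTags` (which includes `video`, `figure`, `details`, `ruby` and others that no markdown construct produces); a stale provenance comment on a sanitizer allow list is exactly the thing a later reviewer will trust. Replace them with `// Allow the shared basic-markup tag list; marked's own sanitizer runs first and dompurify is the backstop.` and keep the first line about dompurify being the safety net. Note that this hunk leaves `ALLOW_UNKNOWN_PROTOCOLS: true` and `src`/`style` in `ALLOWED_ATTR` untouched, so the scheme filtering for the newly admitted `video` element rests entirely on the href/src hook installed outside this function; that dependency is worth a sentence in the same comment. `getSanitizerOptions` begins and ends outside the hunk.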
@@ -159,10 +159,9 @@ function sanitize(documentContent: string, allowUnknownProtocols: boolean): stri
 	return dompurify.sanitize(documentContent, {
 		...{
 			ALLOWED_TAGS: [
-				'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'h7', 'h8', 'br', 'b', 'i', 'strong', 'em', 'a', 'pre', 'code', 'img', 'tt',
-				'div', 'ins', 'del', 'sup', 'sub', 'p', 'ol', 'ul', 'table', 'thead', 'tbody', 'tfoot', 'blockquote', 'dl', 'dt',
-				'dd', 'kbd', 'q', 'samp', 'var', 'hr', 'ruby', 'rt', 'rp', 'li', 'tr', 'td', 'th', 's', 'strike', 'summary', 'details',
-				'caption', 'figure', 'figcaption', 'abbr', 'bdo', 'cite', 'dfn', 'mark', 'small', 'span', 'time', 'wbr', 'checkbox', 'checklist', 'vertically-centered'
+				...basicMarkupHtmlTags,
+				'checkbox',
+				'checklist',
 			],
 			ALLOWED_ATTR: [
 				'href', 'data-href', 'data-command', 'target', 'title', 'name', 'src', 'alt', 'class', 'id', 'role', 'tabindex', 'style', 'data-code',
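Review bot: The removed lines allowed `'s'`, `'h7'`, `'h8'` and the custom element `'vertically-centered'`, and none of them are in `basicMarkupHtmlTags` as added in dom.ts, so this hunk silently narrows the allow list while the commit message describes it as a copy; `<s>` is a real HTML element and any release-notes or walkthrough content using it will now be stripped. If dropping `s` and `vertically-centered` is intended, it should be stated in the description; otherwise restore `s` next to the two local extras, `'s',`, and decide explicitly about `vertically-centered`. `h7`/`h8` are not HTML elements, so losing those is harmless. `sanitize`'s body continues past the end of the hunk.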