mirror of
https://github.com/Microsoft/vscode
synced 2024-08-27 13:00:58 +00:00
Align list of supported tags in rendered markdown (#161544)
This expands the list of html tags we allow in markdown. To get this list, I've copied the list of tags from `markdownDocumentRenderer` into `dom` after reviewing them For #134514, I've also added `video` to the list of allowed tags
This commit is contained in:
Matt Bierner
GitHub
parent
93836c720c
commit
2a4fb40a6e
|
|
@ -8,21 +8,27 @@ import MarkdownIt from 'markdown-it';
|
||||||
import type * as MarkdownItToken from 'markdown-it/lib/token';
|
import type * as MarkdownItToken from 'markdown-it/lib/token';
|
||||||
import type { ActivationFunction } from 'vscode-notebook-renderer';
|
import type { ActivationFunction } from 'vscode-notebook-renderer';
|
||||||
|
|
||||||
const allowedHtmlTags = Object.freeze([
|
const allowedHtmlTags = Object.freeze(['a',
|
||||||
'a',
|
'abbr',
|
||||||
'b',
|
'b',
|
||||||
|
'bdo',
|
||||||
'blockquote',
|
'blockquote',
|
||||||
'br',
|
'br',
|
||||||
'button',
|
|
||||||
'caption',
|
'caption',
|
||||||
'center',
|
'cite',
|
||||||
'code',
|
'code',
|
||||||
'col',
|
'col',
|
||||||
'colgroup',
|
'colgroup',
|
||||||
|
'dd',
|
||||||
|
'del',
|
||||||
'details',
|
'details',
|
||||||
|
'dfn',
|
||||||
'div',
|
'div',
|
||||||
|
'dl',
|
||||||
|
'dt',
|
||||||
'em',
|
'em',
|
||||||
'font',
|
'figcaption',
|
||||||
|
'figure',
|
||||||
'h1',
|
'h1',
|
||||||
'h2',
|
'h2',
|
||||||
'h3',
|
'h3',
|
||||||
|
|
@ -32,16 +38,23 @@ const allowedHtmlTags = Object.freeze([
|
||||||
'hr',
|
'hr',
|
||||||
'i',
|
'i',
|
||||||
'img',
|
'img',
|
||||||
'input',
|
'ins',
|
||||||
'kbd',
|
'kbd',
|
||||||
'label',
|
'label',
|
||||||
'li',
|
'li',
|
||||||
|
'mark',
|
||||||
'ol',
|
'ol',
|
||||||
'p',
|
'p',
|
||||||
'pre',
|
'pre',
|
||||||
'select',
|
'q',
|
||||||
|
'rp',
|
||||||
|
'rt',
|
||||||
|
'ruby',
|
||||||
|
'samp',
|
||||||
|
'small',
|
||||||
'small',
|
'small',
|
||||||
'span',
|
'span',
|
||||||
|
'strike',
|
||||||
'strong',
|
'strong',
|
||||||
'sub',
|
'sub',
|
||||||
'summary',
|
'summary',
|
||||||
|
|
@ -49,15 +62,17 @@ const allowedHtmlTags = Object.freeze([
|
||||||
'table',
|
'table',
|
||||||
'tbody',
|
'tbody',
|
||||||
'td',
|
'td',
|
||||||
'textarea',
|
|
||||||
'tfoot',
|
'tfoot',
|
||||||
'th',
|
'th',
|
||||||
'thead',
|
'thead',
|
||||||
|
'time',
|
||||||
'tr',
|
'tr',
|
||||||
'tt',
|
'tt',
|
||||||
'u',
|
'u',
|
||||||
'ul',
|
'ul',
|
||||||
|
'var',
|
||||||
'video',
|
'video',
|
||||||
|
'wbr',
|
||||||
]);
|
]);
|
||||||
|
|
||||||
const allowedSvgTags = Object.freeze([
|
const allowedSvgTags = Object.freeze([
|
||||||
|
|
|
||||||
|
|
@ -1363,6 +1363,77 @@ const defaultSafeProtocols = [
|
||||||
Schemas.command,
|
Schemas.command,
|
||||||
];
|
];
|
||||||
|
|
||||||
|
/**
|
||||||
|
* List of safe, non-input html tags.
|
||||||
|
*/
|
||||||
|
export const basicMarkupHtmlTags = Object.freeze([
|
||||||
|
'a',
|
||||||
|
'abbr',
|
||||||
|
'b',
|
||||||
|
'bdo',
|
||||||
|
'blockquote',
|
||||||
|
'br',
|
||||||
|
'caption',
|
||||||
|
'cite',
|
||||||
|
'code',
|
||||||
|
'col',
|
||||||
|
'colgroup',
|
||||||
|
'dd',
|
||||||
|
'del',
|
||||||
|
'details',
|
||||||
|
'dfn',
|
||||||
|
'div',
|
||||||
|
'dl',
|
||||||
|
'dt',
|
||||||
|
'em',
|
||||||
|
'figcaption',
|
||||||
|
'figure',
|
||||||
|
'h1',
|
||||||
|
'h2',
|
||||||
|
'h3',
|
||||||
|
'h4',
|
||||||
|
'h5',
|
||||||
|
'h6',
|
||||||
|
'hr',
|
||||||
|
'i',
|
||||||
|
'img',
|
||||||
|
'ins',
|
||||||
|
'kbd',
|
||||||
|
'label',
|
||||||
|
'li',
|
||||||
|
'mark',
|
||||||
|
'ol',
|
||||||
|
'p',
|
||||||
|
'pre',
|
||||||
|
'q',
|
||||||
|
'rp',
|
||||||
|
'rt',
|
||||||
|
'ruby',
|
||||||
|
'samp',
|
||||||
|
'small',
|
||||||
|
'small',
|
||||||
|
'span',
|
||||||
|
'strike',
|
||||||
|
'strong',
|
||||||
|
'sub',
|
||||||
|
'summary',
|
||||||
|
'sup',
|
||||||
|
'table',
|
||||||
|
'tbody',
|
||||||
|
'td',
|
||||||
|
'tfoot',
|
||||||
|
'th',
|
||||||
|
'thead',
|
||||||
|
'time',
|
||||||
|
'tr',
|
||||||
|
'tt',
|
||||||
|
'u',
|
||||||
|
'ul',
|
||||||
|
'var',
|
||||||
|
'video',
|
||||||
|
'wbr',
|
||||||
|
]);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sanitizes the given `value` and reset the given `node` with it.
|
* Sanitizes the given `value` and reset the given `node` with it.
|
||||||
*/
|
*/
|
||||||
|
|
|
||||||
|
|
@ -380,7 +380,7 @@ function getSanitizerOptions(options: { readonly isTrusted?: boolean }): { confi
|
||||||
// Since we have our own sanitize function for marked, it's possible we missed some tag so let dompurify make sure.
|
// Since we have our own sanitize function for marked, it's possible we missed some tag so let dompurify make sure.
|
||||||
// HTML tags that can result from markdown are from reading https://spec.commonmark.org/0.29/
|
// HTML tags that can result from markdown are from reading https://spec.commonmark.org/0.29/
|
||||||
// HTML table tags that can result from markdown are from https://github.github.com/gfm/#tables-extension-
|
// HTML table tags that can result from markdown are from https://github.github.com/gfm/#tables-extension-
|
||||||
ALLOWED_TAGS: ['ul', 'li', 'p', 'b', 'i', 'code', 'blockquote', 'ol', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'em', 'pre', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'div', 'del', 'a', 'strong', 'br', 'img', 'span'],
|
ALLOWED_TAGS: [...DOM.basicMarkupHtmlTags],
|
||||||
ALLOWED_ATTR: ['href', 'data-href', 'target', 'title', 'src', 'alt', 'class', 'style', 'data-code', 'width', 'height', 'align'],
|
ALLOWED_ATTR: ['href', 'data-href', 'target', 'title', 'src', 'alt', 'class', 'style', 'data-code', 'width', 'height', 'align'],
|
||||||
ALLOW_UNKNOWN_PROTOCOLS: true,
|
ALLOW_UNKNOWN_PROTOCOLS: true,
|
||||||
},
|
},
|
||||||
|
|
|
||||||
|
|
@ -3,7 +3,7 @@
|
||||||
* Licensed under the MIT License. See License.txt in the project root for license information.
|
* Licensed under the MIT License. See License.txt in the project root for license information.
|
||||||
*--------------------------------------------------------------------------------------------*/
|
*--------------------------------------------------------------------------------------------*/
|
||||||
|
|
||||||
import { hookDomPurifyHrefAndSrcSanitizer } from 'vs/base/browser/dom';
|
import { hookDomPurifyHrefAndSrcSanitizer, basicMarkupHtmlTags } from 'vs/base/browser/dom';
|
||||||
import * as dompurify from 'vs/base/browser/dompurify/dompurify';
|
import * as dompurify from 'vs/base/browser/dompurify/dompurify';
|
||||||
import { marked } from 'vs/base/common/marked/marked';
|
import { marked } from 'vs/base/common/marked/marked';
|
||||||
import { Schemas } from 'vs/base/common/network';
|
import { Schemas } from 'vs/base/common/network';
|
||||||
|
|
@ -159,10 +159,9 @@ function sanitize(documentContent: string, allowUnknownProtocols: boolean): stri
|
||||||
return dompurify.sanitize(documentContent, {
|
return dompurify.sanitize(documentContent, {
|
||||||
...{
|
...{
|
||||||
ALLOWED_TAGS: [
|
ALLOWED_TAGS: [
|
||||||
'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'h7', 'h8', 'br', 'b', 'i', 'strong', 'em', 'a', 'pre', 'code', 'img', 'tt',
|
...basicMarkupHtmlTags,
|
||||||
'div', 'ins', 'del', 'sup', 'sub', 'p', 'ol', 'ul', 'table', 'thead', 'tbody', 'tfoot', 'blockquote', 'dl', 'dt',
|
'checkbox',
|
||||||
'dd', 'kbd', 'q', 'samp', 'var', 'hr', 'ruby', 'rt', 'rp', 'li', 'tr', 'td', 'th', 's', 'strike', 'summary', 'details',
|
'checklist',
|
||||||
'caption', 'figure', 'figcaption', 'abbr', 'bdo', 'cite', 'dfn', 'mark', 'small', 'span', 'time', 'wbr', 'checkbox', 'checklist', 'vertically-centered'
|
|
||||||
],
|
],
|
||||||
ALLOWED_ATTR: [
|
ALLOWED_ATTR: [
|
||||||
'href', 'data-href', 'data-command', 'target', 'title', 'name', 'src', 'alt', 'class', 'id', 'role', 'tabindex', 'style', 'data-code',
|
'href', 'data-href', 'data-command', 'target', 'title', 'name', 'src', 'alt', 'class', 'id', 'role', 'tabindex', 'style', 'data-code',
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue