To elaborate on the issue, the preview blockquote does not render if there is any HTML element in the source string. This is because in that case, all closing bracket > are changed to >.
To fix this, I remove the sanitation by DOMPurify. As mentioned in #1214, ngx-markdown sanitises content by default, hence there is no need to sanitise again using DOMPurify. Furthermore, DOMPurify does not consider markdown syntaxes in sanitation.
I have checked out the examples given by DOMPurify, malicious content are also removed with the sanitation from ngx-markdown. The following content:
> quote stops working in preview???
> quote with <br/> <br/>
> new quote
> another quote like `this`
<div>For example</div>
<script>console.log("hello")</script>
Hello, test <code>D<sub>SA</sub></code>
<p>abc<iframe src="https://www.youtube.com/embed/sUtJHqzU9dc" allowfullscreen="" title="Youtube intro video"></iframe></p>
<TABLE><tr><td>HELLO</tr></TABL>
<UL><li><A HREF=//google.com>click</UL>
is rendered as
Notice that the script and the iframe tags are removed from the rendered HTML, and the broken tags are properly rendered.
This closely matches the rendering on Github:
The only difference is that the sanitised strings are rendered as literal strings on Github, while removed in CATcher. However, given the purpose of CATcher, I believe there is no need for rendering malicious HTML elements as literal strings.
Proposed Commit Message:
Fix markdown blockquote preview difference
Due to DOMPurify, the content used for preview is different.
However, given that ngx-markdown already has sufficient sanitation
by default, we remove sanitation by DOMPurify.
Summary:
Fixes #1214
Changes Made:
To elaborate on the issue, the preview blockquote does not render if there is any HTML element in the source string. This is because in that case, all closing bracket
>
are changed to>
.To fix this, I remove the sanitation by DOMPurify. As mentioned in #1214, ngx-markdown sanitises content by default, hence there is no need to sanitise again using DOMPurify. Furthermore, DOMPurify does not consider markdown syntaxes in sanitation.
I have checked out the examples given by DOMPurify, malicious content are also removed with the sanitation from ngx-markdown. The following content:
is rendered as
Notice that the
script
and theiframe
tags are removed from the rendered HTML, and the broken tags are properly rendered.This closely matches the rendering on Github:
The only difference is that the sanitised strings are rendered as literal strings on Github, while removed in CATcher. However, given the purpose of CATcher, I believe there is no need for rendering malicious HTML elements as literal strings.
Proposed Commit Message: