DOMjudge / domjudge

DOMjudge programming contest jury system
https://www.domjudge.org
GNU General Public License v2.0

Incomplete markdown rendering in clarification requests #2311

Closed GBathie closed 6 months ago

GBathie commented 7 months ago

Hi! SWERC 2023-24 was this weekend, here is a minor issue that we encountered with DOMjudge.

Description of the problem

Some markdown elements such as quotes or inline code blocks are not rendered correctly, for example in clarification requests.

Your environment

DOMjudge 8.3.0DEV/5502c03cc

Steps to reproduce

  1. list e1
  2. list e2

code blocks

### Expected behaviour
Markdown elements are rendered correctly

### Actual behaviour
Blockquote, inline code and code blocks are not rendered properly

### Any other information that you want to share?
I suspect that the culprit is [this line](https://github.com/DOMjudge/domjudge/blob/5502c03cc880d8e5c6b0e570a7b875a07b1a2bf7/webapp/src/Controller/RootController.php#L54), where HTML escaping is done before rendering markdown, likely resulting in HTML special characters being replaced, erasing the markdown elements.

nickygerritsen commented 7 months ago

We recently added that line since we had an XSS attack vector. We will investigate if we can enable some of these elements somehow.

nickygerritsen commented 7 months ago

Turns out we needed to first run markdown, then sanitize instead of the other way around. I have added that to the above linked PR.
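
The two orderings discussed in this thread, as an added sketch that is not part of the original issue and is not DOMjudge's code. It is written in Python with a toy renderer and sanitizer; `tiny_markdown`, `AllowlistSanitizer`, the `ALLOWED` set and the sample input are hypothetical stand-ins for a real Markdown library and a maintained HTML sanitizer.

```python
import html
import re
from html.parser import HTMLParser

ALLOWED = {"p", "blockquote", "code"}  # assumed allowlist for this sketch

def tiny_markdown(text):
    """Toy renderer (blockquotes and inline code only), standing in for a real
    Markdown library. Like real Markdown, it passes raw HTML through."""
    out = []
    for line in text.splitlines():
        quote = re.match(r">\s?(.*)", line)
        body = quote.group(1) if quote else line
        body = re.sub(r"`([^`]+)`",
                      lambda m: "<code>" + html.escape(m.group(1)) + "</code>", body)
        out.append(f"<blockquote>{body}</blockquote>" if quote else f"<p>{body}</p>")
    return "".join(out)

class AllowlistSanitizer(HTMLParser):
    """Keeps ALLOWED tags (attributes stripped), drops all others, escapes text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED:
            self.out.append(f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize(markup):
    s = AllowlistSanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out)

def escape_then_render(text):
    # Order described in the issue: escaping runs before the Markdown renderer.
    return tiny_markdown(html.escape(text))

def render_then_sanitize(text):
    # Order described in the last comment: Markdown first, then sanitize.
    return sanitize(tiny_markdown(text))

# Constructed sample input: a blockquote with inline code, then raw HTML.
SAMPLE = "> see `a<b`\n<img src=x onerror=alert(1)>"

if __name__ == "__main__":
    print(escape_then_render(SAMPLE))
    print(render_then_sanitize(SAMPLE))
```

In this toy, escaping first turns the leading `>` into `&gt;`, so the blockquote is never recognised and the code span is escaped twice. Rendering first and sanitizing the resulting HTML keeps both elements and still drops the raw `<img>` tag.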