bast / cicero

:microphone: Serving presentation slides written in Markdown.
https://cicero.xyz
GNU Affero General Public License v3.0
55 stars 17 forks

Support user defined javascript and remark configuration #48

Closed mlouhivu closed 7 years ago

mlouhivu commented 7 years ago

Added support for custom remark configuration options and for adding user-defined JavaScript before remark.create() is called, e.g. to add custom remark macros.

Used a similar approach as with user-defined CSS, so JavaScript / configuration options are read from files with the same base as the markdown content:

In addition, to fix mangling of e.g. quotation marks in user-defined CSS, added Markup() to disable autoescaping of the CSS file content.

bast commented 7 years ago

Awesome! Thank you! I will review it ASAP and give feedback. I was in fact considering adding support for custom JS but I have hesitated for security reasons since then one can ship basically any JS code to the readers. We need to carefully check whether this can be a problem.

mlouhivu commented 7 years ago

True. If only rendering your own content, it should be okay, but you are right that it allows one to include any JavaScript code.

Maybe one should give the reader the option to enable/disable it when rendering non-local files?

bast commented 7 years ago

I agree that for local files it should be fine. I need to think a bit about remote files. Arbitrary JS code is then possible. I wonder whether one could do harm even though there is https://en.wikipedia.org/wiki/Same-origin_policy. If we allow any JS we give people the possibility to serve any JS code behind cicero.xyz. I need to sleep on it but feel that this could become problematic.
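
The same-origin policy does not help here: user JS that is inlined into a page served from cicero.xyz runs *as* cicero.xyz, so it can read that origin's cookies and storage and make credentialed requests to it, exactly as an XSS payload would. What does help is giving remotely sourced decks an origin of their own. The following is an added example, not cicero's code and not what the project does: it keeps local decks inline (the author renders their own files, as discussed above) and, for remote decks, puts the whole deck, remark and user JS included, into an iframe whose `sandbox` attribute grants `allow-scripts` but not `allow-same-origin`, so the deck executes under an opaque (null) origin. The function names, the page skeleton and the remark download URL are assumptions made for illustration.

```python
import html

# Added example, not cicero's own code. render_page, deck_document, _inline_script
# and SANDBOX_ATTR are names chosen here for illustration.
REMARK_SRC = "https://remarkjs.com/downloads/remark-latest.min.js"  # assumed URL

# Deliberately NOT "allow-scripts allow-same-origin": granting both lets the
# framed document drop the sandbox and regain the embedding page's origin.
SANDBOX_ATTR = 'sandbox="allow-scripts"'


def _inline_script(js: str) -> str:
    """Wrap JavaScript in a <script> element without letting its content close the tag.

    A literal "</script" inside a JS string would end the element early; the
    backslash is harmless inside JS string literals and comments.
    """
    return "<script>\n" + js.replace("</", "<\\/") + "\n</script>"


def deck_document(slides_md: str, user_js: str) -> str:
    """The complete remark deck: markdown source, optional user JS, then remark.create().

    The user JS is placed before remark.create() so it can register macros, which
    is the use case the pull request describes.
    """
    parts = [
        "<!DOCTYPE html><html><body>",
        '<textarea id="source" style="display:none">' + html.escape(slides_md) + "</textarea>",
        '<script src="' + REMARK_SRC + '"></script>',
    ]
    if user_js:
        parts.append(_inline_script(user_js))
    parts.append("<script>var slideshow = remark.create();</script>")
    parts.append("</body></html>")
    return "\n".join(parts)


def render_page(slides_md: str, user_js: str, remote: bool) -> str:
    """Top-level page served from the site's origin.

    remote=False: the author is rendering local files, so the deck is returned
    as-is and any user JS runs with the site's origin (fine for their own machine).
    remote=True: the deck is embedded via srcdoc in a sandboxed iframe without
    allow-same-origin. Its scripts then run under an opaque origin: they cannot
    read the serving origin's cookies or localStorage, and any request they make
    to it is cross-origin and subject to CORS rather than a same-origin request.
    srcdoc is attribute-escaped so the deck content cannot break out of the
    attribute into the outer (same-origin) page.
    """
    deck = deck_document(slides_md, user_js)
    if not remote:
        return deck
    return "\n".join([
        "<!DOCTYPE html><html><body>",
        "<iframe " + SANDBOX_ATTR + ' srcdoc="' + html.escape(deck, quote=True) + '"'
        ' style="border:0;width:100vw;height:100vh"></iframe>',
        "</body></html>",
    ])


if __name__ == "__main__":
    # Constructed sample: a one-slide deck with user JS that tries to read cookies
    # and to terminate the script element early.
    js = 'alert(document.cookie); var s = "</script>";'
    print(render_page("# Hello", js, remote=True))
```

Because the browser decodes the `srcdoc` attribute exactly once, the inner deck's own escaping (`&lt;` for the markdown source) survives a second level of escaping correctly. A `Content-Security-Policy` on the outer page is a useful second layer but is not a substitute: the origin separation is what removes the cookie and storage access.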

bast commented 7 years ago

Sorry for the very late feedback. I will now integrate your changes but for the moment will disable the JS import for remote serving. I need to be sure that there is no risk before enabling it and currently I am not sure. But your changes are too good to stall them longer.