Closed mlouhivu closed 7 years ago
Awesome! Thank you! I will review it ASAP and give feedback. I was in fact considering adding support for custom JS but I have hesitated for security reasons since then one can ship basically any JS code to the readers. We need to carefully check whether this can be a problem.
True. If only rendering your own content, it should be okay, but you are right that it allows one to include any JavaScript code.
Maybe one should give the reader the option to enable/disable it when rendering non-local files?
I agree that for local files it should be fine. I need to think a bit about remote files. Arbitrary JS code is then possible. I wonder whether one could do harm even though there is https://en.wikipedia.org/wiki/Same-origin_policy. If we allow any JS we give people the possibility to serve any JS code behind cicero.xyz. I need to sleep on it but feel that this could become problematic.
Sorry for the very late feedback. I will now integrate your changes but for the moment will disable the JS import for remote serving. I need to be sure that there is no risk before enabling it and currently I am not sure. But your changes are too good to stall them longer.
Added support for custom remark configuration options and for adding user-defined JavaScript before remark.create() is called, e.g. to add custom remark macros. Used a similar approach as with user-defined CSS, so JavaScript / configuration options are read from files with the same base as the markdown content:
In addition, to fix mangling of e.g. quotation marks in user-defined CSS, added Markup() to disable autoescaping of the CSS file content.
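
Added example, not code from this pull request or from the project: a sketch of what `Markup()` changes when file content is placed in an autoescaped Jinja2 template, and why that ties into the local-versus-remote question raised in the thread. The template, the sample CSS strings and the `render_user_css` gate are constructed for illustration and are assumptions, not the project's behaviour.

```python
from jinja2 import Environment
from markupsafe import Markup

# Constructed stand-in for a page template that embeds user-defined CSS.
TEMPLATE = "<style>{{ custom_css }}</style>"
env = Environment(autoescape=True)

# Constructed sample file contents.
QUOTED_CSS = 'h1::before { content: "»"; }'
BREAKOUT_CSS = "</STYLE><script>/* code from the file's author */</script>"


def render_escaped(css):
    """Autoescaping on: quotation marks become entities, which a browser
    does not decode inside <style>, so the rule is mangled."""
    return env.from_string(TEMPLATE).render(custom_css=css)


def render_raw(css):
    """Markup() marks the string as safe, so it is emitted unchanged."""
    return env.from_string(TEMPLATE).render(custom_css=Markup(css))


def closes_style_element(css):
    """True if the text contains an end tag that would terminate <style>."""
    return "</style" in css.lower()


def render_user_css(css, remote):
    """Hypothetical gate: raw CSS for local files; for remote files, raw only
    when the content cannot leave the <style> element, otherwise omitted."""
    if remote and closes_style_element(css):
        return env.from_string(TEMPLATE).render(custom_css="")
    return render_raw(css)
```

With `Markup()` the template engine no longer protects the page from the file content, so any safety check has to happen before the content reaches the template.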