Caret issues
https://caret.io

Export to HTML removes 'controls' keyword #869

Open markus-flicke opened 5 years ago

markus-flicke commented 5 years ago

In Caret I try to embed the following HTML:

```html
<audio controls>
    <source src="audio.mp3" type="audio/mpeg">
</audio>
```

And the HTML file I get from 'export to HTML' looks like this:

```html
</style>
</head>
<body>
<audio>
<source type="audio/mpeg" src="audio.mp3">
</audio>
</body>
</html>
```

But I want it too look like this:

```html
<audio controls>
<source src="audio.mp3" type="audio/mpeg">
</audio>
```

Am I missing an obvious solution here? Any help would be appreciated.

astoilkov commented 5 years ago

Hi Markus,

We use a sanitizer when converting Markdown to HTML. This is the reason for the behavior. We are not sure if it is a good idea to not sanitize the contents because this can open a security vulnerability.

markus-flicke commented 5 years ago

Thanks for your answer. Could you look into which tags should be permitted and which are harmless in your sanitisation process? It is not clear to me how the 'controls' tag would lead to security flaws.

astoilkov commented 5 years ago

We are using a sanitization library called DOMPurify which is massively popular and used by big businesses. I have written an issue in their system in order to ask them if they can change this behavior. You can look at it here.