codeapprove / feedback

Feedback for CodeApprove

CodeApprove renders input elements in comments #97

Closed. mtlynch closed this issue 3 days ago.

mtlynch commented 1 year ago

I'm not sure if this works for any other HTML elements, but we discovered this by accident. If a CodeApprove comment includes `<input>`, CodeApprove renders an input element in the comment, which is unexpected. I was expecting to see it stay in text form because the discussion was about an input HTML element.


The workaround is to backtick the `<input>` so that CodeApprove doesn't try to render it as HTML.

samatcodeapprove commented 1 year ago

@mtlynch ah yeah, this makes sense, since that's a rich markdown input. Technically that's "correct", but realistically nobody is trying to write an input in a comment (as opposed to things like `span`, `ul`, `b`, `img`, etc., which should be treated as HTML). I should adjust the HTML sanitizer to have a stricter set of allowed elements.

samatcodeapprove commented 3 days ago

Deploying a fix for this now.
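The thread describes two things: the backtick workaround (text inside a code span is shown literally) and the fix (an HTML sanitizer with a stricter allowlist of elements, so a stray `<input>` is escaped while `span`, `ul`, `b`, `img` still render). The following is an added example written for this page; it is not CodeApprove's code and does not reflect how its sanitizer is implemented. The element and attribute allowlists, the `SAFE_URL` check and the function names are assumptions chosen for illustration.

```javascript
// Added example (not CodeApprove's code): allowlist sanitization of HTML
// embedded in a markdown comment, plus the backtick workaround from the thread.

// Elements that may pass through as HTML. Everything else, including <input>,
// is escaped so the browser shows it as text. This list is an assumption for
// the example; the thread only names span, ul, b and img as things that should render.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'code', 'span', 'ul', 'ol', 'li', 'p', 'br', 'img', 'a']);

// Attributes kept per element; anything not listed (onclick, style, ...) is dropped.
// Also an assumption for the example.
const ALLOWED_ATTRS = {
  img: new Set(['src', 'alt']),
  a: new Set(['href', 'title']),
  span: new Set(['class']),
};

// URL schemes accepted for href/src; javascript: and data: never match.
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Rebuild an allowed tag, keeping only allowlisted attributes with safe values.
function sanitizeTag(name, closing, rawAttrs) {
  if (closing) return `</${name}>`;
  const allowed = ALLOWED_ATTRS[name] || new Set();
  const out = [];
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const attr = m[1].toLowerCase();
    if (!allowed.has(attr)) continue;
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if ((attr === 'href' || attr === 'src') && !SAFE_URL.test(value.trim())) continue;
    out.push(`${attr}="${escapeHtml(value)}"`);
  }
  return `<${name}${out.length ? ' ' + out.join(' ') : ''}>`;
}

// Allowlist-sanitize raw comment text that may contain inline HTML: tags not in
// ALLOWED_TAGS are escaped, so "<input>" is displayed rather than rendered as a
// form control. Comments (<!-- -->) and anything that is not a well-formed tag
// are escaped too, which is the safe default.
function sanitizeHtml(text) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    const name = m[2].toLowerCase();
    out += ALLOWED_TAGS.has(name) ? sanitizeTag(name, m[1] === '/', m[3]) : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Render the inline parts of a comment: text inside backticks is shown
// literally inside <code> (the workaround from the thread); everything else
// goes through the allowlist. Block-level markdown is out of scope here.
function renderComment(text) {
  const parts = text.split(/(`[^`]*`)/);
  return parts
    .map((part) =>
      part.length >= 2 && part.startsWith('`') && part.endsWith('`')
        ? `<code>${escapeHtml(part.slice(1, -1))}</code>`
        : sanitizeHtml(part)
    )
    .join('');
}

module.exports = { sanitizeHtml, renderComment };
```

The shape that matters is the allowlist: the sanitizer names what may render and escapes everything else, rather than trying to enumerate bad elements. In production, use a maintained sanitizer (for example DOMPurify with its `ALLOWED_TAGS` option) instead of regex tag matching, which is easy to get wrong against malformed markup; the hand-written parser here only keeps the example self-contained. Beyond being surprising, a form control rendered inside a review comment is also a small UI-spoofing hazard, which is a further reason `input` (and `form`, `button`, `script`, `iframe`) belong outside the allowlist.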