Closed mtlynch closed 3 days ago
@mtlynch ah yeah this makes sense, since that's a rich markdown input. Technically that's "correct" but realistically nobody is trying to write an input in a comment (as opposed to things like `span`, `ul`, `b`, `img` etc which should be treated as HTML). I should adjust the HTML sanitizer to have a stricter set of allowed elements.
Deploying a fix for this now.
I'm not sure if this works for any other HTML elements, but we discovered this by accident. If a CodeApprove comment includes `<input>`, CodeApprove renders an input element in the comment, which is unexpected. I was expecting to see it stay in text form because the discussion was about an `input` HTML element.

The workaround is to backtick the `<input>` so that CodeApprove doesn't try to render it as HTML.
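An added illustration of the stricter allowlist approach the maintainer describes above (example code written for this page, not CodeApprove's actual sanitizer): allowlisted elements such as `span`, `ul`, `b` and `img` are rendered, while anything else, including the `<input>` from the report, is escaped so it appears as literal text. The element and attribute lists, and the http(s)-only rule for `src`/`href`, are assumptions for the example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist constructed for this example (not CodeApprove's real configuration).
# Form controls such as <input> are deliberately absent, so they stay literal text.
ALLOWED_ELEMENTS = {"p", "span", "ul", "ol", "li", "b", "i", "em", "strong",
                    "code", "pre", "br", "img", "a"}
ALLOWED_ATTRS = {"img": {"src", "alt", "title"}, "a": {"href", "title"}}
VOID_ELEMENTS = {"img", "br"}
URL_ATTRS = {"src", "href"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ELEMENTS:
            # Not allowlisted: re-emit the raw tag as escaped, visible text.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            # src/href must be absolute http(s); anything else is dropped.
            if name in URL_ATTRS and not value.lower().startswith(("http://", "https://")):
                continue
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    # <tag/> is treated like <tag>, matching how browsers parse HTML.
    handle_startendtag = handle_starttag

    def handle_endtag(self, tag):
        if tag in ALLOWED_ELEMENTS and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(fragment: str) -> str:
    # Render only allowlisted markup; everything else is escaped to text.
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Running `sanitize('Use <b>the</b> <input type="text"> element')` keeps the `<b>` but turns the `<input>` into `&lt;input type=&quot;text&quot;&gt;`, which a browser displays as the literal text the reporter expected.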