ThomasJunk closed this issue 10 months ago
I have added this:
"notes" : [ {
"category" : "description",
"text" : "... <code onclick=\"alert('I was here!');\">Click me</code>"
} ],
Results in:
I don't think the HTML vetting is tough enough.
hmm... bummer...
I removed Svelte-Markdown from the stack in fc2139a0c5e3f3e00a678ddc4eb5ccb9055b5dac
Seems the best solution for now.
On the development branch there is now another attempt. Commit https://github.com/csaf-poc/csaf_webview/commit/fd61465eea688a652560730e55b280f61ea9714b now uses marked.js and DOMPurify to produce a sanitized output.
This should be better.
The code eval is gone ... as is the markdown handling :-/
Edit: Ah! On the development branch is the new stuff.
development branch looks fine.
The inspector shows that there is no event tag generated which is fine. :-)
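As an added illustration (not code from csaf_webview, which relies on marked.js and DOMPurify for this), a small stand-alone scanner that reports and strips the kind of attribute the payload in this issue uses, so rendered note HTML can be checked the way the inspector check above does. The tag and attribute patterns are an assumption for demonstration and are not a replacement for DOMPurify.

```javascript
// Stand-alone demonstration, not csaf_webview code: flag and strip event-handler
// attributes and javascript: URLs from rendered HTML. The regexes are a simplification
// (a '>' inside a quoted attribute value breaks them); a real renderer should use DOMPurify.
const TAG_RE = /<\s*(\/?)([a-zA-Z][\w-]*)([^>]*?)(\/?)>/g;
const ATTR_RE = /([^\s=\/"']+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
const BLOCKED_TAGS = ["script", "iframe", "object", "embed"];

// An attribute is dangerous if it is an event handler (onclick, onerror, ...)
// or a URL attribute whose value starts with javascript: (ignoring whitespace/controls).
function isDangerousAttribute(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith("on")) return true;
  if ((n === "href" || n === "src" || n === "action") && value) {
    const v = value.replace(/^["']|["']$/g, "").replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
    if (v.startsWith("javascript:")) return true;
  }
  return false;
}

// Report every blocked tag and dangerous attribute found in the HTML.
function findUnsafeMarkup(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const [, closing, tag, attrs] = m;
    if (BLOCKED_TAGS.includes(tag.toLowerCase())) { findings.push({ tag, attr: null }); continue; }
    if (closing) continue;
    for (const a of attrs.matchAll(ATTR_RE)) {
      if (isDangerousAttribute(a[1], a[2])) findings.push({ tag, attr: a[1] });
    }
  }
  return findings;
}

// Rewrite each opening tag keeping only the attributes that are not dangerous.
function stripUnsafeAttributes(html) {
  return html.replace(TAG_RE, (whole, closing, tag, attrs, selfClose) => {
    if (closing || !attrs.trim()) return whole;
    const kept = [];
    for (const a of attrs.matchAll(ATTR_RE)) {
      if (!isDangerousAttribute(a[1], a[2])) kept.push(a[0]);
    }
    return `<${tag}${kept.length ? " " + kept.join(" ") : ""}${selfClose}>`;
  });
}

// Constructed sample: the note text from this issue.
const NOTE_TEXT = "... <code onclick=\"alert('I was here!');\">Click me</code>";
```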
The question remains how 'Github-flavoured' this markdown is.
> The question remains how 'Github-flavoured' this markdown is.
Somewhat "decent"... from what I found: https://github.com/markedjs/marked/discussions/1202#discussioncomment-4192078
With commit https://github.com/csaf-poc/csaf_webview/commit/98164a364544cac617222f37ae0ff5f0d912fee9 I added a visual clue that the content rendered is actually markdown.
It seems text fields are marked "markdown" even if they are just text without any markup. Like the descriptions of the CVEs in https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2995.json . How do we determine which fields are markdown and which aren't?
The marking is a good start, can the gray box be placed to the lower right, inside the box? This way it is getting less in the way.
> The marking is a good start, can the gray box be placed to the lower right, inside the box?
This should be possible.
> How do we determine which fields are markdown and which aren't?

I think it's hard to determine whether or not a text field is plain text or actually markdown. You could have hyphens at the start of a line without it actually being "markdown", but of course one can assume they're meant to be bullet points and render them as such.
In the meantime: could you test, @JanHoefelmeyer?
Testing: Looks the same for me
It seems we cannot reliably detect markdown (https://stackoverflow.com/a/24690466 hints how to calculate a likelihood), so my suggestion is: we keep trying to render text and use a box. But we shall remove the "markdown" gray box, as it can be misleading.
shows the box but not the markdown hint.
In order to test this issue one has to check out the ui-refactoring branch with latest commits.
Test successful, works as described in https://github.com/csaf-poc/csaf_webview/issues/32#issuecomment-1829523788
Commit f968cbee9136df03df0919ddcae2ad9373baef58 now includes the support for (GitHub flavoured) Markdown. To test you could modify e.g. the `notes` of a document like

It should render the `text` properly. Basically any `text` could now contain Markdown which would be rendered. This issue is open to test the behaviour.