hexylena
commented
1 year ago Unless we're careful about sanitising the resulting report (confusing for users), or using a separate domain for user generated content like this (completely unimplemented, with a long timeline), it potentially increases the attack surface considerably. Everyone would need to be careful when opening a workflow report from someone else.
If it's possible to enumerate which features? there's probably more interest in adding support for those useful subset, rather than allowing any html and the associated attacks possible with that.
kciy
wm75
nsoranzo
Using workflow reports makes sense with markdown to have headings and lists, but it could easily extended to allowing HTML as well. This would allow for custom elements, overview tables and more.
It could also help in some things mentioned in #11426
The markdown parser which is used (npm markdown-it) per default disables HTML usage.
Any opinions on this?