Closed fliiiix closed 10 months ago
I believe you're right, that should've emitted the HTML directly. I'll try to make some time this week to investigate the source—I'm not sure if it's this library here or a bug in https://github.com/kivikakk/comrak, which this gem wraps.
Of the top off my head, it almost looks like escape
is being incorrectly applied. You can either scrub HTML out (unsafe: false
), or, the HTML can be escaped:
irb(main):006:0> Commonmarker.to_html("<script>alert('test')</script>", options:{render: {escape:true}})
=> "<script>alert('test')</script>\n"
It seems as if the escaping is happening on the first tag char? (<
)
Less dangerous tags do not have this behavior:
irb(main):007:0> Commonmarker.to_html("<b>alert('test')</b>", options:{render: {unsafe:true}})
=> "<p><b>alert('test')</b></p>\n"
irb(main):008:0> Commonmarker.to_html("<b>alert('test')</b>", options:{render: {unsafe:false}})
=> "<p><!-- raw HTML omitted -->alert('test')<!-- raw HTML omitted --></p>\n"
I wasn't able to reproduce this issue with the comrak cli
~/.local/bin/comrak --unsafe test.md
<script>alert('test')</script>
~/.local/bin/comrak --unsafe --escape test.md
<script>alert('test')</script>
So maybe its just a lib problem or how the gem uses the lib.
But yeah it looks weird because it only escapes the first <
of script which makes no sense to me yet.
This is the tagfilter
extension from the GFM spec. Disable that and it should be as you expect.
Wow, TIL. Setting tagfilter: false
works as expected. Thanks @kivikakk 🙇♂️
just when i thought i had enough experience with markdown options i learn something new :partying_face:
buddy, same
Honestly, that "extension" might well be one of my least proud moments as a software engineer. Live and learn 😊
If i understand the spec correctly that should embed the script as plain html. (Im using commommarker 1.0.0.pre10)
Is that a bug or is there a config option i missed to allow script tags to be rendered as html?