hypothesis / support-legacy

a place for tracking support-related work and projects

HTML allowed in Markdown viewer #78

Open klemay opened 4 years ago

klemay commented 4 years ago

Discussed in Slack: https://hypothes-is.slack.com/archives/C07NXBDNW/p1571964864005600?thread_ts=1571960978.002500&cid=C07NXBDNW

klemay commented 4 years ago

From Slack: It seems that we rely on DOMPurify for sanitization, and I'm not finding an ALLOWED_TAGS list in our code, so this would require some research to figure out what gets through.

robertknight commented 4 years ago

We trust DOMPurify's default configuration, which allows most purely presentational elements (i.e. those which don't trigger execution of code, loading of custom CSS or loading of embedded plugins or documents).

klemay commented 4 years ago

Looks like there's a demo we can play around with - might be worth looking into whether we can find a list somewhere though: https://cure53.de/purify

judell commented 4 years ago

There's a fairly straightforward way to test this. Make (or find) a chunk of HTML that uses every imaginable tag, put it into the annotation editor, and see what survives.

That would be really useful, actually.
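One way to run the "see what survives" test suggested above, as an added example that is not Hypothesis's or DOMPurify's own code: feed the sanitizer one element per candidate tag plus a few attribute probes, then diff what comes back. The tag list, the `PROBE_ATTRS` entries and the `id="tag-…"` / `id="attr-…"` markers are constructed here; `sanitize` is any string-to-string function, and `loadDomPurify` assumes either a page with the `DOMPurify` global loaded or the real `dompurify` and `jsdom` npm packages under Node.

```javascript
// Added probe for a sanitizer's tag/attribute policy (example code, not
// Hypothesis's or DOMPurify's own). `sanitize` is any string -> string
// function; in a browser page that has DOMPurify loaded, pass
// `s => DOMPurify.sanitize(s)`.

// Constructed candidate list. The grouping is only a rough expectation;
// the probe reports what the sanitizer actually does.
const PROBE_TAGS = [
  // presentational / structural
  'p', 'b', 'i', 'em', 'strong', 'a', 'img', 'ul', 'ol', 'li', 'blockquote',
  'pre', 'code', 'table', 'thead', 'tbody', 'tr', 'td', 'th', 'h1', 'h2',
  'sup', 'sub', 'span', 'div', 'hr', 'br', 'details', 'summary', 'video', 'audio',
  // active content, embedding, or document-level elements
  'script', 'iframe', 'object', 'embed', 'style', 'link', 'meta', 'base',
  'form', 'input', 'button', 'svg', 'math', 'template', 'noscript',
];

// [tag, attribute string, attribute name to watch]. The element itself may
// survive while the watched attribute is dropped, which is the interesting case.
const PROBE_ATTRS = [
  ['img', 'src="x" onerror="alert(1)"', 'onerror'],
  ['a', 'href="javascript:alert(1)"', 'href'],
  ['div', 'style="background:url(//example.invalid/)"', 'style'],
  ['a', 'href="https://example.com/" target="_blank"', 'href'],
];

function buildProbe() {
  const tags = PROBE_TAGS.map(t => `<${t} id="tag-${t}">${t}</${t}>`);
  const attrs = PROBE_ATTRS.map(([t, a], i) => `<${t} id="attr-${i}" ${a}>attr${i}</${t}>`);
  return tags.concat(attrs).join('\n');
}

// Names of all opening tags present in the serialized output.
function tagNames(html) {
  const names = new Set();
  const re = /<([a-z][a-z0-9-]*)\b/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.add(m[1].toLowerCase());
  return names;
}

// Did the element carrying id="attr-<index>" keep attribute `attrName`?
function attrSurvived(html, tag, index, attrName) {
  const open = new RegExp(`<${tag}\\b[^>]*\\bid="attr-${index}"[^>]*>`, 'i');
  const m = html.match(open);
  if (!m) return false; // the whole element was removed
  return new RegExp(`\\b${attrName}\\s*=`, 'i').test(m[0]);
}

function probeSanitizer(sanitize) {
  const output = sanitize(buildProbe());
  const survived = tagNames(output);
  return {
    kept: PROBE_TAGS.filter(t => survived.has(t)),
    stripped: PROBE_TAGS.filter(t => !survived.has(t)),
    attrs: PROBE_ATTRS.map(([t, , name], i) =>
      ({ tag: t, attr: name, kept: attrSurvived(output, t, i, name) })),
    output,
  };
}

// Locate DOMPurify: the browser global, or dompurify + jsdom under Node
// (both real npm packages, assumed to be installed).
function loadDomPurify() {
  if (typeof DOMPurify !== 'undefined') return s => DOMPurify.sanitize(s);
  try {
    const { JSDOM } = require('jsdom');
    const purify = require('dompurify')(new JSDOM('').window);
    return s => purify.sanitize(s);
  } catch (e) {
    return null;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const sanitize = loadDomPurify();
  if (!sanitize) {
    console.log('DOMPurify not available: run in a page that loads it, or `npm i dompurify jsdom`');
  } else {
    const r = probeSanitizer(sanitize);
    console.log('kept:', r.kept.join(' '));
    console.log('stripped:', r.stripped.join(' '));
    for (const a of r.attrs) console.log(`${a.tag}[${a.attr}] ${a.kept ? 'kept' : 'dropped'}`);
  }
}
```

In a browser console on a page that loads DOMPurify, `probeSanitizer(s => DOMPurify.sanitize(s))` returns the same `kept` / `stripped` / `attrs` report. The constructed tag list is deliberately short; to answer the question in the issue properly, replace `PROBE_TAGS` with the full HTML element list and run it against the exact DOMPurify version and configuration the client ships.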