marp-team / marp-core

The core of Marp converter
MIT License
766 stars 129 forks

Relax HTML allowlist #301

Open yhatt opened 2 years ago

yhatt commented 2 years ago

Marp Core's default HTML allowlist only allows the <br> tag. It's definitely safe, but this default set does not match real use cases. A lot of Marp users enjoy using custom HTML tags.

It would be better to update the default HTML allowlist to include the elements allowed in common Marp slides and Web services, e.g. <div>, <span>, and the HTML elements that Markdown itself is converted into.

https://github.com/gjtorikian/html-pipeline/blob/HEAD/lib/html/pipeline/sanitization_filter.rb is referred to as GitHub-style sanitization by some well-known Markdown parsers (remark, marked-sanitizer-github).

RicardoMonteiroSimoes commented 1 year ago

Could there be a chance to add the possibility for elements like <button>? For example, I'm working on a presentation and would like to add some buttons to trigger different examples on the slides. In the VSC plugin, the HTML button is rendered but the action is blocked. I assume this is more of an "accident" than intentional behaviour: using Marp CLI to build it as HTML, the button is not rendered but shown as plaintext.

It's understandable that this would, of course, not work as PDF (or even PPTX, I don't want to imagine the hassle to get that working 😓), but in theory for HTML it should be very straightforward.

yhatt commented 1 year ago

This proposal is not intended to allow any actions by JavaScript embedded in HTML by default. So most of the HTML elements and attributes denied in common Markdown parsers, such as the <button> element and onxxxxxx attributes, won't work in Marp by default, even if this issue is resolved.

You should already be able to unlock Marp's limitation to use HTML elements like <button>, without waiting for a chance. If you've unlocked raw HTML in the Marp tools you are using, Marp does not prevent running embedded scripts.

If you felt that the Marp for VS Code extension had blocked JS actions, it's actually by VS Code itself, not by Marp. (Refer to the VS Code documentation. You can disable it from an alert popup button or the Markdown: Change preview security settings command.)

For example, the following Marp Markdown actually works in the preview provided by the extension with HTML tags enabled:

---
marp: true
---

# Hello

<button onclick="document.querySelector('h1').style.color = 'red';">Change heading color</button>

When using Marp CLI, you should explicitly enable raw HTML tags by adding the --html option.

$ marp -h
...
Marp / Marpit Options:
      --html       Enable or disable HTML tags                         [boolean]

$ marp foobar.md --html

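
To make the allowlist semantics discussed in this thread concrete, here is an added JavaScript model (not marp-core's own code): the current <br>-only default and the relaxed list proposed above, both written in the tag-to-attributes object shape I understand marp-core's `html` option to accept (an assumption; the slide fragment is constructed). Under either list the <button> and every on* attribute are stripped, so enabling common layout tags does not enable scripts.

```javascript
// Added illustration, not marp-core's own code. The allowlist objects use the
// shape I believe marp-core's `html` option takes (tag -> allowed attribute
// names); treat that shape as an assumption and check the README.
const DEFAULT_ALLOWLIST = { br: [] };                // today's default: <br> only
const RELAXED_ALLOWLIST = {                          // what this issue proposes:
  br: [],                                            // layout tags with a few
  div: ['class', 'style'],                           // presentational attributes,
  span: ['class', 'style'],                          // still no <button>, no on*
};

const escapeHtml = (s) =>
  s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// attribute name, optionally followed by ="..." | '...' | bare value
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Keep only attributes named in the allowlist; event handlers (on*) are dropped
// unconditionally, mirroring the maintainer's stance in this thread.
function filterAttrs(attrs, allowedAttrs) {
  const kept = [];
  for (const m of attrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (name.startsWith('on') || !allowedAttrs.includes(name)) continue;
    kept.push(m[2] === undefined ? name : `${name}=${m[2]}`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

// Allowed tags survive with filtered attributes; anything else is escaped and so
// renders as plain text, like Marp CLI output without --html. Regex tokenizing
// is only adequate for this constructed input; a real filter needs an HTML parser.
function applyAllowlist(html, allowlist) {
  const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^<>]*?)(\/?)>/g;
  return html.replace(TAG_RE, (whole, close, tag, attrs, selfClose) => {
    const name = tag.toLowerCase();
    // own-property check so a tag like <constructor> cannot hit Object.prototype
    const allowed = Object.prototype.hasOwnProperty.call(allowlist, name) ? allowlist[name] : null;
    if (!allowed) return escapeHtml(whole);
    if (close) return `</${name}>`;
    return `<${name}${filterAttrs(attrs, allowed)}${selfClose}>`;
  });
}

// Constructed slide fragment: a styled span carrying an injected handler, a <br>,
// and the <button> from the comment above.
const SAMPLE =
  '<span style="color:red" onclick="alert(1)">Hello</span><br>\n' +
  '<button onclick="document.querySelector(\'h1\').style.color = \'red\';">Change heading color</button>';
console.log(applyAllowlist(SAMPLE, DEFAULT_ALLOWLIST), '\n---\n', applyAllowlist(SAMPLE, RELAXED_ALLOWLIST));
```

With the relaxed list the span keeps its style but loses onclick, while the button is escaped to visible text, which is the "shown as plaintext" behaviour described earlier in the thread.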
RicardoMonteiroSimoes commented 1 year ago

Ah, I must've misread the documentation then; I was under the impression that flag was solely for the output format 😅 But yes, it can be a danger to allow anything to run. But this will allow some great integrations/effects, thank you!

nikhilweee commented 1 year ago

I would advocate for allowing <span> tags, as then I can use different colors for different parts of the slide.