marp-team / marp-core

The core of Marp converter
MIT License
775 stars 130 forks

Enable support for HTML code snippets by default #368

Closed Piwy-dev closed 6 months ago

Piwy-dev commented 6 months ago

Right now, by default, the option Enable HTML is set to false. I think it would be best to set it to true by default, as many users will use HTML to enhance their presentation (images, styling...).

Also, this forces users to use the --html option when exporting their project, which can be confusing because one could think this option is for building in HTML format rather than for allowing HTML in the Markdown. Having the Enable HTML option set to true by default would prevent this and would also save users from having to research why their HTML content is not being displayed when rendering the exports.

An option --no-html could be added instead for users that don't want to render HTML content when exporting.

yhatt commented 6 months ago

Due to our stance on security, we have no plans to work for that.

Marp Core is designed as an open-ended library used by a wide range of developers. Thus, its default settings should offer maximum protection from security threats arising from Markdown content, such as <script> tags and on**** event attributes on any tags. This aligns with the philosophy of the markdown-it parser, which Marp and Marpit depend on.

Many people don't understand that markdown format does not care much about security. ...

  1. Don't enable HTML. Extend markup features with plugins. We think it's the best choice and use it by default.
    • That's ok for 99% of user needs.
    • Output will be safe without sanitizer.

https://github.com/markdown-it/markdown-it/blob/master/docs/security.md

However, it is a fact that enabling HTML tags has become a common practice across various Marp tools due to its convenience, despite the vulnerability to malicious Markdown + HTML.

We have already seen this as a problem. Marp Core has a long-pinned issue, #301, to collect a list of commonly used HTML tags and attributes from the Marp community.

We want to find a default HTML safelist that is suitable and secure for every Marp user, so we also want more feedback from many more users in #301. If the default HTML safelist were provided, most users would not need to enable HTML tags explicitly.

yhatt commented 5 months ago

FYI: If possible, tell us which HTML tags you are using in Marp slides to move things toward this issue. marp-team/marp#501

lucastho commented 4 months ago

I've been trying to use "div" to make mermaid work in marp-core.