microsoft / sarif-sdk

.NET code and supporting files for working with the 'Static Analysis Results Interchange Format' (SARIF, see https://github.com/oasis-tcs/sarif-spec)

[RULE REQUEST] Flag HTML in markdown #2532

Open michaelcfanning opened 2 years ago

michaelcfanning commented 2 years ago

The SARIF spec is quite clear that producers shouldn't emit HTML and that producers should be extremely wary of its inclusion.

Static Analysis Results Interchange Format (SARIF) Version 2.1.0 (oasis-open.org)

We should update our validator to raise an error on detecting any HTML constructs in markdown message properties.

@cfaucon

KalleOlaviNiemitalo commented 1 year ago

Don't flag escaped HTML though.

Use the \<kbd\> tag.

```HTML
<p>Press <kbd>Enter</kbd> when finished.</p>
```

michaelcfanning commented 1 year ago

Very good call-out.
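A check of the kind requested above, honouring the caveat from the second comment, as an added illustration that is not the sarif-sdk validator's own rule (the SDK is written in C#; this is a stand-alone Python sketch). It blanks out fenced code blocks, inline code spans and backslash escapes before looking for tags, so `\<kbd\>` and a `<kbd>` inside a fence are not reported while a bare `<kbd>` in message text is. The tag grammar is a simplified form of CommonMark's HTML-tag production (comments, CDATA and declarations are not handled), the JSON-pointer-style paths are my own notation, and `SAMPLE_LOG` is constructed, not real tool output:

```python
"""Flag raw HTML in SARIF markdown strings while ignoring escaped HTML.

Added illustration for this issue; not the sarif-sdk validator's rule.
The tag syntax is a simplified CommonMark "HTML tag" (open/close tags with
attributes; comments, CDATA and declarations are not covered), and
SAMPLE_LOG below is constructed, not real tool output.
"""
import re

# Simplified CommonMark HTML tag: <name attrs>, </name>, <name/>.
# Autolinks such as <https://example.com> do not match, because ':'
# cannot follow the tag name.
_HTML_TAG = re.compile(r"<(/?[A-Za-z][A-Za-z0-9-]*)(\s[^<>]*)?/?>")

# Fenced code block (``` or ~~~). An unclosed fence runs to end of text,
# as CommonMark specifies, so its contents are still treated as code.
_FENCE = re.compile(r"(?ms)^(`{3,}|~{3,}).*?(?:^\1[ \t]*$|\Z)")

# Inline code span: a run of N backticks, content, the same run of N.
_CODE_SPAN = re.compile(r"(`+)(?:(?!\1)[\s\S])+?\1")

# Backslash followed by ASCII punctuation is a CommonMark escape, so "\<"
# is a literal '<' and never opens a tag. A "\\" pair is consumed as one
# unit, so "\\<b>" is a literal backslash followed by real HTML.
_ESCAPE = re.compile(r"\\[!-/:-@\[-`{-~]")


def _blank(match):
    """Replace a match with spaces, keeping newlines so that line and
    column numbers computed later still refer to the original text."""
    return re.sub(r"[^\n]", " ", match.group(0))


def find_raw_html(markdown: str) -> list:
    """Return (line, column, tag) for every raw HTML tag that is outside
    code and not backslash-escaped. Line and column are 1-based."""
    scan = _FENCE.sub(_blank, markdown)
    scan = _CODE_SPAN.sub(_blank, scan)
    scan = _ESCAPE.sub(_blank, scan)
    hits = []
    for m in _HTML_TAG.finditer(scan):
        line = scan.count("\n", 0, m.start()) + 1
        col = m.start() - scan.rfind("\n", 0, m.start())
        hits.append((line, col, m.group(0)))
    return hits


def check_sarif_log(log: dict) -> list:
    """Walk a parsed SARIF log and report every string-valued 'markdown'
    property (message.markdown, multiformatMessageString.markdown) that
    contains raw HTML. Each finding is '<path>/markdown@<line>:<col> <tag>'
    using a JSON-pointer-like path of my own (assumption, not a SARIF
    location format)."""
    problems = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "markdown" and isinstance(value, str):
                    for line, col, tag in find_raw_html(value):
                        problems.append(f"{path}/markdown@{line}:{col} {tag}")
                else:
                    walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(log, "")
    return problems


# Constructed sample log: one rule help string with raw HTML, then three
# result messages showing escaped HTML, fenced HTML and a mixed case.
SAMPLE_LOG = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleTool", "rules": [{
            "id": "EX0001",
            "help": {"text": "Press Enter.", "markdown": "Press <kbd>Enter</kbd>."},
        }]}},
        "results": [
            {"ruleId": "EX0001", "message": {"text": "x",
             "markdown": "Use the \\<kbd\\> tag."}},
            {"ruleId": "EX0001", "message": {"text": "x",
             "markdown": "```HTML\n<p>Press <kbd>Enter</kbd> when finished.</p>\n```"}},
            {"ruleId": "EX0001", "message": {"text": "x",
             "markdown": "Escape it as `<kbd>`, not <kbd>raw</kbd>."}},
        ],
    }],
}

if __name__ == "__main__":
    for problem in check_sarif_log(SAMPLE_LOG):
        print(problem)
```

Run as-is it reports the rule help string and the third result only; the escaped and fenced messages pass. Blanking rather than deleting the skipped spans is what keeps the reported columns pointing into the original string, which a validator needs to produce a usable location for the finding.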