pypa / readme_renderer

Safely render long_description/README files in Warehouse
Apache License 2.0

Bug: renderer excludes plain html from readme #180

Closed HaaLeo closed 3 years ago

HaaLeo commented 3 years ago

Description

On the pypa warehouse, readme files which include plain HTML tags are not rendered correctly. The corresponding HTML section is just omitted. This was not the case a few weeks ago.

Expected Outcome

HTML tags of a readme are also rendered.

Actual Outcome

Plain HTML tags are omitted.

Example

The swarmlib project includes a plain paragraph <p></p> in its readme:

<p align="middle">
  <img src="https://raw.githubusercontent.com/HaaLeo/swarmlib/master/doc/light_mode.png" width="49%" />
  <img src="https://raw.githubusercontent.com/HaaLeo/swarmlib/master/doc/dark_mode.png" width="49%" /> 
</p>

But for the latest release, the images are not shown correctly on the pypi homepage. For swarmlib==0.12.1 the images are shown correctly. However, for swarmlib==0.13.0 no images are rendered in the readme. Since swarmlib did not change this section of its readme between the last releases, I think the readme_renderer causes this issue.

di commented 3 years ago

Looks like this is due to a change between cmarkgfm==0.4.2 and cmarkgfm==0.5.0, probably around its "safe rendering" features.

I've rolled back the cmarkgfm dependency in https://github.com/pypa/warehouse/pull/8877 for now until we can determine exactly what needs updated.

(cc @theacodes)

di commented 3 years ago

Looks like it's this breaking change:

In version 0.4.0 and earlier, the default behavior is unsafe, as described above. In later versions, the default behavior is safe, and to render potentially unsafe HTML pass the CMARK_OPT_UNSAFE option.

di commented 3 years ago

I made the necessary updates in https://github.com/pypa/readme_renderer/pull/181, will release that tomorrow.

Talendar commented 3 years ago

I'm facing the same issue. On the previous releases of my project, all HTML tags were rendered properly. In my new release, however, all HTML tags were simply ignored (along with the content they were "tagging").

di commented 3 years ago

Hmm, looks like I never did make that release, and this bit us again when I forgot about this bug and updated cmarkgfm again. I've (again) rolled back the cmarkgfm dependency in https://github.com/pypa/warehouse/pull/9123 and will try to revisit this again soon.
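
A check for the symptom reported in this thread, as an added example that is not part of the original discussion or of readme_renderer's code: it compares the raw HTML tags in a README source with the rendered output and counts the "raw HTML omitted" comments that cmark-gfm writes in place of raw HTML in safe mode. The function names and both rendered strings are constructed for illustration.

```python
from html.parser import HTMLParser

# Comment text cmark-gfm emits in place of raw HTML when rendering in safe mode.
OMITTED_MARKER = "raw HTML omitted"

class TagCollector(HTMLParser):
    """Record every start tag (with attributes) and every comment."""
    def __init__(self):
        super().__init__()
        self.tags, self.comments = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, tuple(sorted((k, v or "") for k, v in attrs))))

    def handle_comment(self, data):
        self.comments.append(data.strip())

def collect(text):
    parser = TagCollector()
    parser.feed(text)
    parser.close()
    return parser

def audit_render(readme_source, rendered_html):
    """Report source tags missing from the output and omitted-HTML markers."""
    src, out = collect(readme_source), collect(rendered_html)
    remaining, dropped = list(out.tags), []
    for tag in src.tags:
        if tag in remaining:
            remaining.remove(tag)   # match each output tag at most once
        else:
            dropped.append(tag)
    markers = sum(1 for c in out.comments if c == OMITTED_MARKER)
    return {"dropped": dropped, "omitted_markers": markers}

# Constructed sample: the README fragment quoted in the issue, plus a heading.
IMG = '  <img src="https://raw.githubusercontent.com/HaaLeo/swarmlib/master/doc/%s.png" width="49%%" />\n'
HTML_BLOCK = '<p align="middle">\n' + IMG % "light_mode" + IMG % "dark_mode" + "</p>\n"
README_SOURCE = "# swarmlib\n\n" + HTML_BLOCK
# Constructed renderer outputs: safe mode (raw HTML replaced) vs. raw HTML kept.
RENDERED_SAFE = "<h1>swarmlib</h1>\n<!-- raw HTML omitted -->\n"
RENDERED_UNSAFE = "<h1>swarmlib</h1>\n" + HTML_BLOCK

if __name__ == "__main__":
    print("safe:  ", audit_render(README_SOURCE, RENDERED_SAFE))
    print("unsafe:", audit_render(README_SOURCE, RENDERED_UNSAFE))
```

HTML that appears inside a fenced code block in the README source is also counted as a raw tag by this check, so a reported drop there is expected rather than a regression.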