Incorrect preview in mardown editor for html blockcode

requarks / wiki

Wiki.js | A modern and powerful wiki app built on Node.js

https://js.wiki

GNU Affero General Public License v3.0

24.81k stars 2.74k forks source link

Incorrect preview in mardown editor for html blockcode #1179

Closed SharkProgramming closed 4 years ago

SharkProgramming commented 5 years ago

Describe the bug Incorrect preview in mardown editor for html blockcode or inline code

To Reproduce Steps to reproduce the behavior:

Go to New page
Choose Markdown Editor
Write HTML in inline code or block code with language html defined
See error

Expected behavior We have just to see the html like presented in the blockcode not the interpretation of the html

Screenshots issue

Error Message La ressource à l’adresse « http://192.168.8.86:1337/e/en/style.css » a été bloquée en raison d’un type MIME (« text/html ») incorrect (X-Content-Type-Options: nosniff).

Host Info (please complete the following information):

OS: Ubuntu 18.04.3
Wiki.js version: 2.0.0-rc.17
Database engine: MariaDB 10.3.18

dash00 commented 4 years ago

I have a similar example and actually I think this issue could lead to a security issue.

Some observations:

If I save the page the final rendering is fine.
If I remove the < and > characters, the preview in the editor is fine.
If I play with the editor and I use <h1> here is what happens:

Host info:

OS: Docker Container (Linux)
Wiki.js: 2.0.12
Database engine: PostgreSQL 9.6.15

changsijay commented 4 years ago

I found similar issue when toggling preview pane, which make the code block become bigger and shadowed font.

ccolella-mdc commented 4 years ago

I am having this issue as well.

samprince1991 commented 4 years ago

I am having the same issue as well.

Yivan commented 4 years ago

Same here, I just wanted to add linked task: https://github.com/Requarks/wiki/issues/1370

Yivan commented 4 years ago

@NGPixel I would like to add that it should be really prioritized please, because it can break totally the preview page, meaning we can no more preview at all.

Using this code:

<?php

include __DIR__ . "/../../../vendor/autoload.php"; // chemin à adapter selon l'emplacement du script

\Pimcore\Bootstrap::setProjectRoot();
\Pimcore\Bootstrap::bootstrap();

// On peut maintenant appeler les méthodes Pimcore

// On peut aussi paramétrer PHP
error_reporting(E_ALL); // on affiche même les erreurs de niveau notice
set_time_limit(0); // pas de limite de temps
ini_set('memory_limit', '2048M'); // on alloue davantage de mémoire

Lead to:

I hope it could really be fixed soon. As it is a core feature the preview mode and very helpfull.

Thanks a lot.

RichardD2 commented 4 years ago

I'm seeing something similar in v2.1.113, trying to add Razor code to a Markdown page. The preview shows the code perfectly, but the page itself doesn't.

Markdown:

Preview:

Rendered page:

RichardD2 commented 4 years ago

If I HTML-encode the HTML block in the Markdown, the preview shows the encoded value, but the page shows the correct value.

Markdown:

Preview:

Page:

NGPixel commented 4 years ago

Fixed by b529ad21c97a7093e9ecc35e2e72fb8148f0c9d0