syntax-tree / hast-util-sanitize

utility to sanitize hast nodes
https://unifiedjs.com
MIT License

`<input type=checkbox>` support #2

Closed rhysd closed 7 years ago

rhysd commented 7 years ago

I found that the remark compiler removes the <input> of a checklist while transforming. I investigated and found that sanitize() did it. Then I finally found that <input> is missing from the tagNames list. So I added it to the list.

wooorm commented 7 years ago

I thought about this for a little while: first, sanitation is in place because plugins can do whatever to the HTML, unsafe stuff, and the like. I added GitHub’s sanitation: even though they don’t have plugins, they do have raw user input to clean.

GitHub cleans inputs in user input: <input type="text" value="foo">, which follows, is removed: . But they do allow it in task lists, as they generate it.

Here’s another example

* <input type="checkbox" class="task-list-item-checkbox" disabled=""> this has an HTML checkbox
* [ ]  this has a markdown checkbox

Yields:

So I’d rather not include it like this, as it would allow all input elements everywhere.

I can see two solutions:

a) Because remark is inherently different from GH, keep it like it currently is;

b) Specific edge-cases allowed in hast-util-sanitize, as they’re normal in markdown:

I’m not sure if these should be in this project though?

rhysd commented 7 years ago

Thank you for the detailed explanation. I understand and agree that <input> should not simply be allowed :+1:

codeLanguageClass (syntax class on code blocks)

This is a GitHub Flavored Markdown extension. So if this is treated as special case, can we add below as a special case as well?

rhysd commented 7 years ago

I resolved this by creating my own schema and checking <input> at another point. Thanks for the review.

domharrington commented 6 years ago

If anyone comes across this issue in the future, I managed to add support for <input>s only when they're children of <li>s like so:

const sanitizeSchema = require('hast-util-sanitize/lib/github.json');

sanitizeSchema.tagNames.push('input');
sanitizeSchema.ancestors['input'] = ['li'];

This adds support for them in github task lists, but strips them out from everywhere else.
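Added example (my own code, not hast-util-sanitize's): a minimal sanitizer that applies just the two schema rules this thread turns on, `tagNames` (element allow-list) and `ancestors` (an element is allowed only if one of the listed names is among its ancestors), and shows that with the `input`-under-`li` rule above a task-list checkbox survives while a stray `<input>` in a paragraph is dropped. The hast tree, element names and the unwrap behaviour are assumptions for the demo; the real library has many more rules (properties, protocols, strip list), so use it rather than this toy.

```javascript
// Toy sanitizer covering only `tagNames` and `ancestors`. Disallowed elements
// are unwrapped (their children are kept); an <input> has none, so it vanishes.
const baseSchema = { tagNames: ['ul', 'li', 'p'], ancestors: {} };

// Same adjustment as the comment above: allow <input>, but only beneath an <li>.
const taskListSchema = {
  tagNames: baseSchema.tagNames.concat('input'),
  ancestors: { input: ['li'] },
};

function isAllowed(node, ancestors, schema) {
  if (!schema.tagNames.includes(node.tagName)) return false;
  const required = schema.ancestors[node.tagName];
  return !required || ancestors.some((name) => required.includes(name));
}

function sanitizeChildren(children, ancestors, schema) {
  const out = [];
  for (const child of children) {
    if (child.type !== 'element') { out.push(child); continue; }
    const kids = child.children || [];
    if (isAllowed(child, ancestors, schema)) {
      out.push({ ...child, children: sanitizeChildren(kids, ancestors.concat(child.tagName), schema) });
    } else {
      out.push(...sanitizeChildren(kids, ancestors, schema)); // unwrap the disallowed element
    }
  }
  return out;
}

function sanitize(tree, schema) {
  return { ...tree, children: sanitizeChildren(tree.children, [], schema) };
}

function countInputs(node) {
  if (node.type === 'element' && node.tagName === 'input') return 1;
  return (node.children || []).reduce((n, c) => n + countInputs(c), 0);
}

// Constructed hast tree: one task-list checkbox plus a stray <input> inside a paragraph.
const el = (tagName, children, properties = {}) => ({ type: 'element', tagName, properties, children });
const text = (value) => ({ type: 'text', value });
const tree = {
  type: 'root',
  children: [
    el('ul', [el('li', [el('input', [], { type: 'checkbox', disabled: true }), text(' task')])]),
    el('p', [el('input', [], { type: 'checkbox' }), text(' not a task list')]),
  ],
};
// countInputs(sanitize(tree, taskListSchema)) → 1 ; with baseSchema → 0
```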