umbraco / Umbraco.Marketplace.Issues

Public issue tracker for Umbraco Marketplace

Allow simple HTML in Markdown #42

Closed abjerner closed 1 year ago

abjerner commented 1 year ago

Most places with Markdown support also support simple HTML in the Markdown. For instance, GitHub supports HTML images and links as well as a number of other elements.

But currently the Marketplace doesn't. I'd argue that the Marketplace should also support HTML elements like these that pose no security threat.

Examples:

https://marketplace.umbraco.com/package/flip.umbraco image

https://marketplace.umbraco.com/package/our.umbraco.extensions.search image

nathanwoulfe commented 1 year ago

The issue here lies somewhere between GitHub and NuGet - the example readmes are fine on GH, both display the rendered rather than raw HTML. However, the same readme files on NuGet do not render the HTML.

Can you guess where we source the readme? I'm no expert on the respective markdown parsers, but looks to me like NuGet doesn't trust any HTML, so encodes the strings.

Easiest solution here would be to update to use correct markdown, which would also have the benefit of fixing display on NuGet. We could in theory change the marketplace to read readme from GH rather than NuGet, but that would still leave broken readmes on NuGet.

If the package includes the umbraco-marketplace-readme.json file, inline HTML parses correctly (we handle the markdown parsing ourselves for this file).

Given that, the options are these:

Like I said above, we may be able to update how we manage the readme docs, which would remove the need for either of the above workarounds.

Pinging @AndyButland for his thoughts too.

abjerner commented 1 year ago

Not a big problem for me. I know that NuGet doesn't support HTML as GitHub does, so I've stopped using HTML for NuGet READMEs myself. I've just spotted a few other packages that still used HTML - e.g. like yours and Callum's.

I would have assumed that you got the README from NuGet as Markdown and could convert it to HTML yourself. If you get it as HTML instead, I can see why it may be a bit more difficult to do anything about.

nathanwoulfe commented 1 year ago

Comes from NuGet as converted HTML unfortunately. I guess we could get it from the project source (usually GitHub, but not always), similar to how we manage the umbraco-marketplace-readme file. Adds a bit more overhead to the import/sync tasks too.

I shouldn't have been lazy and used Markdown rather than pasting HTML into the readme...

AndyButland commented 1 year ago

Yes, I think we'll need to leave these as is unfortunately, and rely on package owners to hopefully clean up - particularly as they see the same issue on NuGet too.

We are getting the HTML from NuGet, and in these cases it is already encoded. I guess we could try to decode, but that perhaps leads to some XSS concerns, and even if we did the second example provided would still lead to a broken image.
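
The decode step weighed in the comment above, paired with the sanitizing pass it would need, as an added example that is not part of the original thread or of the Marketplace code base: the fragment is entity-decoded once and then rebuilt through a tag, attribute and URL-scheme allowlist. The allowlist contents, the function names and the sample input are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for illustration (not the Marketplace's): tag -> attributes kept.
ALLOWED = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
           "p": set(), "br": set(), "em": set(), "strong": set(), "code": set()}
URL_ATTRS = {"href", "src"}
VOID = {"img", "br"}  # elements that never get a closing tag

def safe_url(value):
    """Accept only absolute http(s) URLs; relative and script URLs are refused."""
    try:
        return urlsplit(value.strip()).scheme in ("http", "https")
    except ValueError:
        return False

class AllowlistRenderer(HTMLParser):
    """Re-emits allowlisted tags only; all text content comes out HTML-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # tag dropped; any text inside it is still escaped below
        kept = [(n, v) for n, v in attrs if n in ALLOWED[tag] and v is not None
                and (n not in URL_ATTRS or safe_url(v))]
        rendered = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def render_encoded_readme(fragment):
    """Decode entity-encoded README HTML once, then rebuild it via the allowlist."""
    renderer = AllowlistRenderer()
    renderer.feed(html.unescape(fragment))
    renderer.close()
    return "".join(renderer.out)

# Constructed sample: an entity-encoded fragment of the kind the thread describes.
SAMPLE = ('&lt;img src="https://example.com/logo.png" alt="Logo" onerror="alert(1)"&gt;'
          '&lt;a href="javascript:alert(1)"&gt;docs&lt;/a&gt;')
```

Decoding without the allowlist pass would hand the `onerror` handler and the `javascript:` link to the browser as live markup; with it, `render_encoded_readme(SAMPLE)` keeps the image and the link text only.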

abjerner commented 1 year ago

Not really a problem for me - I don't think I'm using HTML for any of my packages 😄

Just spotted this in a package from a guy named Nathan as well as @callumbwhyte's packages.