Suggestion: add more tags to the sanitization filter #378
The first question I would ask is how are you initializing/consuming the pipeline? Because you can add any tag you want:

```ruby
require "html_pipeline"

# Build the allowlist from the gem's default config. The default is frozen, so
# derive a new hash with the extra elements instead of appending in place
# (and note that `<< ["button", "input"]` would push one nested array, not two tag names).
DEFAULT = HTMLPipeline::SanitizationFilter::DEFAULT_CONFIG
ALLOWLIST = DEFAULT.merge(elements: DEFAULT[:elements] + ["button", "input"])

pipeline = HTMLPipeline.new(
  convert_filter: HTMLPipeline::ConvertFilter::MarkdownFilter.new, # Markdown -> HTML; takes a single filter
  sanitization_config: ALLOWLIST
)
```

Would this work for you?
Well, my problem is that the GitHub site itself swallows the tags I mentioned if I view a markdown file in a project, like for instance https://github.com/ist-dresden/composum-chatgpt-integration/blob/develop/featurespecs/1ContentCreationDialog.md where I tried it. I was searching for a while where that comes from, and found somewhere the hint that it comes down to that sanitization list I mentioned, which is used by GitHub somewhere. I obviously cannot change how they do that, but perhaps we can tackle the problem at its source. :-)
GitHub does not use this gem. Please open an issue with their Support team.
I'd like to suggest adding a couple of HTML tags to the sanitization list:
button, input, fieldset, legend, textarea, select, option
The reason I'm stumbling over this is that I'm currently documenting a couple of features with new dialogs in a markdown file. Now, actual HTML fragments seem quite a nice way to make dialog wireframes (and can even be easily generated by ChatGPT), but, strangely, aren't rendered.
I do realize that you want to prevent functional forms in Markdown to prevent unintended security consequences. But neither inputs nor buttons do anything on their own if the form tag is missing, right?
What were the actual reasons those weren't whitelisted?
Thanks so much!
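Added example, not code from the gem or from anyone in this thread: a stdlib-only Ruby sketch that mirrors the shape of html-pipeline's sanitization config (`elements:` plus `attributes:` keyed by tag name and `:all`) so the two points raised above can be seen without the gem installed. It derives an extended allowlist from a frozen default without mutating it (the maintainer's snippet), and it shows why allowing `<button>` and `<input>` as elements is only as safe as the attribute allowlist that goes with them: the `form` and `formaction` attributes let a control associate with, or submit to, a form elsewhere in the page even when no `<form>` appears in the Markdown, so a sanitizer that keeps the elements must still strip those attributes. `DEFAULT_CONFIG` here is a constructed subset, not the gem's real list, and the regex tokenizer is a simplification that only handles well-formed tags.

```ruby
# Added example, not html-pipeline's code: a stdlib-only allowlist sanitizer that
# mirrors the shape of the gem's sanitization config ({ elements: [...],
# attributes: { "tag" => [...], :all => [...] } }) so the effect of allowing
# <button> and <input> can be seen without the gem installed.
# The tokenizer is a simplification for well-formed tags; it is not a full HTML parser.

# Constructed default: a small subset standing in for the gem's real list.
# Like the gem's default, it is frozen.
DEFAULT_CONFIG = {
  elements: %w[p a strong em ul li].freeze,
  attributes: {
    "a"  => %w[href].freeze,
    :all => %w[title lang].freeze,
  }.freeze,
}.freeze

# Derive an extended allowlist without mutating the frozen default.
# `DEFAULT_CONFIG[:elements] << "button"` raises FrozenError, and
# `<< ["button", "input"]` would push one nested array that never equals a tag name.
def extend_allowlist(config, elements: [], attributes: {})
  merged_attributes = config[:attributes].merge(attributes) { |_tag, old, new| (old + new).uniq }
  config.merge(elements: (config[:elements] + elements).uniq, attributes: merged_attributes)
end

TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>}
ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# Keep only allowlisted elements, and on each kept element only allowlisted attributes.
# Text between tags passes through unchanged; an element that is not allowlisted is
# dropped while its inner text is kept.
def sanitize(html, config)
  html.gsub(TAG_RE) do
    closing, name, raw_attrs = $1, $2.downcase, $3
    next "" unless config[:elements].include?(name)
    next "</#{name}>" if closing == "/"

    allowed = (config[:attributes][name] || []) + (config[:attributes][:all] || [])
    kept = raw_attrs.scan(ATTR_RE).filter_map do |attr, dq, sq, bare|
      attr = attr.downcase
      next unless allowed.include?(attr)
      value = dq || sq || bare
      value ? %(#{attr}="#{value.gsub('"', "&quot;")}") : attr
    end
    kept.empty? ? "<#{name}>" : "<#{name} #{kept.join(" ")}>"
  end
end

# Allowlist for dialog wireframes: the two controls plus the attributes a mock-up
# needs. `form`, `formaction` and event handlers are deliberately not listed, because
# those are what would let a control act on a form elsewhere in the page.
WIREFRAME_CONFIG = extend_allowlist(
  DEFAULT_CONFIG,
  elements:   %w[button input],
  attributes: { "input" => %w[type value], "button" => %w[type] },
)

# Constructed input: a wireframe fragment carrying the attributes a sanitizer must strip.
WIREFRAME = '<p>Name: <input type="text" name="q" onfocus="alert(1)" form="f1"> ' \
            '<button formaction="https://example.invalid/x" type="submit">Save</button></p>'

if __FILE__ == $PROGRAM_NAME
  puts sanitize(WIREFRAME, DEFAULT_CONFIG)    # controls dropped, their text kept
  puts sanitize(WIREFRAME, WIREFRAME_CONFIG)  # controls kept; form, formaction, onfocus stripped
end
```

With the constructed default the whole `<input>` and `<button>` disappear and only the text survives; with the wireframe config the controls are rendered but come out as `<input type="text">` and `<button type="submit">`, which is exactly the "inert mock-up" the issue asks for. The design point is that the element allowlist and the attribute allowlist have to be extended together and deliberately, and that `form`/`formaction` belong in the same category as `on*` handlers for this purpose.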