An unclosed, unescaped <script> tag in markdown should be rendered as text to match GH/GL behavior #2246
Comments
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions. |
|
This issue is still very much alive: https://try.gitea.io/wyattoday/Test1234/src/branch/master/README.md |
techknowlogick
added
the
issue/confirmed
|
Should be closed, see https://try.gitea.io/wyattoday/Test1234/src/branch/master/README.md |
|
Still very broken. See : https://try.gitea.io/wyattoday/Test1234/raw/branch/master/README.md Notice how the lines after the <script> tag are not written out. The markdown renderer should remove malicious tags (expecially <script>) to match how other systems like Gitlab / Github render markdown. |
|
How would you suggest we do this? How should they be rendered? Please link to an actual example of how you expect it be rendered and explain your rules for how we are supposed to determine what was "supposed to inside" the unclosed tag that we need to sanitize away. Including what you do when the tag is closed. |
|
Script tags should be stripped completely. Or render them as text. Either way, the current markdown behavior of breaking after a tag it doesn't like isn't a good way to handle things. |
|
The script tag is stripped along with its contents. Script is a block level element so an unclosed script block contains everything after it. |
|
We ran into this issue in real life by writing documentation with <script> being written in some markdown documentation. We wanted it rendered as text. This is how it’s done on GitHub / Gitlab. (See 2 sentences back in this comment for how it’s just rendered as text, no backticks necessary. Just write it and the markdown renders it as text.) So, the ideal solution is to either strip it out correctly (I.e. if the tag is never closed, then loop back and assume it’s a standalone tag), or ideally match the behavior of GH/GL and render as text. What gittea does currently is the worst of both worlds (strips it and breaks the rest of the rendering). |
lunny
added
type/proposal
|
Then, I think the title should be changed to render script tag as text but not it's a break. |
wyattoday
changed the title
|
it appears that @wyattoday wants a completely different DOM to the way bluemonday creates it. They almost want the file to be passed through html tidy before sanitizing, I suspect however that regexp replacing |
Fix go-gitea#2246 Signed-off-by: Andrew Thornton <[email protected]>
generally, im voting to ignore these tags in markdown in the blob api:
this is useful to render html files as markdown in the blob api example:
both do it wrong. |
|
It's impossible to correctly support it by the current goldmark render used by Gitea, unless someone writes a special HTML tag parser for goldmark to handle "unclosed" tags. I believe writing |
|
And we can have a simple improvement to output the broken (unclosed) tags: Make markdown render match GitHub's behavior #34129 , it should be good enough for most cases, telling the writer that "you forgot to correctly close or escape the tags".
|
|
Hmm, good news, according to my test, I think the fix should almost behave the same as GitHub. So I think this issue could be closed as "completed" now. |
[x]):Description
An unclosed, unescaped <script> tag in markdown breaks all subsequent markdown rendering in gitea. The same problem does not effect more benign tags like
<strong>.Gitea should render the <script> tag "as is" (that is, the text, but not emitting the <script> HTML). That would match the behavior in github.
Here's the raw Markdown file: https://try.gitea.io/wyattoday/simple-respository/raw/new-feature-branch/BrokenRendering.md
Here's the broken rendering: https://try.gitea.io/wyattoday/simple-respository/src/new-feature-branch/BrokenRendering.md
Screenshots
The text was updated successfully, but these errors were encountered: