OpenCloud
/
element-web
mirror of https://github.com/vector-im/element-web
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix markdown escaping wrongly passing html through (#28363) 

* Fix markdown escaping wrongly passing html through

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Add comment

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

---------

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
pull/28375/head
Michael Telatynski 2024-11-04 11:31:44 +00:00 committed by GitHub
parent 1ccbdb21e9
commit 38e5eeea00
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/Markdown.ts
View File

@ -383,6 +383,9 @@ export default class Markdown {
if (isMultiLine(node) && node.next) this.lit("\n\n");
};
return renderer.render(this.parsed);
// We inhibit the default escape function as we escape the entire output string to correctly handle backslashes
renderer.esc = (input: string) => input;
return escape(renderer.render(this.parsed));
}
}

16
test/unit-tests/editor/serialize-test.ts
View File

@ -9,7 +9,7 @@ Please see LICENSE files in the repository root for full details.
import { mocked } from "jest-mock";
import EditorModel from "../../../src/editor/model";
import { htmlSerializeIfNeeded } from "../../../src/editor/serialize";
import { htmlSerializeFromMdIfNeeded, htmlSerializeIfNeeded } from "../../../src/editor/serialize";
import { createPartCreator } from "./mock";
import { IConfigOptions } from "../../../src/IConfigOptions";
import SettingsStore from "../../../src/settings/SettingsStore";
@ -71,6 +71,12 @@ describe("editor/serialize", function () {
const html = htmlSerializeIfNeeded(model, {});
expect(html).toBe("*hello* world");
});
it("escaped markdown should not retain backslashes around other markdown", function () {
const pc = createPartCreator();
const model = new EditorModel([pc.plain("\\*hello\\* **world**")], pc);
const html = htmlSerializeIfNeeded(model, {});
expect(html).toBe("*hello* <strong>world</strong>");
});
it("escaped markdown should convert HTML entities", function () {
const pc = createPartCreator();
const model = new EditorModel([pc.plain("\\*hello\\* world < hey world!")], pc);
@ -153,6 +159,14 @@ describe("editor/serialize", function () {
const html = htmlSerializeIfNeeded(model, { forceHTML: true, useMarkdown: false });
expect(html).toBe("hello world");
});
it("should treat tags not in allowlist as plaintext", () => {
const html = htmlSerializeFromMdIfNeeded("<b>test</b>", {});
expect(html).toBeUndefined();
});
it("should treat tags not in allowlist as plaintext even if escaped", () => {
const html = htmlSerializeFromMdIfNeeded("\\<b>test</b>", {});
expect(html).toBe("&lt;b&gt;test&lt;/b&gt;");
});
});
describe("feature_latex_maths", () => {