gjtorikian/html-pipeline

Suggestion: add more tags to the sanitization filter

Closed this issue · 3 comments

stoerr commented

I'd like to suggest adding a couple of HTML tags to the sanitization list:

button, input, fieldset, legend, textarea, select, option

The reason I'm stumbling over this is that I'm currently documenting a couple of features with new dialogs in a markdown file. Now, actual HTML fragments seem quite a nice way to make dialog wireframes (and can even be easily generated by ChatGPT), but, strangely, aren't rendered.

I do realize that you want to prevent functional forms in Markdown to prevent unintended security consequences. But neither inputs nor buttons do anything on their own if the form tag is missing, right?

What were the actual reasons those weren't whitelisted?

Thanks so much!

The first question I would ask is how are you initializing/consuming the pipeline? Because you can add any tag you want:

require "html_pipeline"

# Copy the default config instead of mutating the shared constant, then add
# the tag names with `+=` so each entry is a String. (`<< ["button", "input"]`
# would append one nested Array that never matches a tag name.)
ALLOWLIST = HTMLPipeline::SanitizationFilter::DEFAULT_CONFIG.dup
ALLOWLIST[:elements] += ["button", "input"]

# Markdown conversion is the convert filter (a single filter, not an array);
# no text filters are needed for this case.
pipeline = HTMLPipeline.new \
  convert_filter: HTMLPipeline::ConvertFilter::MarkdownFilter.new,
  sanitization_config: ALLOWLIST

markdown = "Click <button>Save</button> to store the <input type=\"text\"> value."
html = pipeline.call(markdown)[:output]

Would this work for you?
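The allowlist-building step from the reply above, worked through as an added example (this editor's code, not html-pipeline's own). It uses a constructed stand-in for HTMLPipeline::SanitizationFilter::DEFAULT_CONFIG that assumes the same key shape as a Selma sanitizer config (:elements, :attributes with an :all key, :protocols) and that the real constant is deep-frozen; both are assumptions about the real gem. It shows the two pitfalls a practitioner hits here (a frozen config, and `<<` appending a nested Array instead of tag names) and deliberately keeps `form`, `formaction`, `formmethod` and `formtarget` out of the allowlist, because those attributes can reattach a control to a form elsewhere in the page even when the fragment contains no form tag.

```ruby
# Added example, not html-pipeline's code. BASE_CONFIG is a constructed,
# deliberately small stand-in for HTMLPipeline::SanitizationFilter::DEFAULT_CONFIG;
# the key shape (elements / attributes / protocols, :all for global
# attributes) and deep freezing are assumptions about the real constant.
BASE_CONFIG = {
  elements: ["a", "p", "code", "pre"].freeze,
  attributes: {
    "a" => ["href"].freeze,
    all: ["class", "id"].freeze,
  }.freeze,
  protocols: {
    "a" => { "href" => ["http", "https"].freeze }.freeze,
  }.freeze,
}.freeze

# Recursively copy a (possibly deep-frozen) config so it can be edited
# without raising FrozenError and without touching the shared constant.
def deep_dup(obj)
  case obj
  when Hash  then obj.each_with_object({}) { |(k, v), h| h[k] = deep_dup(v) }
  when Array then obj.map { |v| deep_dup(v) }
  else obj.dup
  end
end

# Return a new config with extra tags (and optional per-tag attributes)
# allowed. `+` yields one String per tag; `<< ["button"]` would append a
# single nested Array that no tag name ever equals.
def allow_elements(config, elements, attributes: {})
  merged = deep_dup(config)
  merged[:elements] = (merged[:elements] + elements).uniq
  attributes.each do |tag, attrs|
    merged[:attributes][tag] = ((merged[:attributes][tag] || []) + attrs).uniq
  end
  merged
end

def element_allowed?(config, tag)
  config[:elements].include?(tag)
end

def attribute_allowed?(config, tag, attr)
  (config[:attributes][tag] || []).include?(attr) ||
    (config[:attributes][:all] || []).include?(attr)
end

# The `<<` mistake from the original snippet, kept for comparison.
def broken_extension(config)
  c = deep_dup(config)
  c[:elements] << ["button", "input"]
  c
end

FORM_CONTROL_TAGS = ["button", "input", "fieldset", "legend", "textarea", "select", "option"]

# Attributes that can bind a control to a <form> elsewhere in the page or
# override where it submits; leaving them out keeps the wireframe inert.
FORM_BINDING_ATTRS = ["form", "formaction", "formmethod", "formtarget"]

WIREFRAME_CONFIG = allow_elements(
  BASE_CONFIG,
  FORM_CONTROL_TAGS,
  attributes: {
    "input"  => ["type", "placeholder", "value", "disabled"],
    "button" => ["type", "disabled"],
    "option" => ["selected"],
  }
)

# True when no form-control tag may carry a form-binding attribute.
def form_controls_inert?(config)
  FORM_CONTROL_TAGS.none? do |tag|
    FORM_BINDING_ATTRS.any? { |attr| attribute_allowed?(config, tag, attr) }
  end
end
```

If the real DEFAULT_CONFIG turns out not to be frozen, deep_dup is merely redundant; the point of copying before editing is that a sanitization allowlist shared across pipelines should never be widened in place by one caller.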

stoerr commented

Well, my problem is that the github site itself swallows the tags I mentioned if I view a markdown in a project, like for instance https://github.com/ist-dresden/composum-chatgpt-integration/blob/develop/featurespecs/1ContentCreationDialog.md where I tried it. I was searching for a while where that comes from, and found somewhere the hint that it comes down to that sanitization list I mentioned, which is used by github somewhere. I obviously cannot change how they do that, but perhaps we can tackle the problem at its source. :-)

GitHub does not use this gem. Please open an issue with their Support team.