
Comments (9)

ChristianMurphy commented on July 22, 2024

Welcome @radarfox! 👋
I'm open to the idea, but am interested in further discussing alternatives first.
For example remark-rehype supports changing or not setting the clobberPrefix https://github.com/remarkjs/remark-rehype#options
Would it make more sense to ask it to not set the prefix there, rather than either:

  • doing, undoing, then redoing the prefix
  • adding conditionals everywhere to check if it has already been applied

Thoughts?

from hast-util-sanitize.

radarfox commented on July 22, 2024

No, that wouldn't work, as I have mentioned in the issue description:

> When the clobber prefix is NOT set in remark-rehype and the sanitize plugin is applied, then footnotes are broken, because IDs are correctly set to user-content-foo, but links are unprefixed e.g. foo.


radarfox commented on July 22, 2024

> adding conditionals everywhere to check if it has already been applied

This solution gives the most sense to me. It shouldn't be a performance problem. It will be checked as the last thing, so it will be invoked only for id and name attributes. Checking the constant length prefix shouldn't be a problem. For most values the first letter won't match and the startsWith will return false.

But I'm not insisting on this solution. If you manage to come up with some better one, that would work with enabled clobber prefix, I would be happy to use it.


ChristianMurphy commented on July 22, 2024

I'm hotfixing this by adding another plugin

Unified does like small modular plugins 🙂

> This solution gives the most sense to me. It shouldn't be a performance problem. It will be checked as the last thing, so it will be invoked only for id and name attributes. Checking the constant length prefix shouldn't be a problem.

I'm not opposed, it does feel a bit strange.
Generally plugins aim to be loosely coupled, this feels like tighter coupling.
Though interested what other @syntax-tree/maintainers think.


wooorm commented on July 22, 2024

> No, that wouldn't work, as I have mentioned in the issue description:
>
> When the clobber prefix is NOT set in remark-rehype and the sanitize plugin is applied, then footnotes are broken, because IDs are correctly set to user-content-foo, but links are unprefixed e.g. foo.

That is intentional. The behavior there is like that to make sure things work safely by default.

This project here intentionally only rewrites id and name. Leaving href untouched.
Then with some browser code, you can make pretty URLs work with safe markup: https://github.com/rehypejs/rehype-sanitize#example-headings-dom-clobbering.

Perhaps this can be better documented, that if you use this, you can pass clobberPrefix: '' to remark-rehype?


Coming back into this, what if a user has a heading “User content 1”?
GitHub eventually ends up with

<h1 tabindex="-1" id="user-content-user-content-1" dir="auto"><a class="heading-link" href="#user-content-1">User content 1<svg …>…</svg></a></h1>

Adding this feature might help you here, but it would break this case.


ben519 commented on July 22, 2024

Hit the same issue today.

@wooorm is the "pretty URLs" solution the only way to make this work? It feels like it adds a fair amount of complexity, particularly regarding where to inject the hash() function in my Next.js project. Also, the code uses setImmediate() which appears to be deprecated.

Note that someone else ran into this issue here.

Update

I was able to make the "pretty URLs" solution work with Next.js


wooorm commented on July 22, 2024

That code shows what GitHub does. Instead of setImmediate, you can use requestIdleCallback, setTimeout, etc.

You can choose what to do. Whether you want pretty hashes or not. Whether you want safe hashes or not. It’s all possible.


wooorm commented on July 22, 2024

Closing due to unresolved issues pointed out in #29 (comment). The issue is also sidestepped when doing what GH does: prefix the IDs but leave the hrefs untouched and use client-side code to “link” the two. I prefer that approach as it uses pretty URLs for users that share those URLs.

from hast-util-sanitize.
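The trade-off described in the comment above and in the earlier “User content 1” comment, modeled as an added example (not code from the thread or from hast-util-sanitize): ids are always prefixed, hrefs stay untouched, and a client-side lookup joins the two. The function names and sample slugs are constructed for illustration; only the `user-content-` prefix comes from the thread.

```javascript
// Added example: a DOM-free model of the id/href handling discussed in this thread.
// All function names are hypothetical; PREFIX is the value quoted in the thread.
const PREFIX = 'user-content-'

// Unconditional prefixing of id/name values.
function prefixAlways(id) {
  return PREFIX + id
}

// The proposed alternative: skip values that already start with the prefix.
function prefixUnlessPresent(id) {
  return id.startsWith(PREFIX) ? id : PREFIX + id
}

// Client-side step: map an untouched href hash to the prefixed id.
// `ids` stands in for the set of ids present in the rendered document.
function resolveHash(hash, ids) {
  const name = decodeURIComponent(hash.replace(/^#/, ''))
  const target = PREFIX + name
  return ids.has(target) ? target : null
}

// Build the ids (prefixed) and hrefs (left as-is) for a list of heading slugs.
function render(slugs, prefixer) {
  return {
    ids: new Set(slugs.map(prefixer)),
    hrefs: slugs.map((slug) => '#' + slug)
  }
}

// Return every href that the client-side lookup cannot resolve.
function brokenLinks(slugs, prefixer) {
  const {ids, hrefs} = render(slugs, prefixer)
  return hrefs.filter((href) => resolveHash(href, ids) === null)
}

// Constructed sample: slugs for the headings "Foo", "1" and "User content 1".
const slugs = ['foo', '1', 'user-content-1']

console.log('always prefix, broken links:', brokenLinks(slugs, prefixAlways))
console.log('conditional prefix, broken links:', brokenLinks(slugs, prefixUnlessPresent))
console.log('conditional prefix, distinct ids:', render(slugs, prefixUnlessPresent).ids.size)
```

With the conditional check, the headings "1" and "User content 1" end up sharing one id, and the link to the second no longer resolves.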

github-actions commented on July 22, 2024

Hi! This was closed. Team: If this was fixed, please add phase/solved. Otherwise, please add one of the no/* labels.
