Summary

Fix a regression with the new Markdown HTML sanitizing code.

Review Request #11598 — Created April 18, 2021 and submitted April 18, 2021, 7:08 p.m.

Information

Owner

chipx86

Repository

Review Board

Branch

release-3.0.x

Bugs

Depends On

Reviewers

Groups

reviewboard

People

Description

3.0.21 fixed a security vulnerability in Markdown links by bringing in
bleach and bleach-allowlist, the latter of which contained
pre-defined HTML tags and attributes that are allowed by Markdown
output.

The list wasn't comprehensive enough, and it broke tables, code block
styling, and impacted emojis.

We're no longer using bleach-allowlist, and instead are defining our
own list of tags and attributes we consider safe for our needs. Along
with this, we now have unit tests covering all the Markdown features
that are either standard or provided through extensions we enable,
helping ensure we don't regress in the future.

Testing Done

Unit tests passed.

Manually tested that all formerly-broken functionality has been restored.

Commits

Summary	ID
Fix a regression with the new Markdown HTML sanitizing code. 2.0.21 fixed a security vulnerability in Markdown links by bringing in `bleach` and `bleach-allowlist`, the latter of which contained pre-defined HTML tags and attributes that are allowed by Markdown output. The list wasn't comprehensive enough, and it broke tables, code block styling, and impacted emojis. We're no longer using `bleach-allowlist`, and instead are defining our own list of tags and attributes we consider safe for our needs. Along with this, we now have unit tests covering all the Markdown features that are either standard or provided through extensions we enable, helping ensure we don't regress in the future.	998677a45fb9f479765d3a0cb9c959ff7d8e676f

Summary

Fix a regression with the new Markdown HTML sanitizing code.

2.0.21 fixed a security vulnerability in Markdown links by bringing in `bleach` and `bleach-allowlist`, the latter of which contained pre-defined HTML tags and attributes that are allowed by Markdown output. The list wasn't comprehensive enough, and it broke tables, code block styling, and impacted emojis. We're no longer using `bleach-allowlist`, and instead are defining our own list of tags and attributes we consider safe for our needs. Along with this, we now have unit tests covering all the Markdown features that are either standard or provided through extensions we enable, helping ensure we don't regress in the future.

998677a45fb9f479765d3a0cb9c959ff7d8e676f

Issues

Description	From	Last Updated
tfoot?	david	April 18, 2021, 7:08 p.m.

flake8 passed.

JSHint passed.

Description:: ~
2.0.21 fixed a security vulnerability in Markdown links by bringing in
~
3.0.21 fixed a security vulnerability in Markdown links by bringing in
bleach and bleach-allowlist, the latter of which contained
pre-defined HTML tags and attributes that are allowed by Markdown
output.

The list wasn't comprehensive enough, and it broke tables, code block
styling, and impacted emojis.

We're no longer using bleach-allowlist, and instead are defining our
own list of tags and attributes we consider safe for our needs. Along
with this, we now have unit tests covering all the Markdown features
that are either standard or provided through extensions we enable,
helping ensure we don't regress in the future.

Ship it!

reviewboard/reviews/markdown_utils.py (Diff revision 1)
The issue has been resolved. Show all issues
```
tfoot?
```
1. chipx86 April 18, 2021, 7:07 p.m.
  Markdown tables don't use tfoot, but I'll include it anyway.

Status:: Completed
Change Summary:: Pushed to release-3.0.x (490a4b9)

~		2.0.21 fixed a security vulnerability in Markdown links by bringing in
	~	3.0.21 fixed a security vulnerability in Markdown links by bringing in
		`bleach` and `bleach-allowlist`, the latter of which contained
		pre-defined HTML tags and attributes that are allowed by Markdown
		output.

		The list wasn't comprehensive enough, and it broke tables, code block
		styling, and impacted emojis.

		We're no longer using `bleach-allowlist`, and instead are defining our
		own list of tags and attributes we consider safe for our needs. Along
		with this, we now have unit tests covering all the Markdown features
		that are either standard or provided through extensions we enable,
		helping ensure we don't regress in the future.