Fix a regression with the new Markdown HTML sanitizing code.

Review Request #11598 — Created April 18, 2021 and submitted

Information

Review Board
release-3.0.x

Reviewers

3.0.21 fixed a security vulnerability in Markdown links by bringing in
bleach and bleach-allowlist, the latter of which contained
pre-defined HTML tags and attributes that are allowed by Markdown
output.

The list wasn't comprehensive enough, and it broke tables, code block
styling, and impacted emojis.

We're no longer using bleach-allowlist, and instead are defining our
own list of tags and attributes we consider safe for our needs. Along
with this, we now have unit tests covering all the Markdown features
that are either standard or provided through extensions we enable,
helping ensure we don't regress in the future.

Unit tests passed.

Manually tested that all formerly-broken functionality has been restored.

Summary ID
Fix a regression with the new Markdown HTML sanitizing code.
2.0.21 fixed a security vulnerability in Markdown links by bringing in `bleach` and `bleach-allowlist`, the latter of which contained pre-defined HTML tags and attributes that are allowed by Markdown output. The list wasn't comprehensive enough, and it broke tables, code block styling, and impacted emojis. We're no longer using `bleach-allowlist`, and instead are defining our own list of tags and attributes we consider safe for our needs. Along with this, we now have unit tests covering all the Markdown features that are either standard or provided through extensions we enable, helping ensure we don't regress in the future.
998677a45fb9f479765d3a0cb9c959ff7d8e676f
Description From Last Updated

tfoot?

daviddavid
chipx86
david
  1. 
      
  2. reviewboard/reviews/markdown_utils.py (Diff revision 1)
     
     
     
     
    Show all issues

    tfoot?

    1. Markdown tables don't use tfoot, but I'll include it anyway.

  3. 
      
chipx86
Review request changed
Status:
Completed
Change Summary:
Pushed to release-3.0.x (490a4b9)