Fix a regression with the new Markdown HTML sanitizing code.
Review Request #11598 — Created April 18, 2021 and submitted
3.0.21 fixed a security vulnerability in Markdown links by bringing in bleach and bleach-allowlist, the latter of which contained pre-defined HTML tags and attributes that are allowed by Markdown output.

The list wasn't comprehensive enough, and it broke tables, code block styling, and impacted emojis.

We're no longer using bleach-allowlist, and instead are defining our own list of tags and attributes we consider safe for our needs. Along with this, we now have unit tests covering all the Markdown features that are either standard or provided through extensions we enable, helping ensure we don't regress in the future.
Unit tests passed.
Manually tested that all formerly-broken functionality has been restored.
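To illustrate the allowlist approach the description refers to, here is an added example that is not Review Board's or Djblets' code (the real implementation drives bleach): a small allowlist-based HTML sanitizer built on Python's stdlib parser. The tag and attribute sets are constructed for illustration; the `tfoot` case shows how an over-narrow list silently breaks a table while still leaving dangerous markup out.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for illustration (not Review Board's real list): the
# table and code-block tags are exactly what an over-narrow list would lose.
ALLOWED_TAGS = {"p", "a", "br", "img", "pre", "code", "div", "span", "strong",
                "em", "table", "thead", "tbody", "tfoot", "tr", "th", "td"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "class"},
                 "code": {"class"}, "div": {"class"}, "span": {"class"},
                 "td": {"align"}, "th": {"align"}}
SAFE_PROTOCOLS = ("http:", "https:", "mailto:")
VOID_TAGS = {"br", "img"}

class AllowlistSanitizer(HTMLParser):
    def __init__(self, tags, attrs):
        super().__init__(convert_charrefs=True)
        self.tags, self.attrs, self.out, self.skip = tags, attrs, [], 0

    def handle_starttag(self, tag, attrs):
        if tag not in self.tags:
            if tag in ("script", "style"):
                self.skip += 1  # hide their contents entirely
            return  # other unknown tags: drop the tag, keep its inner text
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name not in self.attrs.get(tag, ()):
                continue  # e.g. onerror=, onclick=, style= are dropped
            if name in ("href", "src"):  # only allow known-safe URL schemes
                scheme = "".join(value.split()).lower().split("/")[0]
                if ":" in scheme and not scheme.startswith(SAFE_PROTOCOLS):
                    continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(self.skip - 1, 0)
        elif tag in self.tags and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:  # text is re-escaped, so entities come out safe
            self.out.append(escape(data, quote=False))

def sanitize(html, tags=ALLOWED_TAGS, attrs=ALLOWED_ATTRS):
    parser = AllowlistSanitizer(tags, attrs)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Passing `tags=ALLOWED_TAGS - {"tfoot"}` reproduces the regression class described above: the footer rows survive but their `tfoot` wrapper is stripped, so the table no longer renders as intended.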
| Summary | ID |
|---|---|
| | 998677a45fb9f479765d3a0cb9c959ff7d8e676f |
| Description | From | Last Updated |
|---|---|---|
| tfoot? | david | |
- Description:
  ~ 2.0.21 fixed a security vulnerability in Markdown links by bringing in
  ~ 3.0.21 fixed a security vulnerability in Markdown links by bringing in
  (rest of the description unchanged)