Fix a regression with the new Markdown HTML sanitizing code.

Review Request #11598 — Created April 18, 2021 and submitted — Latest diff uploaded

Information

Review Board
release-3.0.x

Reviewers

3.0.21 fixed a security vulnerability in Markdown links by bringing in
bleach and bleach-allowlist, the latter of which contained
pre-defined HTML tags and attributes that are allowed by Markdown
output.

The list wasn't comprehensive enough, and it broke tables, code block
styling, and impacted emojis.

We're no longer using bleach-allowlist, and instead are defining our
own list of tags and attributes we consider safe for our needs. Along
with this, we now have unit tests covering all the Markdown features
that are either standard or provided through extensions we enable,
helping ensure we don't regress in the future.

Unit tests passed.

Manually tested that all formerly-broken functionality has been restored.

Commits

Files