Fossil Forum

Allowed HTML in Markdown

(1) By Joel Dueck (joeld) on 2022-05-23 17:45:46 [source]

I noticed I can’t use the abbr tag in my wiki pages:

AST

Fossil's Markdown page doesn’t say anything about some tags or attributes being allowed; it just says “Use HTML for advanced formatting such as forms.”

I guess my question is two-fold:

  1. Is it really necessary to whitelist HTML tags in wiki Markdown (as opposed to just the blacklisting that happens depending on the safe-html setting)? If so, could that list be updated to include all the obviously benign tags allowed by HTML5?
  2. Can the Markdown formatting docs be updated to reflect #1 above, whatever the answer is?

(2) By Stephan Beal (stephan) on 2022-05-23 18:01:49 in reply to 1 [link] [source]

> “Use HTML for advanced formatting such as forms.”

It also says that you can use a <html>...</html> to emit the ... part verbatim. That might be a workaround....

AST

Hmm, nope. Ah, there it is in safe_html(). Yes, there is a whitelist in markdown because the forum uses markdown and we don't want people dumping STYLE or SCRIPT blocks into the forum (though the former was possible at one point). i'll get ABBR added to that.

(3) By Stephan Beal (stephan) on 2022-05-23 18:23:27 in reply to 1 [link] [source]

> Can the Markdown formatting docs be updated to reflect #1 above, whatever the answer is?

The missing ABBR tag is now in trunk and the markdown help has been amended to refer to the safe-html setting which controls whether or not the whitelist is used.

(4) By John Rouillard (rouilj) on 2022-05-23 19:22:28 in reply to 3 [link] [source]

Could details and summary be added as well?

(5) By Stephan Beal (stephan) on 2022-05-23 19:35:20 in reply to 4 [link] [source]

> Could details and summary be added as well?

i don't see why not, but that code first needs to be refactored to use an enum, because adding and manually renumbering the associated macros was a pain in the butt (the elements have to be in alphabetical order by tag name for a binary search to work). If you don't see this within a week or so please feel free to ping.

(6) By Joel Dueck (joeld) on 2022-05-23 20:10:23 in reply to 5 [link] [source]

Again, if you're going through this at all (thank you, by the way), it might make sense to just add all the (benign-enough) tags from the current HTML standard.

(7) By Joel Dueck (joeld) on 2022-05-23 20:21:01 in reply to 3 [link] [source]

In looking at the checkin and comparing the new entry for abbr with the existing one for the a element (line 286 of wikiformat.c), it seems like title is still not an allowed attribute for abbr. If so, that should change, because abbr has no functionality without a title attribute.

(I may be reading the code wrong, having no prior familiarity; if so, apologies!)

(8) By Stephan Beal (stephan) on 2022-05-23 20:38:56 in reply to 7 [link] [source]

> If so, that should change, because abbr has no functionality without a title attribute.

i'll get that patched. If you have a list of "benign enough" tags, please post them. Digging through the HTML spec to find them isn't on my todo list this week ;).

(9) By Joel Dueck (joeld) on 2022-05-23 21:15:26 in reply to 8 [link] [source]

Thanks! I’ll try and work up a list of the set difference between the currently allowed tags and those included in the HTML5 spec, along with necessary attributes. It may not be for a few days, though.

(10) By Stephan Beal (stephan) on 2022-05-23 21:27:17 in reply to 9 [link] [source]

> I’ll try and work up a list of the set difference between the currently allowed tags and those included in the HTML5 spec, along with necessary attributes. It may not be for a few days, though.

Great :). The ABBR.TITLE attribute has been added and the prerequisite refactoring has been done to make addition of the upcoming ones much easier.

(11) By John Rouillard (rouilj) on 2022-05-24 00:29:55 in reply to 10 [link] [source]

That's great. I tried to add details (with optional open attribute) and summary with class attribute to my own copy a while ago. I thought I got it right, but it didn't work. I didn't realize I had to alphabetize the list; that's probably why it failed.

Maybe with your changes I can add my own stuff as needed.

(12) By Stephan Beal (stephan) on 2022-05-24 00:40:37 in reply to 11 [link] [source]

> I didn't realize I had to alphabetize the list

Not only does the aMarkup array need to be sorted by tag name, but the corresponding MARKUP_... entries in the markup_t enum (formerly macros) defined further up in the file have to be in the same order and each must increment by 1, starting at 0. There's a note to that effect in the docs for the enum, but it would be very easy to overlook.
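
The sorted-table constraint described in posts 5 and 12, as an added example that is not Fossil's code and not part of any post: a tag and attribute allowlist looked up by binary search, with a self-check that catches the out-of-order or misnumbered entry that otherwise makes a lookup fail silently. All identifiers are hypothetical, and the lookup assumes the caller has already lower-cased the tag name.

```c
#include <string.h>

/* All names here are hypothetical, not Fossil's own identifiers. */
enum { ATTR_CLASS = 1, ATTR_HREF = 2, ATTR_OPEN = 4, ATTR_TITLE = 8 };
/* Enum order must match table order: start at 0, step by 1. */
typedef enum { TAG_A = 0, TAG_ABBR, TAG_DETAILS, TAG_SUMMARY, TAG_COUNT } tag_id;

typedef struct {
  const char *zName;  /* lower-case tag name */
  tag_id id;          /* must equal this entry's index */
  unsigned attrs;     /* bitmask of attributes kept for this tag */
} tag_entry;

static const tag_entry aAllowed[] = {
  { "a",       TAG_A,       ATTR_CLASS | ATTR_HREF | ATTR_TITLE },
  { "abbr",    TAG_ABBR,    ATTR_TITLE },
  { "details", TAG_DETAILS, ATTR_OPEN },
  { "summary", TAG_SUMMARY, ATTR_CLASS },
};

/* Binary search over a[0..n-1]; returns NULL for any tag not listed. */
static const tag_entry *find_tag(const tag_entry *a, int n, const char *z){
  int lo = 0, hi = n - 1;
  while( lo<=hi ){
    int mid = lo + (hi - lo)/2;
    int c = strcmp(z, a[mid].zName);
    if( c==0 ) return &a[mid];
    if( c<0 ) hi = mid - 1; else lo = mid + 1;
  }
  return NULL;
}

/* Self-check: 0 if sorted and id==index, else 1-based index of first bad entry. */
static int check_table(const tag_entry *a, int n){
  for(int i=0; i<n; i++){
    if( (int)a[i].id!=i ) return i + 1;
    if( i>0 && strcmp(a[i-1].zName, a[i].zName)>=0 ) return i + 1;
  }
  return 0;
}

/* An attribute survives only if the tag is listed and its mask has the bit. */
static int attr_allowed(const char *zTag, unsigned attr){
  const tag_entry *p = find_tag(aAllowed, TAG_COUNT, zTag);
  return p!=NULL && (p->attrs & attr)!=0;
}

int main(void){  /* exit status 0 when the table is consistent */
  return check_table(aAllowed, TAG_COUNT) || !attr_allowed("abbr", ATTR_TITLE);
}
```

Running `check_table` once at startup or in a unit test turns a misplaced entry into an immediate failure instead of a tag that is quietly never matched.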