GFM HTML Support and Sanitization


#1

Hi,

Thanks @craftzdog for your work!

Just wanted to ask if Inkdrop could use the same Markdown sanitisation as GitHub Flavoured Markdown, which supports divs and tables and also style attributes and so on.
See sanitization_filter.rb here (link from this post).

It would be even cooler if Inkdrop allowed <video />, <audio /> and <iframe /> as well (to e.g. embed YouTube videos or Google Maps iframes)! This could also be a client-only configuration, to prevent attacks when publishing/sharing a note.

Let me know what you think.

Cheers!


#2

Hi andi,

Thank you for the suggestion.
I also want to allow some HTML tags because HTML support is a standard feature of Markdown.
However, there is a difficult problem in terms of implementation.
Inkdrop uses remark-react to render Markdown and it basically doesn’t allow any HTML.

…but each time I look into it and its dependencies, I understand them more deeply and now I think I found a solution with an internal hack.

As you mentioned, HTML should be strictly sanitized in shared notes. I would think basically it should follow GitHub’s sanitization rules. Here is a JSON port of it.
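The allowlist approach described above, as an added example that is neither Inkdrop's code nor the JSON port of GitHub's rules linked here: an allowlist sanitizer over a hast-style tree (the node shape the remark/rehype ecosystem works with), with a constructed schema that keeps divs, tables and links, drops javascript: URLs and inline event handlers, strips <script> together with its contents, and admits the <video>, <audio> and <iframe> embeds from post #1 only when a note is rendered locally rather than shared. The schema contents, tag lists and sample tree are all assumptions made for this example.

```javascript
// Added example, not Inkdrop's code: allowlist sanitization over a hast-style tree ({type, tagName, properties, children}); schema and sample are constructed.
const BASE_SCHEMA = {
  tagNames: ['div', 'p', 'span', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'a', 'img'],
  attributes: { '*': ['className', 'id', 'align'], a: ['href', 'title'], img: ['src', 'alt'] },
  protocols: { href: ['http', 'https', 'mailto'], src: ['http', 'https'] },
  strip: ['script', 'style'], // removed together with their whole subtree
};
const EMBED_ATTRS = { video: ['src', 'controls'], audio: ['src', 'controls'], iframe: ['src'] };
function schemaFor(sharedNote) { // embeds only when rendering locally, never for a shared note
  if (sharedNote) return BASE_SCHEMA;
  return { ...BASE_SCHEMA, tagNames: [...BASE_SCHEMA.tagNames, ...Object.keys(EMBED_ATTRS)],
           attributes: { ...BASE_SCHEMA.attributes, ...EMBED_ATTRS } };
}
// Strip control chars/whitespace first: browsers ignore them, so "java\tscript:" must not pass.
function protocolAllowed(value, allowed) {
  const url = String(value).replace(/[\u0000-\u0020]/g, '');
  const colon = url.indexOf(':');
  if (colon < 0) return true;                         // relative URL, nothing to check
  const scheme = url.slice(0, colon);
  if (/[\/?#]/.test(scheme)) return true;             // the ':' sits inside a path or query
  return allowed.includes(scheme.toLowerCase());
}
function sanitizeNodes(nodes, schema) {
  const out = [];
  for (const node of nodes) {
    if (node.type !== 'element') { if (node.type === 'text') out.push(node); continue; }
    const tag = node.tagName.toLowerCase();
    if (schema.strip.includes(tag)) continue;         // <script>: gone with its contents
    const children = sanitizeNodes(node.children || [], schema);
    if (!schema.tagNames.includes(tag)) { out.push(...children); continue; } // unwrap tag
    const allowed = [...(schema.attributes['*'] || []), ...(schema.attributes[tag] || [])];
    const properties = {};
    for (const [name, value] of Object.entries(node.properties || {})) {
      if (!allowed.includes(name)) continue;          // drops onclick, onload, ...
      if (schema.protocols[name] && !protocolAllowed(value, schema.protocols[name])) continue;
      properties[name] = value;
    }
    out.push({ type: 'element', tagName: tag, properties, children });
  }
  return out;
}
// Constructed sample note body: javascript: link, inline handler, YouTube iframe, script.
const el = (tagName, properties, children = []) => ({ type: 'element', tagName, properties, children });
const SAMPLE_TREE = [el('div', { className: ['note'], onclick: 'x()' }, [
  el('p', {}, [{ type: 'text', value: 'hello' }]),
  el('a', { href: 'java\tscript:alert(1)', title: 't' }, [{ type: 'text', value: 'link' }]),
  el('iframe', { src: 'https://www.youtube.com/embed/EXAMPLE', onload: 'x()' }),
  el('script', {}, [{ type: 'text', value: 'evil()' }]),
])];
```

Run `sanitizeNodes(SAMPLE_TREE, schemaFor(true))` for the shared-note policy and `schemaFor(false)` for local rendering; only the latter keeps the iframe, and neither keeps the handlers, the javascript: href or the script.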


#3

Since Inkdrop is a personal note-taking app, HTML sanitization for notes would not be necessary, because basically you are the only person who is able to see your notes, so HTML should be used at your own risk.
An iframe could potentially break the app; for example, the app might become unable to launch because it loads a malicious website. However, that would be less likely to happen.


#4

Gotcha.


#5

Inline HTML is now supported from v3.22.0. Thanks!


#6

Ah wow, thanks for the really fast response and the update! :heart_eyes:

When I have some time I might create an editor plugin using https://jpuri.github.io/react-draft-wysiwyg/#/


#7

Glad to hear that!

That sounds nice, good luck with your WYSIWYG Markdown editor!