utils/html: Provide full control of allowed HTML elements via the configuration file #1007
Conversation
pkvach
changed the title
pkvach
force-pushed
the
fix/remove-hardcoded-allowed-elements-attributes
branch
from
b2136e1
to
fd92ccb
Compare
pkvach
changed the title
pkvach
force-pushed
the
fix/remove-hardcoded-allowed-elements-attributes
branch
from
fd92ccb
to
5cd17a7
Compare
There was a problem hiding this comment.
Thank you for tackling this. I will write my more detailed thoughts on this down later.
For now:
- Keep in mind that this is a massive footgun for people who used this feature as intended and now all their styling is gone.
- The whole markdown rendering configuration is extremely un-intuitive and error prone. We essentially only pass through tunables to
misakaandbleachinstead of providing the admin with sane options. - People expecting GitHub-flavored Markdown (GHFM) to just work are massively let down.
…utes These changes provide full control over the management of "allowed-elements" and "allowed-attributes" through the configuration file. Fixes isso-comments#751
pkvach
force-pushed
the
fix/remove-hardcoded-allowed-elements-attributes
branch
from
5cd17a7
to
1cd4a0c
Compare
Thanks for the thoughtful feedback! I appreciate you taking the time to consider the impact on existing users. Backwards compatibility is a valid concern. If you have any ideas on how we might mitigate disruption or implement the changes more seamlessly, I'd be happy to hear them. |
My biggest concern with this particular PR would be users who have copied a sample config file a few years ago that contained I have a few ideas, none of them perfect:
The config parser silently merging the default config with a user-supplied one also doesn't make things easier here. As for general thoughts on our markdown rendering: Do we really want to make incremental improvements to this pile of hacks or would energy better be spent overhauling the thing and making it radically more user-friendly? I'm happy to review and merge PRs for incremental fixes, but it feels more like treading water than tackling the real issue. Note also that both |
…ements-attributes # Conflicts: # CHANGES.rst
|
Thank you for your thoughts on this.
I've been thinking about that option as well, and I'm leaning more towards it. I will try to move in that direction. |
…ements-attributes # Conflicts: # CHANGES.rst
Added new configuration option "strictly-allowed-html-elements" to specify only allowed HTML tags in the generated output. Fixes isso-comments#751
pkvach
changed the title
|
Made changes to PR with alternative option: added new configuration option |
…ements-attributes # Conflicts: # CHANGES.rst
|
Hey @pkvach, your solution is well-written code-wise, but I still would like to receive some (more) input from actual users regarding their experiences and expectations with markdown/HTML allowlist handling. How do other commenting systems (Commento, Remark42, ...) handle element/attribute whitelisting, if at all? |
|
Thanks for the feedback, @ix5 . |
Checklist
CHANGES.rstbecause this is a user-facing change or an important bugfixWhat changes does this Pull Request introduce?
These changes provide full control over the management of
allowed-elementsandallowed-attributesthrough the configuration file.isso-dev.cfg,server-config.rst, andisso.cfg.test_html.pyto reflect the new configurable approach for allowed elements and attributes.Why is this necessary?
Fixes #751