HTML tags inside image alt shouldn't be parsed

[nschonni]

http://markdown-it.github.io/#md3=%7B%22source%22%3A%22%23%20Issue%20579%5Cn%5Cn!%5Btext%20%3Ctextarea%3E%20text%5D%28image.png%29%5Cn%22%2C%22defaults%22%3A%7B%22html%22%3Atrue%2C%22xhtmlOut%22%3Afalse%2C%22breaks%22%3Afalse%2C%22langPrefix%22%3A%22language-%22%2C%22linkify%22%3Atrue%2C%22typographer%22%3Atrue%2C%22_highlight%22%3Atrue%2C%22_strict%22%3Afalse%2C%22_view%22%3A%22src%22%7D%7D

Currently, any HTML tags are swallowed. The spec is a little light https://spec.commonmark.org/0.30/#images but recommends that the string not be parsed.

See how GitHub will render the raw string:

Ref DavidAnson/markdownlint#579

[puzrin]

CM Dingus https://spec.commonmark.org/dingus/?text=%23%20Issue%20579%0A%0A!%5Btext%20%3Ctextarea%3E%20text%5D(image.png)%0A

As far as i remember, tags are parsed in alt, but ignored later for security reasons.

[nschonni]

Found a relevant discussion commonmark/commonmark-spec#716 but there is no resolution right now

[puzrin]

Let's close this as spec-related. When reference parser updates behaviour, that will be reflected here.

[nschonni]

The reference parser already has this behaviour as you showed in the dingus link

[nschonni]

Thanks for re-opening!
It is definitely under-speced, but one where this is doing something different than remark, so there are conflicts between Prettier (that uses remark) and Markdownlint that uses this library

[rlidwka]

The reference parser already has this behaviour as you showed in the dingus link

Which reference parser?

This is commonmark.js (javascript):

$ echo '![text <textarea> text](image.png)' | /home/user/commonmark.js/bin/commonmark
<p><img src="image.png" alt="text <textarea> text" /></p>

This is cmark (C):

$ echo '![text <textarea> text](image.png)' | /home/user/cmark/build/src/cmark
<p><img src="image.png" alt="text &lt;textarea&gt; text" /></p>

This is commonmark-hs (haskell):

$ echo '![text <textarea> text](image.png)' | /home/user/.local/bin/commonmark
<p><img src="image.png" alt="text  text" /></p>

This behavior is absolutely trivial to fix, but maybe people should first agree on how to fix it.

[puzrin]

This is pending too long. Need to decide something

markdown-it/lib/renderer.js

Line 301 in 13829a2

} else if (tokens[i].type === 'image') {

- blocking this feature via renderer patch is quite easy. But I agree, such behaviour can be very unexpected for ordinary use. Probably, it would be better add option and disable that by default.

Could you suggest short and verbose option name? Something like imageAttrHtml but more pretty.

[DavidAnson]

Just to be clear, it seems to me that of the options above, "text <textarea> text" is the least surprising result (and therefore the best choice in my mind). Is that what you are suggesting to make the default?

[puzrin]

My proposal is to disable HTML in image attrs by default (except commonmark mode). So, by default < and > in text <textarea> text will be escaped.

[puzrin]

Solved in master