HTML tags inside image alt shouldn't be parsed #896
Comments
As far as I remember, tags are parsed in alt, but ignored later for security reasons. |
Found a relevant discussion commonmark/commonmark-spec#716 but there is no resolution right now |
Let's close this as spec-related. When the reference parser updates its behaviour, that will be reflected here. |
The reference parser already has this behaviour as you showed in the dingus link |
Thanks for re-opening! |
Which reference parser?
This is
$ echo '![text <textarea> text](image.png)' | /home/user/commonmark.js/bin/commonmark
<p><img src="image.png" alt="text <textarea> text" /></p>
This is
$ echo '![text <textarea> text](image.png)' | /home/user/cmark/build/src/cmark
<p><img src="image.png" alt="text <textarea> text" /></p>
This is
$ echo '![text <textarea> text](image.png)' | /home/user/.local/bin/commonmark
<p><img src="image.png" alt="text text" /></p>
This behavior is absolutely trivial to fix, but maybe people should first agree on how to fix it. |
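Added example (not from the thread and not code from any of the parsers named above): the two outcomes in the preceding comment, reproduced over constructed inline tokens for `![text <textarea> *text*](image.png)`. The token shape and the names `altText`, `renderImage` and `escapeAttr` are assumptions for illustration; in both policies the alt value is HTML-escaped before it is written into the attribute, so a kept tag stays literal characters.

```javascript
// Constructed sample: inline tokens for  ![text <textarea> *text*](image.png)
// The {type, content, children} shape is an assumption for this example.
const sampleTokens = [
  { type: 'text', content: 'text ' },
  { type: 'html_inline', content: '<textarea>' },
  { type: 'text', content: ' ' },
  { type: 'em', children: [{ type: 'text', content: 'text' }] },
];

// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

// Flatten the image description to the plain string used for alt.
// keepRawHtml = true  -> a raw tag is kept as literal characters
// keepRawHtml = false -> a raw tag is dropped ("swallowed")
function altText(tokens, keepRawHtml) {
  let out = '';
  for (const t of tokens) {
    if (t.children) {
      // Nested inline markup (emphasis, links) contributes only its text.
      out += altText(t.children, keepRawHtml);
    } else if (t.type === 'html_inline') {
      out += keepRawHtml ? t.content : '';
    } else {
      out += t.content || '';
    }
  }
  return out;
}

// Build the <img> element; both attribute values are escaped on output.
function renderImage(src, tokens, keepRawHtml) {
  const alt = escapeAttr(altText(tokens, keepRawHtml));
  return `<img src="${escapeAttr(src)}" alt="${alt}" />`;
}

console.log(renderImage('image.png', sampleTokens, true));
console.log(renderImage('image.png', sampleTokens, false));
```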
This is pending too long. Need to decide something Line 301 in 13829a2
Could you suggest short and verbose option name? Something like |
Just to be clear, it seems to me that of the options above, "text <textarea> text" is the least surprising result (and therefore the best choice in my mind). Is that what you are suggesting to make the default? |
My proposal is to disable HTML in image attrs by default (except commonmark mode). So, by default |
Solved in master |
http://markdown-it.github.io/#md3=%7B%22source%22%3A%22%23%20Issue%20579%5Cn%5Cn!%5Btext%20%3Ctextarea%3E%20text%5D%28image.png%29%5Cn%22%2C%22defaults%22%3A%7B%22html%22%3Atrue%2C%22xhtmlOut%22%3Afalse%2C%22breaks%22%3Afalse%2C%22langPrefix%22%3A%22language-%22%2C%22linkify%22%3Atrue%2C%22typographer%22%3Atrue%2C%22_highlight%22%3Atrue%2C%22_strict%22%3Afalse%2C%22_view%22%3A%22src%22%7D%7D
Currently, any HTML tags are swallowed. The spec is a little light https://spec.commonmark.org/0.30/#images but recommends that the string not be parsed.
See how GitHub will render the raw string:
Ref DavidAnson/markdownlint#579