Remove source element as HTML block start condition
#710
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Side note, not sure if I should update the changelog file in my PR too or if that happens separately? |
|
Wouldn’t Condition 7 (https://spec.commonmark.org/0.30/#html-blocks) still mess up the markup in the original question (note that “open tag” in CM includes self-closing aka “void” tags), defeating the purpose of this as a solution for it? |
|
@wooorm That is indeed an interesting point and I agree that the spec could be read that way 🤔 |
|
Condition 7 only kicks in for a complete tag on a line by itself. In the examples in the original discussion, the tag is not complete because it continues on the next line. |
|
Hmm, I think it’s the interruption which Condition 7 doesn’t do:
|
This was referenced May 18, 2022
wooorm
added a commit
to micromark/micromark
that referenced
this pull request
May 25, 2022
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Feb 6, 2023
pkgsrc change: remove pkglint warning. 0.29.0.gfm.1 (2021-09-14) * Fixed denial of service bug in GFM's table extension per GHSA-7gc6-9qr5-hc85 0.29.0.gfm.2 (2021-09-16) * Fixed issues with footnote rendering when used with the autolinker (#121), and when footnotes are adjacent (#139). * We now allow footnotes to be referenced from inside a footnote definition, we use the footnote label for the fnref href text when rendering html, and we insert multiple backrefs when a footnote has been referenced multiple times (#229, #230) * We added new data- attributes to footnote html rendering to make them easier to style (#234) 0.29.0.gfm.3 (2022-03-03) * Fixed heap memory corruption vulnerabiliy via integer overflow per GHSA-mc3g-88wq-6f4x 0.29.0.gfm.4 (2022-05-31) * Remove source from list of HTML block elements per commonmark/commonmark-spec#710 0.29.0.gfm.5 (2022-08-25) * Added xmpp: and mailto: support to the autolink extension 0.29.0.gfm.6 (2022-09-15) * Fixed polynomial time complexity DoS vulnerability in autolink extension per GHSA-cgh3-p57x-9q7q 0.29.0.gfm.7 (2023-01-23) * Fixed CVE-2023-22486, a polynomial time complexity issue in cmark-gfm which may lead to unbounded resource exhaustion and subsequent denial of service. * Fixed CVE-2023-22485, in which a crafted markdown document could trigger an out-of-bounds read in the validate_protocol function. * Fixed CVE-2023-22484, a polynomial time complexity issue in cmark-gfm which may lead to unbounded resource exhaustion and subsequent denial of service. * Fixed CVE-2023-22483, several polynomial time complexity issues in cmark-gfm which may lead to unbounded resource exhaustion and subsequent denial of service. * We removed an unneeded .DS_Store file (#291) * We added a test for domains with underscores and fix roundtrip behavior (#292) * We now use an up-to-date clang-format (#294) * We made a variety of implicit integer truncations explicit by moving to size_t as our standard size integer type (#302) * We introduced a new flag mechanism that is used in cmark node state management, which requires clients call the cmark_init_standard_node_flags function at program startup (420c20a) The security issues were reported and resolved by @kevinbackhouse and @philipturnbull of the GitHub Security Lab 0.29.0.gfm.8 (2023-01-25) * We restored backwards compatibility by deprecating the cmark_init_standard_node_flags() requirement, which is now a noop (#305) * We added a quadratic complexity fuzzing target (#304) 0.29.0.gfm.9 Latest (2023-01-31) Code was tidied: * Use of a private header was cleaned up #248 * Man page was update #255 * Warnings for -Wstrict-prototypes were cleaned up #285 * We avoid header duplication #289 New functionality: * We now store positioning info for url_match #201 * We now expose cmark_parent_footnote_def for non-C renderers #254 * Footnote aria-label text now reference the specific footnote backref, and we include a data-footnote-backref-idx attribute so the label can be internationalized in a downstream filter #307
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Following up on a conversation on talk.commonmark.org, I'm proposing to update the spec to remove the
sourceelement as a start condition for HTML blocks.During my research, I could not find any supporting evidence that it should be starting an HTML block and the fact that it currently does is causing difficult issues when trying to render
<video>,<audio>, or<picture>tags. More details are also in the linked discussion.