External markup renderer doesn't show any embedded images #3025

Closed
2 of 7 tasks
kzfm opened this issue Nov 29, 2017 · 23 comments
Labels
issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented type/bug

Comments

@kzfm

kzfm commented Nov 29, 2017

  • Gitea version (or commit ref): 1.3
  • Git version: Not relevant
  • Operating system: Not relevant
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

I added some options to my app.ini.

[markup.ipynb]
ENABLED = true
FILE_EXTENSIONS = .ipynb
RENDER_COMMAND ="jupyter nbconvert --stdin --stdout --to html"
IS_INPUT_FILE = false

Now, converting from ipynb to html works, but it doesn’t show any embedded images.

My Jupyter notebook example code is here.

%matplotlib inline
import matplotlib.pyplot as plt
import numpy as np
x = np.linspace(0, 10, 100)
y = np.sin(x)
plt.plot(x, y);

...

Screenshots

@lunny
Member

lunny commented Nov 29, 2017

Any repository example on github?

@kzfm
Author

kzfm commented Nov 29, 2017

I created a repo.

@lunny lunny added the type/bug label Nov 29, 2017
@lunny
Member

lunny commented Nov 29, 2017

Some tags may have been removed for safety.

@lunny lunny added this to the 1.4.0 milestone Nov 29, 2017
@lunny
Member

lunny commented Dec 2, 2017

This is because the renderer generates an <html> tag, but Gitea ignores that tag and its sub-tags.

@memetb

memetb commented Jan 1, 2018

I'm not clear why there's a need to use jupyter at all. gogs is able to preview these files just fine without having to re-render them (which can be unsafe and time costly). Is there a reason why this feature was lost?

@ivoszz

ivoszz commented Apr 23, 2018

Same problem for asciidoc. The rendered path for images has the form "https://name.domain/user/repo/src/branch/master/file.png" instead of the correct "https://name.domain/user/repo/raw/branch/master/file.png".

@lunny
Member

lunny commented Apr 29, 2018

@ivoszz your issue is different from this one; maybe you could file another one.

@techknowlogick techknowlogick modified the milestones: 1.5.0, 1.6.0 May 25, 2018
@lafriks lafriks modified the milestones: 1.6.0, 1.7.0 Sep 16, 2018
@pavilo

pavilo commented Nov 23, 2018

It looks like the root cause for this is in the sanitizer. It removes a lot of things, such as inline (incl. scoped) CSS, images with data URIs, iframes, etc. Is it possible to add an external sanitization configuration per markup handler?
To make something meaningful out of the external markup renderer, one may have to use things like scoped CSS, images (both data URIs and links to raw project resources) and unfortunately sometimes also JavaScript (e.g. MathJax, Jupyter widgets, etc.). In extreme cases an iframe may be required too.

This configuration mostly works for a jupyter notebook with python code and embedded images:

sanitizer.policy.AllowImages()
sanitizer.policy.AllowDataURIImages()
sanitizer.policy.AllowLists()
sanitizer.policy.AllowTables()
sanitizer.policy.AllowAttrs("class").Globally() // may be targeted at concrete elements, e.g. div, span, a, h1 ...
sanitizer.policy.AllowAttrs("type", "scoped").OnElements("style")
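
Permitting data URI images, as the policy in the comment above does, means deciding which payloads count as an image. The following is an added example, not code from this thread, Gitea or its sanitizer library: it shows the checks such an allowance implies, using only the Go standard library. `CheckDataURIImage` and `dataURI` are hypothetical names, and the sample inputs are constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Raster formats only. SVG is left out on purpose: it is XML and can carry script.
var allowedImageTypes = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// CheckDataURIImage (hypothetical helper) accepts src only if it is a base64
// data URI whose declared type is allowlisted and whose bytes sniff as that type.
func CheckDataURIImage(src string) error {
	if !strings.HasPrefix(src, "data:") {
		return errors.New("not a data URI")
	}
	// A missing comma leaves payload empty, which fails the sniff check below.
	meta, payload, _ := strings.Cut(src[len("data:"):], ",")
	declared, enc, _ := strings.Cut(strings.ToLower(meta), ";")
	if !allowedImageTypes[declared] {
		return fmt.Errorf("type %q not allowed", declared)
	}
	if enc != "base64" {
		return errors.New("payload must be base64")
	}
	raw, err := base64.StdEncoding.DecodeString(payload)
	if err != nil {
		return fmt.Errorf("bad base64: %w", err)
	}
	if sniffed := http.DetectContentType(raw); sniffed != declared {
		return fmt.Errorf("declared %s but content is %s", declared, sniffed)
	}
	return nil
}

func dataURI(mime string, body []byte) string { // builds constructed sample values
	return "data:" + mime + ";base64," + base64.StdEncoding.EncodeToString(body)
}

func main() {
	png := []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR") // constructed: PNG signature only
	fmt.Println(CheckDataURIImage(dataURI("image/png", png)))
	fmt.Println(CheckDataURIImage(dataURI("image/svg+xml", []byte("<svg/>"))))
	fmt.Println(CheckDataURIImage(dataURI("image/png", []byte("<html><body>x</body></html>"))))
}
```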

@bekker

bekker commented Nov 28, 2018

I'm not sure it's exactly the same issue, but <img> tags with a relative image path in .md files need to be switched to the 'raw' path, like GitHub and Gogs handle them.


@lafriks lafriks modified the milestones: 1.7.0, 1.8.0 Dec 27, 2018
@techknowlogick techknowlogick modified the milestones: 1.8.0, 1.9.0 Feb 19, 2019
@programagor

@pavilo Does that mean that I'd need to recompile Gitea with the modified sanitizer.go in order to display Jupyter notebooks? Is it possible to expose these settings in app.ini instead?

@Tdarnell

I have also run into this issue and would second disabling certain sanitiser settings in the markdown.jupyter section of app.ini

@pavilo

pavilo commented Feb 23, 2019

@programagor - yes, recompilation may be needed. Moreover, I only tested this config as a standalone golang executable, to make sure that the jupyter page renders as expected. The integration into gitea may require additional modifications.

@stale

stale bot commented Apr 24, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

@stale stale bot added the issue/stale label Apr 24, 2019
@worthy7

worthy7 commented Apr 25, 2019

Hi, this is a problem. I created images in my Markdown file like this:

![vs-install](./doc/markdown-images/install.png)

And on my local machine, using the VS Markdown preview extension, it can see them fine.

When uploaded to gitea, it is trying to render this:
http://localhost:3000/Me/MyProject/media/branch/master/doc/markdown-images/install.png

Which gives a 404.

As you can see, the problem is that it is ignoring subfolders doc/markdown-images/

@stale stale bot removed the issue/stale label Apr 25, 2019
@worthy7

worthy7 commented Apr 25, 2019

OK, the problem is that it needs to be like this:

  1. remove the ./ from the beginning
  2. use CAPS file extensions

![vs-install](doc/markdown-images/install.PNG)

@eapetitfils

@worthy7 Yes, that's what I thought. This bug is about images that are embedded in the HTML since images do not exist as a separate file. For markdown, this was an issue with path only.

For this particular bug, the solution is trivial but implies some security questions. I could not find any credible exploit possible, but I am no security expert. Are we happy if I modify it and do a pull request so that this can be discussed there instead of pushing the milestone here?

@worthy7

worthy7 commented Apr 25, 2019

@eapetitfils Ah sorry, didn't mean to issue hijack.
I'm not sure what bug you are referring to in your second paragraph there: mine, or this issue #3025.

@eapetitfils

@worthy7 no problem, at least the next person wondering why the images are not shown will see your answer.

The bug (or undesired feature, as a matter of fact) I am referring to is this issue #3025, not the markdown one.

@techknowlogick techknowlogick modified the milestones: 1.9.0, 1.10.0 Jun 4, 2019
@limenleap

limenleap commented Jun 10, 2019

I got kind of a workaround. Not a good solution, but a workaround:

It looks to me that the sanitizer does not disturb a div tag with an ID.

So in Windows I wrote a batch file which just echoed that div thus:

@echo ^<div id='splview-%1' ^>Click here to view this file^</div^>

In the above statement %1 is the name of the temporary file that Gitea creates just before executing this batch file. (In Linux bash script, I think the parameter is $1 )

Now, before echoing out that statement, I of course did all the work (shhh... don't tell Gitea) and saved the converted HTML file somewhere else.

Then, in the custom template at custom\templates\custom\footer.tmpl in the Gitea executable folder, I wrote this script block:

$('div[id^="splview-"]').click(function () {
    alert($(this).attr('id'));
    // Instead of alerting... you should parse the id and
    // do whatever else that is needed to display the freshly constructed html
});

In my case, I am over-writing just one HTML file so for each file that uses this route, the eventual batch file generated HTML would be the same file (i.e. it is overwritten) -- at least that is what I plan to do.

I have reached till here -- now I need to write the code for popping up a separate window to display that batch file generated HTML ....

Note:
I had ensured that the custom/conf/app.ini file was configured to execute that batch file, as the external renderer, for the given filetype

Hope this works out. Fingers crossed

@stale

stale bot commented Aug 9, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

@stale stale bot added the issue/stale label Aug 9, 2019
@lunny lunny added the issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented label Aug 10, 2019
@stale stale bot removed the issue/stale label Aug 10, 2019
@techknowlogick techknowlogick modified the milestones: 1.10.0, 1.11.0 Sep 3, 2019
@techknowlogick techknowlogick modified the milestones: 1.11.0, 1.x.x Dec 30, 2019
@entron

entron commented Jul 28, 2020

Same problem here. Any updates on this issue?

@mrsdizzie
Member

You can now exclude classes from the sanitizer for these cases, described with example here:

https://docs.gitea.io/en-us/external-renderers/#appini-file-configuration

Other issues with generated image paths have been fixed previously as well.

@lunny lunny removed this from the 1.x.x milestone Sep 8, 2020
@entron

entron commented Sep 20, 2020

@mrsdizzie Thanks for the update! Could you give an example for showing embedded plots in Jupyter notebooks? I couldn't find it in the documentation.

@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020