cms-dev
Show Markdown task statements in CWS
This ws previously requested in #859, but the discussion there got quite far off topic so i'm making a new issue for it.
I think Markdown would be quite reasonable for writing task statements. I also think some sort of math rendering would be useful. (initially i thought it was completely obvious that this is necessary, but thinking about it a bit more, it's possible to do quite a lot using just a serif italics font for variable names. so maybe it's not quite necessary? but i'd still prefer having it.)
My proposal would be to render task statements as markdown, and use KaTeX for rendering math. (there are other math-in-browser libraries, but i'm not aware of any that are better than katex.) The markdown parser needs to be aware of math syntax to some degree, to avoid interpreting the math syntax as markdown commands. It seems like the markdown-it-py parser we already use has a plugin for this. Then the markdown would be parsed server-side, like it currently is, and math would be rendered client-side by katex.
Some of the math-rendering libraries can apparently also be used server-side, but they all seem to be written in javascript so they would add nodejs as a dependency, which i don't think we'd want.
Another alternative would be to do everything client-side, including markdown. There are plenty of libraries for this. It would then make sense to use the same library for rendering announcements (which would allow removing the server-side dependency on markdown-it-py).
Also, there needs to be some way to include images in task statements. Is it enough to support data:image/png;base64, uris or should we allow uploading additional files for a statement?
I'm not entirely convinced we want markdown instead of arbitrary html (which can be generated by markdown at import time).
In #1352 you said you didn't want admins to be able to inject arbitrary html. Why is this situation different?
Though I think I agree it might be useful.
I think the important difference is that the HTML for a task statement can/should be sanitized, and we can afford the import process to take a bit longer and potentially require some manual editing of the html. This is not the case for questions.
On Mon, 14 Jul 2025, 14:04 p. randla, @.***> wrote:
prandla left a comment (cms-dev/cms#1463) https://github.com/cms-dev/cms/issues/1463#issuecomment-3069232599
In #1352 https://github.com/cms-dev/cms/issues/1352 you said you didn't want admins to be able to inject arbitrary html. Why is this situation different?
Though I think I agree it might be useful.
— Reply to this email directly, view it on GitHub https://github.com/cms-dev/cms/issues/1463#issuecomment-3069232599, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAOPAIZYKALNZQ6B33L3PQT3IOMFNAVCNFSM6AAAAACBNW6FW6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTANRZGIZTENJZHE . You are receiving this because you commented.Message ID: @.***>
I have positive experience with the combination of client-side JS markdown-it with client-side KaTeX.
Pre-processing it to HTML is possible, but especially with KaTeX it's quite heavy-weight and you still have to upload custom stylesheets and fonts with the task.
Generally, I prefer consistency -- if we already use Markdown for questions and announcements, let's use it everywhere.
Also, there needs to be some way to include images in task statements. Is it enough to support
data:image/png;base64,uris or should we allow uploading additional files for a statement?
Using data: URLs for images looks ugly... could we generalize task attachments?
I have positive experience with the combination of client-side JS
markdown-itwith client-side KaTeX.Pre-processing it to HTML is possible, but especially with KaTeX it's quite heavy-weight and you still have to upload custom stylesheets and fonts with the task.
Generally, I prefer consistency -- if we already use Markdown for questions and announcements, let's use it everywhere.
I think forcing markdown is somewhat limiting for statements. I'd have that as an option, but not as the only option.
Okay, so what about two options: raw html or markdown (rendered client-side)? i don't think it'd be much harder to support than just markdown, and it'd give the flexibility to admins who want it.
I'm still unsure about the security implications of fully arbitrary html. if we ever allow admins with access to only some contests, then i think this might lead to compromising other admins (and if we also do the users+admins merge then that might lead to getting access to the rest of aws too). so basically, i think it'd be unlikely to lead to issues right now, but might be a problem for the future.
to mitigate it, we could use some html sanitizer, from a quick search i found bleach and ammonia. i suppose we could allow sanitized html by default, and add a cms.toml option to enable unsanitized html.