Fix handling of inline HTML
Currently pulldown-cmark parses inline HTML as HTML (in adherence to the CommonMark spec). Sausagewiki takes this HTML and reframes it as text, because inline HTML is weird.
Instead, the parser should be configured not to look for HTML in the input.
Forked and fixed in pulldown-cmark: https://github.com/maghoff/pulldown-cmark
Upstream pull request: https://github.com/google/pulldown-cmark/pull/103
See https://github.com/maghoff/sausagewiki/compare/proper_html_handling for relevant local changes
This has now been merged to master, so master depends on this fork: https://github.com/maghoff/pulldown-cmark
Keeping this issue open to track upstream development.
Why are you trying to block inline HTML, instead of using a sanitizer pass like GitHub does?
- Inline HTML is a part of the CommonMark spec. If you allow none of it, then you're not compliant.
- CommonMark doesn't include all of the markup types that you probably want. For example, <del>strike through</del>
- pulldown-cmark is not designed to filter any untrusted data. In particular, it does nothing about untrusted URL schemes.
Are at least <!-- --> comments supported or also removed?
@notriddle Thank you for bringing the security issue to my attention. The choice of markup language for the wiki is merely one of many design decisions that have gone into making Sausagewiki what it is. I find Markdown without HTML to be a good, simple markup language, while I do not find the same for Markdown with HTML. Simplicity has been a goal all along, CommonMark conformance not a goal. The alternative for Sausagewiki would not be Markdown with HTML, but rather another simple language altogether.
@vi You could try and see? ☺