
Relax HTML allowlist

Open yhatt opened this issue 2 years ago • 4 comments

Marp Core's default HTML allowlist only allows the <br> tag. It's definitely safe, but this default set does not match real use cases. A lot of Marp users enjoy using custom HTML tags.

It is better to update the default HTML allowlist to include the elements allowed in common Marp slides and web services, e.g. <div>, <span>, and the HTML elements that are converted by Markdown.

https://github.com/gjtorikian/html-pipeline/blob/HEAD/lib/html/pipeline/sanitization_filter.rb is mentioned as GitHub-style sanitization by some famous Markdown parsers (remark, marked-sanitizer-github).

yhatt avatar May 21 '22 15:05 yhatt

Could there be a chance to add the possibility for elements like <button>? For example, I'm working on a presentation and would like to add some buttons to trigger different examples on the slides. In the VSC plugin, the HTML button is rendered but the action is blocked. I assume this is more of an "accident" than intentional behaviour: using Marp CLI to build it as HTML, the button is not rendered, but shown as plain text.

It's understandable that this would, of course, not work as PDF (or even PPTX, I don't want to imagine the hassle to get that working 😓), but in theory for HTML it should be very straightforward.

RicardoMonteiroSimoes avatar Jan 30 '23 16:01 RicardoMonteiroSimoes

This proposal is not intended to allow any actions by embedded JavaScript in HTML by default. So most of the HTML elements and attributes denied in common Markdown parsers, such as the <button> element and onxxxxxx attributes, won't work in Marp by default, even once this issue is resolved.

You should already be able to unlock Marp's limitation to use HTML elements like <button>, without waiting for a chance. If you've unlocked raw HTML in the Marp tools you are using, Marp does not prevent running embedded scripts.

If you felt that the Marp for VS Code extension had blocked JS actions, it's actually VS Code itself, not Marp. (Refer to the VS Code documentation. You can disable it from the alert popup button or the Markdown: Change preview security settings command.)

For example, the following Marp Markdown actually works in the preview provided by the extension with HTML tags enabled:

---
marp: true
---

# Hello

<button onclick="document.querySelector('h1').style.color = 'red';">Change heading color</button>

When using Marp CLI, you should explicitly enable raw HTML tags by adding the --html option.

$ marp -h
...
Marp / Marpit Options:
      --html       Enable or disable HTML tags                         [boolean]

$ marp foobar.md --html

yhatt avatar Jan 30 '23 17:01 yhatt
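The distinction yhatt draws above (an element allowlist is not the same as permitting script: <span> and <div> can be allowed while <button> and on* attributes stay blocked) is easier to see with a concrete filter. The following is an added illustration, not marp-core's sanitizer or any code from this thread. It implements a toy element/attribute allowlist in the same `{ tagName: ['attr', ...] }` shape that marp-core's `html` option accepts; the contents of `ALLOWLIST`, the function names, and the sample inputs are all assumptions made for the example. Disallowed tags are escaped to visible text, which is the behaviour RicardoMonteiroSimoes observed for Marp CLI without --html; allowed tags keep only their allowlisted attributes, so `onclick` on an allowed <span> is dropped rather than rendered.

```javascript
// Added example (not marp-core code): an element + attribute allowlist
// filter. It operates on isolated tags with a regular expression and is
// not a full HTML parser; a production sanitizer should parse the DOM.

// Assumed allowlist, in the { tagName: [allowedAttribute, ...] } shape.
const ALLOWLIST = {
  br: [],
  span: ['style', 'class'],
  div: ['class'],
};

// Escape so that a disallowed tag is shown as plain text instead of
// being interpreted by the browser.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Attribute tokens inside a start tag: name="v", name='v', name=v, or name.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;

// Decide the fate of one tag: keep (with filtered attributes) or escape.
function filterTag(tagSource, allow = ALLOWLIST) {
  const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*?)(\/?)>$/.exec(tagSource);
  if (!m) return escapeHtml(tagSource);
  const [, closing, rawName, attrText, selfClose] = m;
  const name = rawName.toLowerCase();

  // Element not on the allowlist (e.g. <button>, <script>): render as text.
  if (!Object.prototype.hasOwnProperty.call(allow, name)) {
    return escapeHtml(tagSource);
  }
  if (closing) return `</${name}>`;

  // Element allowed: keep only allowlisted attributes. Any on* handler or
  // other attribute not listed (id, href, ...) is silently dropped.
  const allowedAttrs = allow[name].map((a) => a.toLowerCase());
  const kept = [];
  for (const a of attrText.matchAll(ATTR_RE)) {
    const attrName = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (!allowedAttrs.includes(attrName)) continue;
    kept.push(`${attrName}="${escapeHtml(value)}"`);
  }
  return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}${selfClose ? ' /' : ''}>`;
}

// Apply the filter to every tag in a fragment; text between tags is
// left untouched (in Marp it is Markdown and rendered as such).
function sanitize(html, allow = ALLOWLIST) {
  return html.replace(/<\/?[a-zA-Z][^>]*>/g, (tag) => filterTag(tag, allow));
}

// Constructed sample inputs mirroring the thread's cases.
const SAMPLES = [
  '<span style="color:red" onclick="alert(1)">hi</span>',
  '<button onclick="go()">Run</button>',
  'line one<br>line two<BR/>',
];
for (const s of SAMPLES) console.log(sanitize(s));
```

Running it prints the allowed <span> with its `onclick` stripped, the <button> as escaped text, and both <br> forms normalised. Relaxing the default to include <span> and <div>, as this issue proposes, therefore does not by itself let slide authors run script; that only happens when raw HTML is unlocked wholesale (`html: true`, or `--html` in Marp CLI), which is the mode yhatt's <button> example relies on.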

Ah, I must've misread the documentation then; I was under the impression that flag was solely for the output format 😅 But yes, it can be a danger to allow anything to run. But this will allow some great integrations/effects, thank you!

RicardoMonteiroSimoes avatar Jan 30 '23 17:01 RicardoMonteiroSimoes

I would advocate for allowing <span> tags, as then I can use different colors for different parts of the slide.

nikhilweee avatar May 04 '23 17:05 nikhilweee