Proposal for escaping within lexed content #1152
Conversation
Good point, we do depend on #1151. I will rebase once that is merged.
Looks and sounds fine from my perspective. I like that it is disabled by default. I'm interested in hearing from @stanhu on whether or how he thinks we might be able to utilize this in GitLab. If not, that's fine. It's still interesting for others.
I have rebased, and now I believe it's ready to merge pending y'all's +1.

I also added escape functionality to the CLI, which is where I confess I actually need it at this moment, for use in the TeX formatter I'm working on.
Option in config.rb:

```ruby
activate :syntax, :escape => true
```

This enables Rouge's Escape lexer (introduced in rouge-ruby/rouge#1152), which is useful for formatting/highlighting individual pieces of a code block. This lexer passes the contents of `<! … !>` sections unchanged as a raw value into the resulting HTML, effectively allowing you to add inline HTML formatting into a code block at arbitrary places.

WARNING: As described in rouge-ruby/rouge#1152, this can be a major security risk if you don't control the input to the lexer. Don't enable this option for formatting e.g. user-generated content.

Example Markdown (Kramdown):

~~~swift
func add(_ x: Int, y: Int) -> Int {
  return <!<span style="text-decoration: underline;"> !>x + y<!</span>!>
}
~~~
We often receive requests to do things such as underline sections of code, or embed arbitrary html inside of highlighted content. This PR is a proposal to address such features, using a similar tactic as Pygments.

We provide a special `Escape` lexer, which is capable of taking user-defined escape delimiters (default `<!` and `!>`) and rendering their contents into the `Escape` token (also from Pygments). In the HTML formatter (and potentially other formatters), we can allow the `Escape` token to pass as a raw value.

**IMPORTANT**

There is a major security concern with this feature: in some applications (such as Gitlab), an untrusted user will control all of the input text, the lexer choice, and the lexer options. We cannot allow such users to pass unescaped HTML into the output.

For this reason, escaping is disabled by default - the base `Formatter` class will filter all `Escape` tokens and replace them with `Error` tokens before passing the token stream to the `stream` method. In order to enable this feature, a user must explicitly call `Rouge::Formatter.enable_escape!`. It can also be enabled thread-locally with `Rouge::Formatter.with_escape { ... }` and explicitly disallowed with `Rouge::Formatter.disable_escape!`. I think this should have the correct secure defaults and extension opportunities for most applications, but I would appreciate additional security review.

cc @stanhu