Remove source element as HTML block start condition #710

Merged (1 commit) on May 17, 2022

Contributor

@lumaxis lumaxis commented May 17, 2022

Following up on a conversation on talk.commonmark.org, I'm proposing to update the spec to remove the source element as a start condition for HTML blocks.

During my research, I could not find any supporting evidence that it should be starting an HTML block and the fact that it currently does is causing difficult issues when trying to render <video>, <audio>, or <picture> tags. More details are also in the linked discussion.

@lumaxis
Contributor Author

lumaxis commented May 17, 2022

Side note, not sure if I should update the changelog file in my PR too or if that happens separately?

@wooorm
Contributor

wooorm commented May 17, 2022

Wouldn’t Condition 7 (https://spec.commonmark.org/0.30/#html-blocks) still mess up the markup in the original question (note that “open tag” in CM includes self-closing aka “void” tags), defeating the purpose of this as a solution for it?

@lumaxis
Contributor Author

lumaxis commented May 17, 2022

@wooorm That is indeed an interesting point and I agree that the spec could be read that way 🤔
It does seem though that applying the change from this PR to cmark does fix the behavior in the way we would want.

@jgm
Member

jgm commented May 17, 2022

Condition 7 only kicks in for a complete tag on a line by itself. In the examples in the original discussion, the tag is not complete because it continues on the next line.

@wooorm
Contributor

wooorm commented May 17, 2022

Hmm, I think it’s the interruption which Condition 7 doesn’t do:

All types of HTML blocks except type 7 may interrupt a paragraph. Blocks of type 7 may not interrupt a paragraph. (This restriction is intended to prevent unwanted interpretation of long tags inside a wrapped paragraph as starting HTML blocks.)
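The two start conditions discussed in this thread, as an added Python sketch (not code from the spec, cmark, or any commenter). It covers only HTML block types 6 and 7; the tag-name set is a shortened, assumed subset of the spec's list, and the sample line is constructed.

```python
import re

# Subset of the spec's type-6 tag names, enough for this demo (assumption:
# the full CommonMark list is longer). "source" is what this PR removes.
TYPE6_BEFORE = {"div", "p", "table", "ul", "section", "source"}
TYPE6_AFTER = TYPE6_BEFORE - {"source"}
TYPE7_EXCLUDED = {"pre", "script", "style", "textarea"}

NAME = r"[A-Za-z][A-Za-z0-9-]*"
VALUE = r'''(?:[^\s"'=<>`]+|'[^']*'|"[^"]*")'''
ATTR = r"(?:\s+[A-Za-z_:][A-Za-z0-9_.:-]*(?:\s*=\s*%s)?)" % VALUE
# Condition 6: "<" or "</", a listed name, then space, tab, ">", "/>" or EOL.
TYPE6_START = re.compile(r"</?(%s)(?:[ \t]|/?>|$)" % NAME)
# Condition 7: one complete open or closing tag, then only spaces/tabs.
TYPE7_LINE = re.compile(
    r"(?:<(%s)%s*\s*/?>|</(%s)\s*>)[ \t]*$" % (NAME, ATTR, NAME))


def html_block_start(line, in_paragraph, type6_names):
    """Return 6 or 7 if `line` starts an HTML block of that type, else None.

    Types 1-5 are left out to keep the demo on the conditions discussed.
    """
    text = line.rstrip("\n")
    stripped = text.lstrip(" ")
    if len(text) - len(stripped) > 3:
        return None  # four or more spaces of indentation: not an HTML block
    m = TYPE6_START.match(stripped)
    if m and m.group(1).lower() in type6_names:
        return 6  # type 6 is allowed to interrupt a paragraph
    m = TYPE7_LINE.match(stripped)
    if m and not in_paragraph:  # type 7 may not interrupt a paragraph
        name = (m.group(1) or m.group(2)).lower()
        if name not in TYPE7_EXCLUDED:
            return 7
    return None


# Constructed sample: the second line of a paragraph that began with
# "Watch this: <video controls>".
SOURCE_LINE = '<source src="clip.mp4" type="video/mp4">'

if __name__ == "__main__":
    for label, names in (("before", TYPE6_BEFORE), ("after", TYPE6_AFTER)):
        print(label, html_block_start(SOURCE_LINE, True, names))
```

Downstream HTML sanitizers see different node types (raw HTML block versus inline HTML inside a paragraph) depending on which branch fires, so a parser upgrade across this change is worth re-testing against existing sanitizer rules.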

@jgm jgm merged commit 053924a into commonmark:master May 17, 2022
@lumaxis lumaxis deleted the remove-source-html-block-condition branch May 18, 2022 13:22
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Feb 6, 2023
pkgsrc change: remove pkglint warning.

0.29.0.gfm.1 (2021-09-14)

* Fixed denial of service bug in GFM's table extension per
  GHSA-7gc6-9qr5-hc85

0.29.0.gfm.2 (2021-09-16)

* Fixed issues with footnote rendering when used with the autolinker (#121),
  and when footnotes are adjacent (#139).

* We now allow footnotes to be referenced from inside a footnote definition,
  we use the footnote label for the fnref href text when rendering html, and
  we insert multiple backrefs when a footnote has been referenced multiple
  times (#229, #230)

* We added new data- attributes to footnote html rendering to make them
  easier to style (#234)

0.29.0.gfm.3 (2022-03-03)

* Fixed heap memory corruption vulnerability via integer overflow per
  GHSA-mc3g-88wq-6f4x

0.29.0.gfm.4 (2022-05-31)

* Remove source from list of HTML block elements per
  commonmark/commonmark-spec#710

0.29.0.gfm.5 (2022-08-25)

* Added xmpp: and mailto: support to the autolink extension

0.29.0.gfm.6 (2022-09-15)

* Fixed polynomial time complexity DoS vulnerability in autolink extension
  per GHSA-cgh3-p57x-9q7q

0.29.0.gfm.7 (2023-01-23)

* Fixed CVE-2023-22486, a polynomial time complexity issue in cmark-gfm
  which may lead to unbounded resource exhaustion and subsequent denial of
  service.

* Fixed CVE-2023-22485, in which a crafted markdown document could trigger
  an out-of-bounds read in the validate_protocol function.

* Fixed CVE-2023-22484, a polynomial time complexity issue in cmark-gfm
  which may lead to unbounded resource exhaustion and subsequent denial of
  service.

* Fixed CVE-2023-22483, several polynomial time complexity issues in
  cmark-gfm which may lead to unbounded resource exhaustion and subsequent
  denial of service.

* We removed an unneeded .DS_Store file (#291)

* We added a test for domains with underscores and fix roundtrip behavior
  (#292)

* We now use an up-to-date clang-format (#294)

* We made a variety of implicit integer truncations explicit by moving to
  size_t as our standard size integer type (#302)

* We introduced a new flag mechanism that is used in cmark node state
  management, which requires clients call the cmark_init_standard_node_flags
  function at program startup (420c20a)

The security issues were reported and resolved by @kevinbackhouse and
@philipturnbull of the GitHub Security Lab

0.29.0.gfm.8 (2023-01-25)

* We restored backwards compatibility by deprecating the
  cmark_init_standard_node_flags() requirement, which is now a noop (#305)

* We added a quadratic complexity fuzzing target (#304)

0.29.0.gfm.9 Latest (2023-01-31)

Code was tidied:

* Use of a private header was cleaned up #248
* Man page was updated #255
* Warnings for -Wstrict-prototypes were cleaned up #285
* We avoid header duplication #289

New functionality:

* We now store positioning info for url_match #201
* We now expose cmark_parent_footnote_def for non-C renderers #254
* Footnote aria-label text now reference the specific footnote backref, and
  we include a data-footnote-backref-idx attribute so the label can be
  internationalized in a downstream filter #307