Sanitize only potential XSS HTML code, rather than all HTML on submit of edit page about raneto HOT 4 OPEN

You're right and that's a great suggestion.

The patch #370 was put out quickly
#381 is also related

Marking as a bug.
I have limited free time at the moment, but will make some time on the weekends.
PRs also welcomed if you have the time and interest.

#379 also mentions Blockquotes for reference

from raneto.

@Syndamia please check the latest main branch or newest NPM package v0.17.7 (should be published in 24 hours)
I loosened the aggressive sanitization because while security is good it's massively affecting the usability like you mentioned.

Related commit: 863aaf5

Opinion: Security good, but many users are not (hopefully) letting any public visitor edit. Only trusted members / employees / etc

from raneto.

Hello, I'm sorry for the very late response.

Inline HTML

All inline HTML still seems to get escaped. Definition lists seem to be completely unsupported (before I think they were properly parsed and rendered while editing, but then didn't show up on a saved page).

Backticks & quoteblocks

Backticks and quoteblocks seem fixed.

Quotes in metadata

Quotes in metadata still cause issues. Quotes in Title will be saved as-is, while description will be surrounded with single quotes:

---
Title: Test "Number 4"
Description: '"Something important"'
---

This seems to cause issues for the UI, it looks as if any (single or double) quoted text in a metadata block is disregarded. The metadata fields of the aforementioned Markdown looks like this when editing:

P.S. On version 0.17.8 all pages disappear from the left "menu", even when I add a new page. No, they're not just hidden by the styling, the HTML for them doesn't even exist.
For this reason, all testing was done on 0.17.7

from raneto.

Thank you for the detailed update!
I'll look further into this. Seems like the foundation needs a rework, it has been well over 10 years and can use some attention.

from raneto.