Raw HTML is Shown in Markdown Rendered Text
Assignee: Pavan Rikhi
Target version: v0.7.0 - Misc Pages & UI
Elm 0.18's markdown module would not sanitize any html in a markdown block. The new 0.19 package does this by default, so things like the product/category descriptions are showing the raw HTML.
We can disable the sanitization with the `Markdown.toHtmlWith` function, but should ensure the backend sanitizes these descriptions when they are saved to the database so malicious `<script>` tags don't show up.
Or require rewriting descriptions without HTML when we migrate over? I think the only thing we do in HTML that markdown can't handle is red text. But we could add a "warningText" field or something to products that is shown in red above the rendered product descriptions.
[#1439] Properly Render HTML From Model Fields
Replace calls to the Markdown.toHtml function with a new Views.Utils
function, `rawHtml`, which uses the markdown package but disables its
sanitization process. This allows rendering of the HTML in Product
names, Product/Category descriptions, & StaticPage contents.
Server-side sanitization for these fields will be added to the Admin
pages when they are implemented in a future version.
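The issue description and the commit message above both defer the real control to the server: once the Elm client renders these fields with sanitization disabled, the description stored in the database must already be safe. The following is an added example, not code from this project, of an allowlist sanitizer to run on a description before it is saved. The page does not name the backend language, so Python's standard library is used for illustration; the tag and attribute allowlist, the `warning` class used for red text, and the function names are assumptions.

```python
"""Allowlist HTML sanitizer for user-supplied product/category descriptions.

Constructed example, not the project's own code. The field is markdown with
inline HTML, so only '<' and '&' are escaped in text (escaping '>' would break
markdown blockquotes). Run once on save; the client may then render the stored
text with markdown sanitization disabled.
"""
from html import escape
from html.parser import HTMLParser

# Hypothetical policy: basic formatting plus a span class for red warning text.
ALLOWED_TAGS = {"p", "br", "strong", "em", "b", "i", "ul", "ol", "li", "a", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"class"}}
# Tags whose text content is discarded along with the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of allowed tags we have emitted
        self.drop_depth = 0   # > 0 while inside a dropped-content element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: keep its text, discard the markup
        clean = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler and style attribute
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # blocks javascript: and data: URLs
            clean.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        # Close anything left open after this tag so output stays balanced.
        while self.open_tags:
            open_tag = self.open_tags.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_data(self, data):
        if not self.drop_depth:
            # The parser already decoded entities; re-encode only what can
            # start markup, leaving markdown syntax such as '>' untouched.
            self.out.append(data.replace("&", "&amp;").replace("<", "&lt;"))

    def result(self):
        self.close()  # flush buffered text
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_description(html_text: str) -> str:
    """Return html_text with only allowlisted tags/attributes retained."""
    parser = _Sanitizer()
    parser.feed(html_text)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of a description as it might be submitted.
    sample = ('<p>Heirloom <strong>tomato</strong></p>'
              '<span class="warning">Not frost hardy</span>'
              '<script>alert(1)</script>'
              '<a href="javascript:alert(1)" onclick="x()">details</a>')
    print(sanitize_description(sample))
```

Because the check is on the stored value rather than in the view, the same field is safe no matter which client renders it, and the Elm `rawHtml` helper only has to trust what the database already holds.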