Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HTML lost in WYSIWYG mode #30

Closed
rhukster opened this issue Jan 10, 2018 · 9 comments
Closed

HTML lost in WYSIWYG mode #30

rhukster opened this issue Jan 10, 2018 · 9 comments

Comments

@rhukster
Copy link

I've been looking for a solid WYSIWYG markdown editor for some time, and Toast looks very promising! I've just been testing with the demo and noticed an issue with HTML in markdown. As you know putting HTML code in markdown is perfectly valid, and often is the only way to achieve something beyond the capabilities of markdown (adding a class or id for example). in the Markdown mode, things look ok:

# markdown

<div class="html">HTML</div>

**more markdown**

and renders in the preview fine (even with class="html" intact):

nhn entertainment 2018-01-10 12-31-42

However, switching to WYSIWYG mode and back to Markdown causes a loss of the HTML:

nhn entertainment 2018-01-10 12-32-32

It would be great (and much safer for users) if this could be maintained between modes.

@kyuwoo-choi
Copy link
Member

Yes putting html in MD is valid. But currently we have some rules sanitizing html tag except something like <span style="color~~~ > which is needed to color text while switching mode.
I'll discuss about this problem with our team members.

Thanks for the issue :)

@ViggoV
Copy link

ViggoV commented Jan 29, 2018

@kyuwoo-choi sorry if this is the wrong place to ask, but are these sanitizing rules documented somewhere? We are looking to use tui to update news on our website and are quite interested in knowing how html tags are treated, mainly in terms of vulnerabilities..

@kyuwoo-choi
Copy link
Member

@ViggoV Not at all. Any questions are welcome.
Check https://github.com/nhnent/tui.editor/blob/master/src/js/htmlSanitizer.js to see which rules are applied.

I think the rules are a bit defensive because we did not have enough time to make it fine grind.
It may be a good time / place to discuss.

@kyuwoo-choi
Copy link
Member

kyuwoo-choi commented Jan 29, 2018

In addition to the rules, we should consider the way html2md, md2html and how to treat the tags while editing tags in WYSIWYG mode.

@ViggoV
Copy link

ViggoV commented Jan 30, 2018

Thanks! I can't help but notice that you strip form, button, select and textarea but apparently not input.. Is that on purpose?

@kyuwoo-choi
Copy link
Member

@ViggoV Nothing I remember. I think I will investigate the commits. Thanks!

@cavo789
Copy link

cavo789 commented Jun 22, 2018

Hello

Same question and didn't find how to deal with it. Can somebody help please ?

I try to edit a file like, f.i.,

# TOC
<div>TEST</div>

The editor has removed the HTML tag so display :

# TOC
TEST

If I save that content, I'll lose my original content.

My problem : I'm using span, div, img and also my own tag called "" and I wish to be able to keep them in the editor.

Note : I didn't see any difference by setting useDefaultHTMLSanitizer to false in my constructor.

	var editor = new tui.Editor({
		...
		"useDefaultHTMLSanitizer": false
		...
	});

Thank you!

@cavo789
Copy link

cavo789 commented Jun 27, 2018

Hi all,

I've write a workaround to bypass my problem.

In my HTML content, I've escape tags : my #sourceMarkDown DOM element contains thus somethink like

&lt;encrypt&gt;MyPassword&lt;/encrypt&gt;

In JS, I've :

var editor = new tui.Editor({
    "el": document.querySelector('#editorMarkDown'),	
    "useDefaultHTMLSanitizer": false,	
    "events": {
        "load": fnPluginEditLoaded
     }
});

(not sure that useDefaultHTMLSanitizer is working, don't see the difference if enabled or not)

The fnPluginEditLoaded() function looks like this :

function fnPluginEditLoaded(editor) {
    var $MD = $('#sourceMarkDown').text();

    $MD = $MD
        .replace(/&lt;/g,'<')
        .replace(/&gt;/g,'>')
        .replace(/&amp;/g,'&');

    editor.setValue($MD);

    return true;
}

Not sure that it's the best way to achieve it but, ok, now, I can continue my migration.

Markdown files that have HTML tags in their content can be edited through tui.editor.

Thanks for this amazing tool (y)

@sohee-lee7
Copy link
Contributor

This issue is old and will be closed. If there is an issue again, please register as a new issue.

seonim-ryu pushed a commit that referenced this issue Feb 5, 2020
seonim-ryu added a commit that referenced this issue Feb 5, 2020
fix: change logic to escape emphasis characters (fix #30)
seonim-ryu pushed a commit that referenced this issue Feb 5, 2020
seonim-ryu added a commit that referenced this issue Feb 5, 2020
fix: change logic to escape emphasis characters (fix #30)
seonim-ryu added a commit that referenced this issue Feb 6, 2020
* Release v1.8.13

* Fix documentation error

* Update built version from latest source

* Release v1.8.14

* Make createRange method public

* Parse url and create anchor with queryparams

* Build lib

* Simplify regex for matching link query params

* Make check for link protocol case-insensitive

Resolves #308.

* Allow class names to be configured

* Add config.willCutCopy option

Is an optional function that transforms the HTML being cut/copied before
placing it on the clipboard.

* Make TreeWalker filter argument optional

* Make shift-enter always just add <br>

* Add support for <pre>/<code> formatting

* Convert adjacent space to nbsp when extracting range

This resolves the issue where if you selected a word and then typed to replace
it, the following space would be deleted as well.

Fixes #331

* Escape <a> on space even if in nested tags

Fixes #326

* Make detect-link regular expression customisable

Resolves #313

* Update readme

* Fix Kana-Kanji input on Mac Safari

Resolves #332

* Release v1.9.0

* fix: event.key does not supported IE

* Revert "Preserve block style if pasting on blank line"

This reverts commit 50fb7c7c53ccb9b9fe03866ac02416d4a6989e66.

* fix: merge td or tr when merge block and container (#1)

* fix: blocking when merge td with div

In tui.editor, when div is inserted using TextObject in the table,
TD is merge div. So should allow td merge other tags.

* fix: remove tag when pasting heading, list, blockquote (#2)

* fix: HR is set to inline element

HR is block element so HR is removed in inlineNodeNames and inserted in
allowedBlock.

* fix: fixcursor insert br into hr

* enhance: handle element that has contenteditable as falase (close: #7) (#8)

* Revert "enhance: handle element that has contenteditable as falase (close: #7) (#8)"

This reverts commit f164d13a40b6d2f1a664f3c941f94ed48451755d.

* fix: backspace/delete key remove contenteditable false block (fix: #7)

* fix: merge div that has contenteditable false (fix: #7)

* fix: focus() moves scroll position (fix: #1)

* fix: the <img /> tag is not considered when checking line breaks (fix #2) (#3)

* fix: setActive error, revert notWSTextNode

fix: setActive error, revert notWSTextNode

* fix: line break works correctly between <br> to <img> (fix #2) (#5)

* feat: add allowedBlocks option (close #6) (#7)

* Revert "feat: add allowedBlocks option (close #6) (#7)" (#8)

This reverts commit 154bd6a0c0707f46f2a2435d8886a9068b3930c3.

* feat: add allowedBlocks option (close #6) (#9)

* feat: add allowedBlocks option (close #6)

* feat: make build file

* 환경셋팅 저장

* change bower, package informations

* donRunner첫작업 완료 resolve #2

* 룰 적용 구조 작업 resolve #3

* 정리

* fixed render comma rule bug

* add getNodeText to domRunner

* basicRender Heading resolve #4

* 개행 프로세스 추가, css스타일의 셀렉터 필터 추가 resolve #6, #5

* 베이직 렌더러 - 링크 resolve #8

* 베이직 렌더러 - 이미지 resolve #7

* add list converter to renderer resolve #9

* 디펜던시 모듈들 업데이트

* change rule apply code

* nested li resolve #12

* separate test case for toMark, strong converter added resolve #15

* code converter resolve #13

* li-heading convert inline html

* add horizontal rule converter to renderer resolve #11

* add blockquote converter to renderer resolve #10

* code block converter resolve #14

* entry point filename change

* build test and create demo test page resolve #16

* string trim resolve #17

* stop track rule over html root, and some fixed #21

* renderer getConverter refactor resolved #23

* added trimming process to toDom #19

* markdown backslash escapes resolve #24

* 화이트 스페이스에 대한 처리 resolve #19

* Convert with dom node resolve #25

* dom demo page resolve #26

* ol li number increase for li count resolve #27

* etc

* add jsdoc resolve #31

* some fixed

* some fixed:

* refactor regex codes

* refactor regex codes 2

* apply code review resolve #33

* text node in code tag not escape resolve #34

* gfm code block resolve #30

* if rule converter returns falsy renderer.converter returns empty string resolve #36

* gfm checkbox resolve #28

* gfm table resolve #29

* gfm del resolve #37

* some fixed

* some fixed

* add options

* edit json files

* add some table related code and edit demo html file

* fixed problem in firefox

* some fix after ie test, some code refactor

* some code fixed

* some demo code fixed

* table header text fixed #46

* added space related codes resolve #51

* fixed p tags resolved #43

* b, s tag support resolve #48

* fix some tc

* amd considered entry point

* change p tag converter

* change connect port to 8081

* change p tag converter resolve #54

* some convertors returns fixed, non-standard tag converter fixed

* renderer.getSpaceControlled for non-standard inline tag

* collapse duplicated returns made by <br /> and block element fixed #57

* remove div converter

* some code fixed related <br> and return

* some fixed

* empty list resolve #58

* fixed gfm input code resolve #60

* some code fixed

* ready to bower

* v0.5.0

* some fixed from finalize code

* dist

* add code for empty inline element resolve #62

* build

* some fixed #62

* build

* some code fixed empty inline element related #62

* some code fixed

* p in p is not valid html

* fix empty p tag

* add testcase about empty p tag

* build

* some tc added, gfm br added

* build

* fix gfm br

* build

* process br in end of li

* add some tc

* build

* code fixed related p in li

* build process added, prepare bower publish

* change bower.json

* bower fixed

* escape text only contain markdown syntax resolve #63

* build

* finalize multiple empty line fixed #67

* empty list render fixed #65

* empty list render2 fixed #65

* build

* multiple block in p related #67

* build

* some code fixed related remove returns

* build

* enhance about return resolve #69, resolve #68

* finalize refactoring resolve #72

* remove unused codes

* build

* blockquote multiple br convert to one br

* build

* some code fixed

* build

* all backticks need escape resolve #74

* apply diferent syntax on strong and em resolve #64

* build

* control gfm block returns resolved #76

* build

* return outerHTML if there is no converter and ie7,8 tc enhance fixed #77, #78

* resolve some tc problem about pre-code in ie78 fixed #79

* build

* inline html should meged with subcontent resolve #80

* build

* remove td, th when they have not text content

* link enhanced about how to get href fixed #82

* build 0.0.1

* version 0.0.1

* dont remove empty td or th resolved #83

* inline tags need get space control with siblings

resolved #84

* some code fixed

* build 0.0.2

* preseve reurns in code block

* build

* release version 0.0.3

* escape markdown blockquote resolved #85

* tc fixed for cross browser test resolved #86

* build 0.0.4

* Apply inputless task resolved #90

* Add characters that should be escaped resolved #89, #88

* Should render link title attribute correctly fixed #87

* Enhance cross-browsing

* Update 0.0.5

* Update bower.json, package.json

* Enhance P in Lists fixed #92

* Package update & apply webpack fixed #92

* Update 0.0.6

* Add `-+` into list regexp fixes #98

* Modify _isNeedEscape() regexp related #98

* Merge pull request #97 from sungho-kim/vertical-bar-escape

Add vertical bar regexp for escape fixes #96

* Update 0.0.7

* Rebuild 0.0.7

* Fix T/C fail

* Merge pull request #100 from sungho-kim/task-convert

Empty task converting without text content

* Update 0.0.8

* Merge pull request #102 from junghwan-park/img-attr-path2

Preserve IMG element's relative path URI fixes #103

* Update 0.0.9

* Merge pull request #104 from sungho-kim/tomark-pass

Convert method returns plain HTML on specific attribute

* Update to 0.0.10

* feat: Renderer, basicRenderer and gfmRenderer are publicly available

* fix: Fix change for anchor href

* fix(escape): escape html in text node

#2

* fix: escape 3-tildes code block

* chore: version update to 0.0.13

* Merge pull request #4 from nhnent/hotfix/normalize_text_node

normalize text nodes

* version up date to 0.0.14

* fix: wrong childNodes length on tracker

#5

* chore: add karma saucelab

* chore: remove dist files

* chore: version update to 0.0.16-pre

* Merge branch 'hotfix/root_children_text_normalize_for_ie'

* chore: karma config update

run TC on safari & edge

* chore: version update to 0.0.17-pre

* feat: print number of backticks by 'data-backticks' attr (#7)

* feat: print number of backticks by 'data-backticks' attr
* refactor: apply code review (refs #7)

* chore: version update to 0.0.17

* fix: wrong inline text conversion ,;:$&+= (fix #9)

* chore: version update to 0.0.18

* chore: karma webdriver launcher change

* chore: update ne, sl, local karma setting

* chore: add npm dev command

* feat: add npm support

* chore: version update to 0.0.19

* chore: ready to publish on npm

* chore: rename toMark to to-mark according to npm naming policy (ref #10)

* feat: rename toMark to to-mark according to npm naming policy

- change copyright
- update webpack as to-mark can not be a namespace(toMark)

* chore: karma version update to 2

* feat: code block with data-backticks property (close: #11, #12)

* chore: version update to 1.1.0

* fix: breaking link, image markdown with [,(,< (close #14) (#15)

* fix: breaking link, image markdown with [,(,< (close #14)

* refactor: apply code review (ref #15)

* chore: update dependencies

* chore: version update to 1.1.1

* fix: newline in table breaks syntax (close #16)(#17)

* chore: version update to 1.1.2

* fix: escape html + md syntax mixed text (close #19) (#20)

* chore: version update to 1.1.3

* fix: underscore(_) is not allowed inside words

* fix: test case about emphasis change from _ to *

* chore: version update to 1.1.4

* fix: check strong, em, strike syntax (close: #23)

* chore: version update to 1.1.5

* fix: list can contain heading (fix #25) (#26)

* fix: list can contain heading (fix #25)

* refactor: reflect code review

* chore: version update to 1.1.6

* fix: backslash as text is removed

* fix: not handle start attribute of OL

* Merge pull request #31 from nhn/fix/escape-all-emphasis-characters

fix: change logic to escape emphasis characters (fix #30)

* chore: update config files for test (close #32) (#33)

* feat: escape backticks (fix #34) (#35)

* fix: convert child element of data-tomark-pass (#39)

* fix: prevent image inside link from being escaped (#40)

* fix: prevent image inside link from being escaped

* refactor: remove unnecessary null comparision

* fix: regexp test state reset (#41)

* chore: update version to v1.1.8

* fix: escape emphasis characters twice (fix #42) (#43)

* chore: update version to v1.1.9

Co-authored-by: Neil Jenkins <neil@nmjenkins.com>
Co-authored-by: dhoko <dhoko@users.noreply.github.com>
Co-authored-by: 이소희 <42666492+sohee-lee7@users.noreply.github.com>
Co-authored-by: 김동우 <dongwoo.kim@nhnent.com>
Co-authored-by: Sungho Kim <shirenbeat@gmail.com>
Co-authored-by: 박정환 <junghwan-park@users.noreply.github.com>
Co-authored-by: 강지웅 <trkang79@gmail.com>
Co-authored-by: KyuWoo Choi <kyuwoo.choi@gmail.com>
js87zz pushed a commit that referenced this issue Jun 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants
@cavo789 @rhukster @kyuwoo-choi @ViggoV @sohee-lee7 and others