Markdown preview and result differ

rokejulianlockhart · May 4, 2023, 8:05pm

Canapin · May 4, 2023, 8:22pm

I can repro it and the preview indeed differs from the post.

The empty line below or above your tags plays a little role here but it’s not important. If you remove them, it will wrap the closest next and previous content, but not the whole content.

no empty lines

Additionally, how come
import QtQuick import QtQuick.Controls 2.15 as QQC2 import QtQuick.Layouts import QtPositioning

and prepension of QQC2 before Action, Button, ApplicationWindow, and Frame doesn’t work, whereas

import QtQuick
import QtQuick.Controls
import QtQuick.Layouts
import QtPositioning
import QtQuick.Controls 2.15 as QQC2

and addition of QQC2.Button (per [qml+pyqt6] Can't get native control appearance - #2 by carl - Help - Discuss) does?
A new line

That said…
I thought the issue was because <strike>^[1] was an inline element. I can repro it with other tags such as  or , but not , . So it’s not because it’s an inline-level element. Discourse allows wrapping blocks with inlines, from what I can see with  or .

<strong>

Additionally, how come

```qml
import QtQuick
import QtQuick.Controls 2.15 as QQC2
import QtQuick.Layouts
import QtPositioning
```

and prepension of `QQC2` before `Action`, `Button`, `ApplicationWindow`, and `Frame` doesn't work, whereas

```qml
import QtQuick
import QtQuick.Controls
import QtQuick.Layouts
import QtPositioning
import QtQuick.Controls 2.15 as QQC2
```

and addition of `QQC2.Button` (per https://discuss.kde.org/t/qml-pyqt6-cant-get-native-control-appearance/1240/2?u=rokejulianlockhart) does?
A new line

</strong>

It seems not to be related to authorized tags, since Discourse accepts all these tags (<strike>, <s>, , , , …).

It seems not to be a markdown-it quirk either, since I can’t reproduce the issue in their demo.

Note that <strike> is deprecated in favor of <s> . A detail that won’t change anything in this issue, but always good to know… I just learned it right now after all ↩︎

Arkshine · May 5, 2023, 1:28am

Took a quick look out of curiosity. It looks like an issue with the Nokogiri library.

From what uses Discourse here:

github.com

discourse/discourse/blob/7ff8e5580f9a900cde4be66377cf4f1dcd253a35/lib/pretty_text.rb#L314


      
            doc = Nokogiri::HTML5.fragment(sanitized)
          
          
  add_nofollow = !options[:omit_nofollow] && SiteSetting.add_rel_nofollow_to_user_content
            add_rel_attributes_to_user_content(doc, add_nofollow)
            strip_hidden_unicode_bidirectional_characters(doc)
            sanitize_hotlinked_media(doc)
          
          
  add_mentions(doc, user_id: opts[:user_id]) if SiteSetting.enable_mentions
          
          
  scrubber = Loofah::Scrubber.new { |node| node.remove if node.name == "script" }
            loofah_fragment = Loofah.fragment(doc.to_html)
            loofah_fragment.scrub!(scrubber).to_html
          end
          
          
def self.strip_hidden_unicode_bidirectional_characters(doc)
            return if !DANGEROUS_BIDI_REGEXP.match?(doc.content)
          
          
  doc
              .css("code,pre")
              .each do |code_tag|
                next if !DANGEROUS_BIDI_REGEXP.match?(code_tag.content)

Loofah.fragment uses Nokogiri’s HTML4 parser.

This could be fixed using Loofah.html5_fragment as long as Nokogiri >= 1.14.0 and Loofah >= 2.21.0. Discourse already uses Nokogiri::HTML5.fragment; that would make sense.

Note: Loofah 2.21.0 is not yet released; currently in RC1.

sam · May 5, 2023, 3:45am

Fantastic debugging! Thanks

sam · May 8, 2023, 3:30am

going to bookmark this for 30 days, hopefully then the new loofah is out and we can simply upgrade it.

sam · May 12, 2023, 2:36am

I just tried the HTML5 version of loofah and we are hitting a security issue it seems:


  1) PrettyText provides safety for img bbcode
     Failure/Error: expect(cooked).to eq(html)
     
       expected: "<p><img src=\"http://aaa.com&lt;script&gt;alert(1);&lt;/script&gt;\" alt=\"\" role=\"presentation\"></p>"
            got: "<p><img src=\"http://aaa.com<script>alert(1);</script>\" alt=\"\" role=\"presentation\"></p>"
     
       (compared using ==)
     # ./spec/lib/pretty_text_spec.rb:2150:in `block (2 levels) in <main>'
     # ./spec/rails_helper.rb:358:in `block (2 levels) in <top (required)>'
     # /home/sam/.gem/ruby/3.2.1/gems/webmock-3.18.1/lib/webmock/rspec.rb:37:in `block (2 levels) in <top (required)>'

This one feels very risky to me… will raise…

nat · June 20, 2023, 12:43pm

Many thanks for your debugging! We’ve fixed this with:

github.com/discourse/discourse

DEV: use HTML5 version of loofah

discourse:main ← discourse:loofah

opened 02:35AM - 12 May 23 UTC

SamSaffron

+123 -115

https://meta.discourse.org/t/markdown-preview-and-result-differ/263878 The re…sult of this markdown had different results in the composer preview and the post. This is solved by updating Loofah to the latest version and using html5 fragments like our user had reported. While the change was only needed in [cooked_post_processor.rb](https://github.com/discourse/discourse/pull/21500/files#diff-67de7f44aa04f02ceba9770e5d83b4465add3bd4297be871f94a2233cd4831a7), I've updated the other areas of our codebase to also use the html5 fragment. > <strike> > > Additionally, how come > > ```qml > import QtQuick > import QtQuick.Controls 2.15 as QQC2 > import QtQuick.Layouts > import QtPositioning > ``` > > and prepension of `QQC2` before `Action`, `Button`, `ApplicationWindow`, and `Frame` doesn't work, whereas > > ```qml > import QtQuick > import QtQuick.Controls > import QtQuick.Layouts > import QtPositioning > import QtQuick.Controls 2.15 as QQC2 > ``` > > and addition of `QQC2.Button` (per https://discuss.kde.org/t/qml-pyqt6-cant-get-native-control-appearance/1240/2?u=rokejulianlockhart) does? > > </strike> <img width="643" alt="Screenshot 2023-05-11 at 3 15 36 PM" src="https://github.com/discourse/discourse/assets/1555215/e7087502-b0a1-4219-be0b-ad3904cc6a6f"> Related: - ~~https://github.com/discourse/discourse/pull/21500~~ - https://github.com/discourse/discourse-footnote/pull/62 - https://github.com/discourse/discourse-bbcode/pull/50

as seen here:

Additionally, how come

import QtQuick import QtQuick.Controls 2.15 as QQC2 import QtQuick.Layouts import QtPositioning

and prepension of QQC2 before Action, Button, ApplicationWindow, and Frame doesn’t work, whereas

import QtQuick import QtQuick.Controls import QtQuick.Layouts import QtPositioning import QtQuick.Controls 2.15 as QQC2

and addition of QQC2.Button (per [qml+pyqt6] Can't get native control appearance - #2 by carl - Help - KDE Discuss) does?

nat · June 22, 2023, 12:43pm

This topic was automatically closed after 2 days. New replies are no longer allowed.

Topic		Replies	Views
HTML headings with line breaks -> no heading and inconsistency between preview and rendered post Bug	9	1187	June 22, 2023
Help us test the rewritten Composer Feature feedback	145	22675	October 21, 2016
Missing images at Meta.discourse.org Site feedback	35	1417	November 20, 2024
Customize new topic button text Theme component official , topic-button-text	21	3008	May 8, 2024
Discourse Central Theme — Meta Pre-Release Out Now! Theme feedback , experimental	139	15506	November 18, 2024

Related topics