Markdown preview and result differ

Per Create Bug Reports for Discourse on Meta

try.discourse.org

discuss.kde.org

1 Like

Hi @rokejulianlockhart

I can repro it and the preview indeed differs from the post. :slight_smile:

The empty line below or above your tags plays a little role here but it’s not important. If you remove them, it will wrap the closest next and previous content, but not the whole content.

no empty lines

Additionally, how come

```qml
import QtQuick
import QtQuick.Controls 2.15 as QQC2
import QtQuick.Layouts
import QtPositioning
```

and prepension of QQC2 before Action, Button, ApplicationWindow, and Frame doesn’t work, whereas

```qml
import QtQuick
import QtQuick.Controls
import QtQuick.Layouts
import QtPositioning
import QtQuick.Controls 2.15 as QQC2
```

and addition of QQC2.Button (per [qml+pyqt6] Can't get native control appearance - #2 by carl - Help - Discuss) does?
A new line


That said…
I thought the issue was because <strike>[1] was an inline element. I can repro it with other tags such as <b> or <i>, but not <strong>, <em>. So it’s not because it’s an inline-level element. Discourse allows wrapping blocks with inlines, from what I can see with <strong> or <em>.

<strong>
<strong>

Additionally, how come

```qml
import QtQuick
import QtQuick.Controls 2.15 as QQC2
import QtQuick.Layouts
import QtPositioning
```

and prepension of `QQC2` before `Action`, `Button`, `ApplicationWindow`, and `Frame` doesn't work, whereas

```qml
import QtQuick
import QtQuick.Controls
import QtQuick.Layouts
import QtPositioning
import QtQuick.Controls 2.15 as QQC2
```

and addition of `QQC2.Button` (per https://discuss.kde.org/t/qml-pyqt6-cant-get-native-control-appearance/1240/2?u=rokejulianlockhart) does?
A new line

</strong>

It seems not to be related to authorized tags, since Discourse accepts all these tags (<strike>, <s>, <b>, <strong>, <i>, <em>…).

It seems not to be a markdown-it quirk either, since I can’t reproduce the issue in their demo.


  1. Note that <strike> is deprecated in favor of <s>. A detail that won’t change anything in this issue, but always good to know… I just learned it right now after all :smile:

5 Likes

Took a quick look out of curiosity. It looks like an issue with the Nokogiri library. :thinking:

From what Discourse uses here:

Loofah.fragment uses Nokogiri’s HTML4 parser.

This could be fixed using Loofah.html5_fragment as long as Nokogiri >= 1.14.0 and Loofah >= 2.21.0. Discourse already uses Nokogiri::HTML5.fragment; that would make sense.

Note: Loofah 2.21.0 is not yet released; currently in RC1.

10 Likes

Fantastic debugging! Thanks
:pray:

6 Likes

Going to bookmark this for 30 days; hopefully by then the new Loofah is out and we can simply upgrade it.

2 Likes

I just tried the HTML5 version of loofah and we are hitting a security issue it seems:


```
  1) PrettyText provides safety for img bbcode
     Failure/Error: expect(cooked).to eq(html)

       expected: "<p><img src=\"http://aaa.com&lt;script&gt;alert(1);&lt;/script&gt;\" alt=\"\" role=\"presentation\"></p>"
            got: "<p><img src=\"http://aaa.com<script>alert(1);</script>\" alt=\"\" role=\"presentation\"></p>"

       (compared using ==)
     # ./spec/lib/pretty_text_spec.rb:2150:in `block (2 levels) in <main>'
     # ./spec/rails_helper.rb:358:in `block (2 levels) in <top (required)>'
     # /home/sam/.gem/ruby/3.2.1/gems/webmock-3.18.1/lib/webmock/rspec.rb:37:in `block (2 levels) in <top (required)>'
```

This one feels very risky to me… will raise…

3 Likes
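
The spec failure above comes down to how `<` and `>` inside an attribute value are serialized. The following is an added example, not code from the thread, Discourse or Loofah: a stdlib-only Ruby check that reports attribute values containing raw angle brackets, so a change of serializer shows up as an explicit finding. The two escape helpers and `img_tag` are assumptions that only reproduce the `expected` and `got` strings from the failure; they are not the libraries' serializers.

```ruby
# Added example: stdlib only, no Nokogiri or Loofah needed.
# Constructed input modelled on the img src in the failing spec.
SRC = "http://aaa.com<script>alert(1);</script>"

# Assumption: reproduces the spec's "expected" string (< and > escaped).
def escape_attr_html4_style(value)
  value.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# Assumption: reproduces the spec's "got" string (< and > left raw).
def escape_attr_html5_style(value)
  value.gsub("&", "&amp;").gsub("\u00A0", "&nbsp;").gsub('"', "&quot;")
end

# Hypothetical helper: the <img> markup from the spec around an escaped src.
def img_tag(escaped_src)
  %(<p><img src="#{escaped_src}" alt="" role="presentation"></p>)
end

ATTR = /\G\s*([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?\/?/

# Return [name, value] for each attribute whose serialized value holds a raw
# < or >. Quoted values are consumed whole, so a > inside one does not end
# the tag early (a plain /<[^>]*>/ scan would cut the tag at that point).
def raw_angle_attrs(html)
  found = []
  i = 0
  while (i = html.index("<", i))
    i += 1
    next unless html[i].to_s.match?(/[A-Za-z]/) # skip end tags and stray <
    i += 1 while html[i] && !html[i].match?(/[\s>]/) # step over the tag name
    while html[i] && html[i] != ">"
      m = ATTR.match(html, i)
      break unless m
      value = m[2] || m[3] || m[4]
      found << [m[1], value] if value&.match?(/[<>]/)
      i = m.end(0)
    end
  end
  found
end

if __FILE__ == $PROGRAM_NAME
  { "html4-style" => :escape_attr_html4_style,
    "html5-style" => :escape_attr_html5_style }.each do |label, fn|
    puts "#{label}: #{raw_angle_attrs(img_tag(send(fn, SRC))).inspect}"
  end
end
```

Both helpers escape the double quote; the only difference the check reports is the raw `<` and `>` in the `src` value.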