diff --git a/CHANGELOG.md b/CHANGELOG.md
index a46e0b70..8dc1f94b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 - Upgrade Marpit to [v1.6.4](https://github.com/marp-team/marpit/releases/v1.6.4) ([#210](https://github.com/marp-team/marp-core/pull/210))
 - Upgrade dependent packages to the latest version ([#210](https://github.com/marp-team/marp-core/pull/210))
+- Rename `master` branch into `main` ([#211](https://github.com/marp-team/marp-core/pull/211))
 ## v1.4.0 - 2020-12-05
@@ -316,12 +317,12 @@
 ### Added
 - Allow using twemoji via PNG by added `emoji.twemoji.ext` option ([#67](https://github.com/marp-team/marp-core/pull/67))
-- Support custom sanitizer for whitelisted HTML attributes ([#68](https://github.com/marp-team/marp-core/pull/68))
+- Support custom sanitizer for HTML attributes within allowlist ([#68](https://github.com/marp-team/marp-core/pull/68))
 - Add usage of multiple classes in Gaia theme ([#69](https://github.com/marp-team/marp-core/pull/69))
 ### Fixed
-- Fix over-sanitized attributes with HTML whitelist ([#68](https://github.com/marp-team/marp-core/pull/68))
+- Fix over-sanitized attributes with HTML allowlist ([#68](https://github.com/marp-team/marp-core/pull/68))
 ### Changed
@@ -510,7 +511,7 @@
 ### Added
-- Support HTML whitelisting ([#26](https://github.com/marp-team/marp-core/pull/26))
+- Support HTML allowlisting ([#26](https://github.com/marp-team/marp-core/pull/26))
 ### Fixed
diff --git a/README.md b/README.md
index d6ee2429..9453fedd 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # @marp-team/marp-core
-[![CircleCI](https://img.shields.io/circleci/project/github/marp-team/marp-core/master.svg?style=flat-square&logo=circleci)](https://circleci.com/gh/marp-team/marp-core/)
-[![Codecov](https://img.shields.io/codecov/c/github/marp-team/marp-core/master.svg?style=flat-square&logo=codecov)](https://codecov.io/gh/marp-team/marp-core)
+[![CircleCI](https://img.shields.io/circleci/project/github/marp-team/marp-core/main.svg?style=flat-square&logo=circleci)](https://circleci.com/gh/marp-team/marp-core/)
+[![Codecov](https://img.shields.io/codecov/c/github/marp-team/marp-core/main.svg?style=flat-square&logo=codecov)](https://codecov.io/gh/marp-team/marp-core)
 [![npm](https://img.shields.io/npm/v/@marp-team/marp-core.svg?style=flat-square&logo=npm)](https://www.npmjs.com/package/@marp-team/marp-core)
 [![LICENSE](https://img.shields.io/github/license/marp-team/marp-core.svg?style=flat-square)](./LICENSE)
@@ -33,7 +33,7 @@ Marp Markdown is based on [Marpit](https://github.com/marp-team/marpit) and [Com
 - Enable [inline SVG mode](https://github.com/marp-team/marpit#inline-svg-slide-experimental) and loose YAML parsing by default.
 * **CommonMark**
- - For security reason, HTML tag only allows whitelisted elements by default.
+ - For security reason, HTML tag only allows `
` by default.
 - Support [table](https://github.github.com/gfm/#tables-extension-) and [strikethrough](https://github.github.com/gfm/#strikethrough-extension-) syntax, based on [GitHub Flavored Markdown](https://github.github.com/gfm/).
 - Line breaks in paragraph will convert to `
` tag.
 - Auto convert URL like text into hyperlink.
@@ -206,12 +206,12 @@ const marp = new Marp({
 ### `html`: _`boolean`_ | _`object`_
-Setting whether to render raw HTML in Markdown. It's an alias to `markdown.html` ([markdown-it option](https://markdown-it.github.io/markdown-it/#MarkdownIt.new)) but has additional feature about HTML whitelist.
+Setting whether to render raw HTML in Markdown. It's an alias to `markdown.html` ([markdown-it option](https://markdown-it.github.io/markdown-it/#MarkdownIt.new)) but has additional feature about HTML allowlist.
 - `true`: The all HTML will be allowed.
 - `false`: All HTML except supported in Marpit Markdown will be disallowed.
-By passing `object`, you can set the whitelist to specify allowed tags and attributes.
+By passing `object`, you can set the allowlist to specify allowed tags and attributes.
 ```javascript
 // Specify tag name as key, and attributes to allow as string array.
diff --git a/src/html/html.ts b/src/html/html.ts
index f074062c..5c083440 100644
--- a/src/html/html.ts
+++ b/src/html/html.ts
@@ -22,7 +22,7 @@ export function markdown(md): void {
 ...args
 ) => {
 const ret = original(...args)
- const whiteList = {}
+ const allowList = {}
 const html: MarpOptions['html'] = md.options.html
 if (typeof html === 'object') {
@@ -30,9 +30,9 @@ export function markdown(md): void {
 const attrs = html[tag]
 if (Array.isArray(attrs)) {
- whiteList[tag] = attrs
+ allowList[tag] = attrs
 } else if (typeof attrs === 'object') {
- whiteList[tag] = Object.keys(attrs).filter(
+ allowList[tag] = Object.keys(attrs).filter(
 (attr) => attrs[attr] !== false
 )
 }
@@ -40,7 +40,7 @@ export function markdown(md): void {
 }
 const filter = new FilterXSS({
- whiteList,
+ whiteList: allowList,
 onIgnoreTag: (_, rawHtml) => (html === true ? rawHtml : undefined),
 safeAttrValue: (tag, attr, value) => {
 let ret = friendlyAttrValue(value)
diff --git a/test/marp.ts b/test/marp.ts
index 63a1424b..2465fc69 100644
--- a/test/marp.ts
+++ b/test/marp.ts
@@ -233,11 +233,11 @@ describe('Marp', () => {
 })
 })
- describe('with whitelist', () => {
+ describe('with allowlist', () => {
 const md = '

\ntest\n

\n\n

test

'
 const html = { img: ['src'], p: ['class'] }
- it('allows whitelisted tags and attributes', () => {
+ it('allows tags and attributes in allowlist', () => {
 const $ = cheerio.load(marp({ html }).render(md).html)
 expect($('p')).toHaveLength(2)
@@ -264,7 +264,7 @@ describe('Marp', () => {
 })
 describe('when attributes are defined as object', () => {
- it('allows whitelisted attributes without defined false', () => {
+ it('allows attributes in allowlist without defined false', () => {
 const instance = marp({ html: { p: { id: true, class: false } } })
 const { html } = instance.render('

')