fix(html): enable (dangerous) HTML in Markdown and pass it through

This change enables HTML in Markdown. HTML in Markdown is passed through unchanged and can be potentially dangerous Fixes #154
adobe · Apr 24, 2019 · 93efaf7 · 93efaf7
1 parent bdad96c
commit 93efaf7
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 1 deletion.
diff --git a/src/utils/mdast-to-vdom.js b/src/utils/mdast-to-vdom.js
@@ -198,7 +198,10 @@ class VDOMTransformer {
    * @returns {string} the corresponding HTML
    */
   static toHTML(mdast, handlers) {
-    return hast2html(mdast2hast(mdast, { handlers }));
+    return hast2html(mdast2hast(mdast, {
+      handlers,
+      allowDangerousHTML: true,
+    }), { allowDangerousHTML: true });
   }
 
   /**

diff --git a/test/fixtures/forms.json b/test/fixtures/forms.json
@@ -0,0 +1,31 @@
+{
+  "type": "root",
+  "children": [
+    {
+      "type": "heading",
+      "depth": 1,
+      "children": [
+        {
+          "type": "text",
+          "value": "Hello "
+        },
+        {
+          "type": "html",
+          "value": "<em>"
+        },
+        {
+          "type": "text",
+          "value": "World"
+        },
+        {
+          "type": "html",
+          "value": "</em>"
+        }
+      ]
+    },
+    {
+      "type": "html",
+      "value": "<form action=\"/cgi-bin/contact\">\n  <input type=\"text\"><label>Message</label>\n</form>"
+    }
+  ]
+}
diff --git a/test/fixtures/forms.md b/test/fixtures/forms.md
@@ -0,0 +1,5 @@
+# Hello <em>World</em>
+
+<form action="/cgi-bin/contact">
+  <input type="text"><label>Message</label>
+</form>
diff --git a/test/testHTMLFromMarkdown.js b/test/testHTMLFromMarkdown.js
@@ -212,6 +212,30 @@ describe('Testing Markdown conversion', () => {
     `);
   });
 
+  it('HTML Block elements', async () => {
+    await assertMd(`
+        # Foo
+
+        <form>
+          <input type="text" name="name"><label for="name">Name</label>
+        </form>
+      `, `
+        <h1 id="foo">Foo</h1>
+        <form><input type="text" name="name"><label for="name">Name</label></form>
+    `);
+  });
+
+  it('HTML inline elements', async () => {
+    await assertMd(`
+        # Foo <em>Bar</em>
+
+        Hello World [link](λ)
+      `, `
+        <h1 id="foo">Foo</h1>
+        <p>Hello World <a href="%CE%BB">link</a></p>
+    `);
+  });
+
   it('GFM', async () => {
     await assertMd(`
         Hello World.

diff --git a/test/testParseMarkdown.js b/test/testParseMarkdown.js
@@ -43,6 +43,10 @@ describe('Test Markdown Parsing', () => {
     assertMatch('headings', callback);
   });
 
+  it('Parses HTML in Markdown', () => {
+    assertMatch('forms', callback);
+  });
+
   it('Does not get confused by thematic breaks', () => {
     assertMatch('confusing', callback);
   });