Release v0.7.0

[UziTech]

Release Notes

---

Security

• Sanitize paragraph and text tokens Sanitize hardening #1504
• Fix ReDOS for links with backticks (issue Extremely slow processing on malformed markdown (0.6.2) #1493) Link label security #1515

Breaking Changes

• Deprecate sanitize and sanitizer options Sanitize hardening #1504
• Move fences to CommonMark use correct options in specs #1511
• Move tables to GFM use correct options in specs #1511
• Remove tables option use correct options in specs #1511
• Single backtick in link text needs to be escaped Link label security #1515

Fixes

• Fix parentheses around a link Link parenthesis #1509
• Fix headings (issue md title parse error #1510) use correct options in specs #1511

Tests

• Run tests with correct options use correct options in specs #1511

---

Publisher

• $ npm version has been run.
• Release notes in draft GitHub release are up to date
• Release notes include which flavors and versions of Markdown are supported by this release
• Committer checklist is complete.
• Merge PR.
• Publish GitHub release using master with correct version number.
• $ npm publish has been run.
• Create draft GitHub release to prepare next release.

Note: If merges to master occur after submitting this PR and before running $ npm pubish you should be able to

1. pull from upstream/master (git pull upstream master) into the branch holding this version,
2. run $ npm run build to regenerate the min file, and
3. commit and push the updated changes.

Committer

In most cases, this should be someone different than the publisher.

• Version in package.json has been updated (see PUBLISHING.md).
• The marked.min.js has been updated; or,
• release does not change library.
• CI is green (no forced merge required).

[styfle]

[davisjam]

Lots of good stuff in here!

[azu]

Deprecate sanitize and sanitizer options #1504

Is sanitizer option deprecated?
#1504 affect only sanitize option?
Its my error. sanitizer option work with sanitize option.

Also, I think that release note or documentation should includes migration guide from sanitize to sanitize library. The release note and documentation have an lack of concrete example code.

[UziTech]

@azu the documentation for the sanitize option lists a few other libraries that do a much better job sanitizing html.

[azu]

@UziTech Yes, I know.

I've tried to use [email protected] and DOMPurify, but this combination has a bit complex context.
Because, DOMPurify does not work on Node.js without jsdom.

• marked is universal/isomophic library
• DOMPurify is not universal/isomophic library
  • It require jsdom for Node.js

The browser enviroment does not need jsdom, but Node.js env does need jsdom.
It require a bit complex code.

if(THIS_ENV_IS_NODE){
  return marked + dompurify + jsdom
} else{
  return marked + dompurify
}

So, I've created a wrapper library for optimizing Browser and Node.js.

• https://github.com/azu/safe-marked

safe-marked is a wrapper library of marked, DOMPurify, and jsdom.
Also, safe-marked define 'browser' field in package.json for optimizing browser bundle.
The browser entry point does not include jsdom.

This wrapper aim to reduce pacakge size for browser.

  package           size      minified  gzipped
  safe-marked       90.15 KB  39.36 KB  13.82 KB (browser bundle size)
  [email protected]      45.05 KB  23.87 KB  7.87 KB
  [email protected]  45.21 KB  15.3 KB   5.99 KB
  
  # Other Markdown library  
  [email protected]  325.52 KB  92.69 KB  32.77 KB
  [email protected]     157.28 KB  71.06 KB  23.55 KB

Conclusion

The documentation just say following

Marked does not sanitize the output HTML. Please use a sanitize library, like DOMPurify (recommended), sanitize-html or insane on the output HTML! 🚨

Afte using marked + DOMPurify, I feed that it is hard to use marked safety.
I think that we need to improve documentation about the usage of sanitizing.
Or just come back to support sanitize option...

However, The documentation is not fundamental solution.

Thanks.

---

📝 Note: The size of recommentation libraries :

sanitize-html is too large. insane looks like that is not maintained and have some problem.
So, I've selected DOMPurify. DOMPurify is maintained by security company.

  package               size      minified   gzipped
  [email protected]      45.21 KB  15.3 KB    5.99 KB
  [email protected]  1.02 MB   210.06 KB  64.81 KB
  [email protected]          18.61 KB  4.64 KB    1.9 KB

Also, I love package size of marked ❤️

[UziTech]

I think that we need to improve documentation about the usage of sanitizing.

We are always taking pull requests 😁