-
-
Notifications
You must be signed in to change notification settings - Fork 198
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace "inner_contents" config option with "symbol" in Heading Permalinks #505
Comments
I mostly agree with the proposed solution, but with two caveats:
This is a very fair point. To give some background as to why 1.4 has the implementation it does: GFM's implementation adds this HTML inside the link: I'm not opposed to switching the default value to With this proposed solution, headings would render like this by default:
Does that look good or would this be better?
I'm not sure myself. Thoughts?
There are a number of configurable settings that add HTML classes to the output - they would also suffer from the same issue. Ideally, the rendering should happen within a cache layer that is easy to clear and allows for the Markdown to be re-converted when the cache is missing, but I get this isn't always easy or feasible. #431 would allow an alternate strategy where the parsed
But I'm getting too off-topic here :P Basically just trying to say this "problem" isn't limited to just this one feature and there are some ways around this, including some potential future approaches.
I'm not worried about this one as there are much greater risks, like somebody changing |
Then what's the point of introducing a new option that does the exact same thing as
Which is why this doesn't belong here. It's a part of their specific HTML rendering, not anyone elses. Given that one can easily remove a default text-based symbol and then style the entire link via CSS using a pseusdo-element to whatever icon they want, doesn't inherently mean it isn't "nice". It's just what's provided out the box. If someone decides they need to use their own custom icon set or whatever to make it appear "nice" on their site, then that is the type of customization that should be left to the developer to implement on their own.
Personally, I think if it's before, it should be Regardless, this is purely cosmetic and configurable; which is the entire point. Ultimately, I don't think that warrants changing In order to simplify this specific
True, however as you state, they're classes, not arbitrary HTML markup (which isn't processed or filtered at all). This is the only configuration option that literally allows whatever is passed to be rendered as-in in the final markup. Classes can be more easily ignored (or quickly fixed to a previous BC implementation) if a FE implementation has changed. Adding extra arbitrary HTML elements that can potentially have no styling whatsoever, can physically alter the layout of a page if there isn't appropriate CSS to handle it. I'm not saying that the other configuration doesn't suffer from this issue, but this one exacerbates the problem on a much higher level.
I understand what you're saying. But Nevermind that this is the only setting I've had to actively "parse" on Drupal's side just so it can allow whatever is provided there actually through the filtering system of "allowed HTML". Which, inherently also presents its own issues as this would allow any HTML passed here anywhere in the document; not strictly related to header permalinks. Anytime there is a way to "configure", "supply", or "inject" full HTML somewhere, it runs a much higher risk of being exploited down the road in some fashion. Regardless of its intended purpose or perceived isolation; it can and will be eventually exploited somehow. I don't see how allowing a potentially vulnerable configuration option like this can be justified for the sake of a strictly visual cosmetic enhancement that should be handled on the FE level in the first place. |
I do think your use case is a little different than most, as Drupal is allowing potentially untrusted users to modify settings that could impact security, whereas most applications are going to "hard-code" these settings to their particular needs. For example, if Reddit or StackOverflow were to change their implementations over to PHP and use this lib, they're not going to expose this setting to their users - they're going to choose what works best for their particular application. That's not to say we shouldn't consider your use case (we absolutely should), but if a codebase chooses to expose a sensitive setting like |
With the recent request and decision made in #504, it brought up the point that the
inner_contents
config option essentially allows the same thing.It currently defaults to HeadingPermalinkRenderer::DEFAULT_INNER_CONTENTS which is an Octicon link SVG element.
Problems
Proposed solution
symbol
config option that is limited to a single character and defaults to a paragraph symbol (¶
).inner_contents
config option and remove the default value.inner_contents
if it was explicitly specified in config.The text was updated successfully, but these errors were encountered: