mirror of https://github.com/laurent22/joplin.git synced 2024-11-24 08:12:24 +02:00

Doc: Describe how to escape Markdown in coding style

Laurent Cozic 2023-05-17 09:31:05 +01:00
parent a46648f1ee
commit df9bfc7635


@ -196,6 +196,10 @@ As much as possible, avoid default parameters in **function definitions** and op
If you search for ["XSS" in the Joplin git log](https://github.com/laurent22/joplin/search?q=xss&type=commits) you'll find several security vulnerabilities that have been fixed over the year, and that happened in various places that are hard to predict. So we need to be careful with this and make sure we correctly escape user content.
We should do so even if we think we control the input or that it will always have a certain format. That may change in the future, or that could be exploited via another bug.
Finally, escaping data is often required to prevent markup code from breaking. For example quotes or angled brackets have to be escaped in HTML or else the markup is likely to break.
How you escape the data depends on where you are going to insert it so there's no single function that's going to cover all cases.
### To insert into a JS script
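Review bot: two wording nits in the new paragraphs: "fixed over the year" should read "fixed over the years", and "angled brackets" is normally "angle brackets". The guidance itself is sound; the sentence "How you escape the data depends on where you are going to insert it" would be stronger if it stated the rule the following subsections (JS script, URL, Markdown) rely on: choose the escaping function for the final sink the value lands in, not for where the value came from, because a string escaped for one context (say, a JS string literal) is not thereby safe in another (say, HTML or Markdown).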
@ -234,6 +238,18 @@ encodeURI('https://domain.com/path to a document.pdf');
// 'https://domain.com/path%20to%20a%20document.pdf'
```
### To insert into Markdown code
Use the provided escape functions in `lib/markdownUtils`:
- `escapeTableCell()` for tables
- `escapeInlineCode()` for inline code
- `escapeTitleText()`and `escapeLinkUrl()` for links:
```ts
const markdown = `[${markdownUtils.escapeTitleText(linkTitle)}](${markdownUtils.escapeLinkUrl(linkUrl)})`;
```
### Escape as late as possible
Ideally the application should only deal with raw, unencoded data, so it means data should be decoded and encoded at the application boundaries. Doing so means we avoid accidentally double-escaping data, or having to encode/decode within the app, which is error prone.
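Review bot: the third list item is missing a space between `escapeTitleText()` and `and`. The `ts` snippet also references `markdownUtils` without showing how it is brought into scope; since the text names `lib/markdownUtils`, adding the import line above the template literal would let readers copy the example as-is, and a short note that `linkTitle` and `linkUrl` stand for untrusted values (a note title, a resource URL) would make the threat clearer. Finally, the list covers tables, inline code and links but says nothing about plain body text; if `lib/markdownUtils` has no general-purpose escape for that case, say so explicitly so readers do not assume `escapeTitleText()` is safe outside of link titles.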