Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Restore old anchor generation behaviour from before v1.15.0 #578

Merged
merged 1 commit into from
Jan 19, 2019
Merged

Restore old anchor generation behaviour from before v1.15.0 #578

merged 1 commit into from
Jan 19, 2019

Conversation

Xenonym
Copy link
Contributor

@Xenonym Xenonym commented Jan 14, 2019

What is the purpose of this pull request? (put "X" next to an item, remove the rest)

• [X] Bug fix

Resolves #576.

What is the rationale for this request?
When we upgraded markdown-it-anchor to 5.0.0 in #469, we also changed the anchor tag generation behaviour: instead of ignoring special characters, the new version now URL-encodes them instead. For example, "Guideline: Avoid Unsafe Shortcuts" becomes guideline%3A-avoid-unsafe-shortcuts. This breaks compatibility with headings generated by GFMD, which expects guideline-avoid-unsafe-shortcuts.

What changes did you make? (Give an overview)
I added @sindresorhus/slugify which provides slugify behaviour similar to what we had previously, and configured markdown-it-anchor to use this new library.

Provide some example code that this change will affect:

## Guideline: Avoid Unsafe Shortcuts

Is there anything you'd like reviewers to focus on?
This change needs to be coupled with a change to MarkBind/vue-strap to revert similar changes made in MarkBind/vue-strap#92.

Testing instructions:

  1. Create a markdown document with headers that have special characters eg. :. The anchor link should not contain special characters.

Copy link
Member

@yamgent yamgent left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original anchor issue arose because [email protected] was too liberal in using regex on unsafe user input. Hence it got reported as a vulnerability.

For that reason, I don't think we should re-adopt and re-adapt their code, and definitely not try maintaining their code lest we get hit with the same problem. :P

Let's explore some npm packages first like slugify. They used to be reported with similar vulnerabilities but they seem to have fixed it with their later versions. So let's import their packages whenever possible, instead of implementing and maintaining our own slugify. This will make it easier to fix the issue on vue-strap too.

@Xenonym
Copy link
Contributor Author

Xenonym commented Jan 15, 2019

@yamgent if you are referring to jprichardson/string.js#212, note that the regex in question are not the ones used in the logic of slugify. I am not sure if the problem of unsafe user input applies in MarkBind's context: slugify is used to generate anchors, and thus the inputs must necessarily come from MarkBind source files written by the author, which probably will not contain malicious code unless the author seeks to crash his own computer.

Nevertheless, I do agree that if there is a external package available that is maintained with this functionality, we should probably go with that instead. Will look into simov/slugify. Thanks for the heads up!

Update: simov/slugify replaces < and > with less and greater eg. Tweaking the page <head> becomes tweaking-the-page-lessheadgreater. Probably not what we want.

@Xenonym
Copy link
Contributor Author

Xenonym commented Jan 15, 2019

@sindresorhus/slugify seems to work.

Copy link
Member

@yamgent yamgent left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent, thanks. 👍

@yamgent yamgent added this to the v1.16.2 milestone Jan 17, 2019
@yamgent yamgent merged commit b34ca6c into MarkBind:master Jan 19, 2019
yamgent added a commit to yamgent/vue-strap that referenced this pull request Jan 21, 2019
The main MarkBind project has switched to using the
@sindresorhus/slugify library [1] to generate the anchor IDs for
headings. The switch is done in one of the recently merged PR [2].

Our panels still uses the old anchor ID generation algorithm for
headings in its header.

As a step towards allowing panels to use the same anchor ID generation
algorithm, let's install @sindresorhus/slugify.

[1] - https://github.com/sindresorhus/slugify
[2] - MarkBind/markbind#578
yamgent added a commit to yamgent/vue-strap that referenced this pull request Jan 21, 2019
The main MarkBind project has switched to using the
@sindresorhus/slugify library[1] to generate the anchor IDs for
headings. The switch is done in one of the recently merged PR in the
main MarkBind project[2].

Our panels still uses the old anchor ID generation algorithm for
headings in its header.

Let's switch the anchor ID generation algorithm of panels to use
@sindresorhus/slugify.

[1] - https://github.com/sindresorhus/slugify
[2] - MarkBind/markbind#578
@Xenonym Xenonym deleted the restore-slugify-behaviour branch January 21, 2019 14:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Intra-page links are not compatible with GFMD
2 participants