diff options
author | Lauri Ojansivu <x@xet7.org> | 2020-03-06 03:52:12 +0200 |
---|---|---|
committer | Lauri Ojansivu <x@xet7.org> | 2020-03-06 03:52:12 +0200 |
commit | 2b26bbe78a1a2b8b427963a6c44c3853efdb737e (patch) | |
tree | 90a71801d84a4c0a019e072a953299bbc0a2962d /packages/markdown/marked/docs/USING_ADVANCED.md | |
parent | a6d702d1ab9906898dab4cacec735043e5618fb1 (diff) | |
download | wekan-2b26bbe78a1a2b8b427963a6c44c3853efdb737e.tar.gz wekan-2b26bbe78a1a2b8b427963a6c44c3853efdb737e.tar.bz2 wekan-2b26bbe78a1a2b8b427963a6c44c3853efdb737e.zip |
Fix: img tag did not allow width and height.
Removed swipebox from markdown editor img tag and
updated marked markdown to newest version.
Thanks to hradec and xet7 !
Closes #2956
Diffstat (limited to 'packages/markdown/marked/docs/USING_ADVANCED.md')
-rw-r--r-- | packages/markdown/marked/docs/USING_ADVANCED.md | 102 |
1 files changed, 88 insertions, 14 deletions
diff --git a/packages/markdown/marked/docs/USING_ADVANCED.md b/packages/markdown/marked/docs/USING_ADVANCED.md index 6490caa7..81df205b 100644 --- a/packages/markdown/marked/docs/USING_ADVANCED.md +++ b/packages/markdown/marked/docs/USING_ADVANCED.md @@ -14,18 +14,19 @@ marked(markdownString [,options] [,callback]) ```js // Create reference instance -var myMarked = require('marked'); +const marked = require('marked'); // Set options // `highlight` example uses `highlight.js` -myMarked.setOptions({ - renderer: new myMarked.Renderer(), - highlight: function(code) { - return require('highlight.js').highlightAuto(code).value; +marked.setOptions({ + renderer: new marked.Renderer(), + highlight: function(code, language) { + const hljs = require('highlight.js'); + const validLanguage = hljs.getLanguage(language) ? language : 'plaintext'; + return hljs.highlight(validLanguage, code).value; }, pedantic: false, gfm: true, - tables: true, breaks: false, sanitize: false, smartLists: true, @@ -34,14 +35,14 @@ myMarked.setOptions({ }); // Compile -console.log(myMarked('I am using __markdown__.')); +console.log(marked(markdownString)); ``` <h2 id="options">Options</h2> |Member |Type |Default |Since |Notes | |:-----------|:---------|:--------|:--------|:-------------| -|baseUrl |`string` |`null` |0.3.9 |A prefix url for any relative link. | +|baseUrl |`string` |`null` |0.3.9 |A prefix url for any relative link. | |breaks |`boolean` |`false` |v0.2.7 |If true, add `<br>` on a single line break (copies GitHub). Requires `gfm` be `true`.| |gfm |`boolean` |`true` |v0.2.1 |If true, use approved [GitHub Flavored Markdown (GFM) specification](https://github.github.com/gfm/).| |headerIds |`boolean` |`true` |v0.4.0 |If true, include an `id` attribute when emitting headings (h1, h2, h3, etc).| @@ -50,13 +51,12 @@ console.log(myMarked('I am using __markdown__.')); |langPrefix |`string` |`'language-'`|v0.3.0|A string to prefix the className in a `<code>` block. Useful for syntax highlighting.| |mangle |`boolean` |`true` |v0.3.4 |If true, autolinked email address is escaped with HTML character references.| |pedantic |`boolean` |`false` |v0.2.1 |If true, conform to the original `markdown.pl` as much as possible. Don't fix original markdown bugs or behavior. Turns off and overrides `gfm`.| -|renderer |`object` |`new Renderer()`|v0.3.0|An object containing functions to render tokens to HTML. See [extensibility](USING_PRO.md) for more details.| -|sanitize |`boolean` |`false` |v0.2.1 |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.| +|renderer |`object` |`new Renderer()`|v0.3.0|An object containing functions to render tokens to HTML. See [extensibility](/#/USING_PRO.md) for more details.| +|sanitize |`boolean` |`false` |v0.2.1 |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.<br>**Warning**: This feature is deprecated and it should NOT be used as it cannot be considered secure.<br>Instead use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://github.com/bevacqua/insane) on the output HTML! | |sanitizer |`function`|`null` |v0.3.4 |A function to sanitize the HTML passed into `markdownString`.| |silent |`boolean` |`false` |v0.2.7 |If true, the parser does not throw any exception.| |smartLists |`boolean` |`false` |v0.2.8 |If true, use smarter list behavior than those found in `markdown.pl`.| |smartypants |`boolean` |`false` |v0.2.9 |If true, use "smart" typographic punctuation for things like quotes and dashes.| -|tables |`boolean` |`true` |v0.2.7 |If true and `gfm` is true, use [GFM Tables extension](https://github.github.com/gfm/#tables-extension-).| |xhtml |`boolean` |`false` |v0.3.2 |If true, emit self-closing HTML tags for void elements (<br/>, <img/>, etc.) with a "/" as required by XHTML.| <h2 id="highlight">Asynchronous highlighting</h2> @@ -64,7 +64,7 @@ console.log(myMarked('I am using __markdown__.')); Unlike `highlight.js` the `pygmentize.js` library uses asynchronous highlighting. This example demonstrates that marked is agnostic when it comes to the highlighter you use. ```js -myMarked.setOptions({ +marked.setOptions({ highlight: function(code, lang, callback) { require('pygmentize-bundled') ({ lang: lang, format: 'html' }, code, function (err, result) { callback(err, result.toString()); @@ -72,7 +72,81 @@ myMarked.setOptions({ } }); -console.log(myMarked(markdownString)); +console.log(marked(markdownString)); ``` -In both examples, `code` is a `string` representing the section of code to pass to the highlighter. In this example, `lang` is a `string` informing the highlighter what programming lnaguage to use for the `code` and `callback` is the `function` the asynchronous highlighter will call once complete. +In both examples, `code` is a `string` representing the section of code to pass to the highlighter. In this example, `lang` is a `string` informing the highlighter what programming language to use for the `code` and `callback` is the `function` the asynchronous highlighter will call once complete. + +<h2 id="workers">Workers</h2> + +To prevent ReDoS attacks you can run marked on a worker and terminate it when parsing takes longer than usual. + +Marked can be run in a [worker thread](https://nodejs.org/api/worker_threads.html) on a node server, or a [web worker](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API) in a browser. + +### Node Worker Thread + +```js +// markedWorker.js + +const marked = require('marked'); +const { parentPort } = require('worker_threads'); + +parentPort.on('message', (markdownString) => { + parentPort.postMessage(marked(markdownString)); +}); +``` + +```js +// index.js + +const { Worker } = require('worker_threads'); +const markedWorker = new Worker('./markedWorker.js'); + +const markedTimeout = setTimeout(() => { + markedWorker.terminate(); + throw new Error('Marked took too long!'); +}, timeoutLimit); + +markedWorker.on('message', (html) => { + clearTimeout(markedTimeout); + console.log(html); + markedWorker.terminate(); +}); + +markedWorker.postMessage(markdownString); +``` + +### Web Worker + +> **NOTE**: Web Workers send the payload from `postMessage` in an object with the payload in a `.data` property + +```js +// markedWorker.js + +importScripts('path/to/marked.min.js'); + +onmessage = (e) => { + const markdownString = e.data + postMessage(marked(markdownString)); +}; +``` + +```js +// script.js + +const markedWorker = new Worker('./markedWorker.js'); + +const markedTimeout = setTimeout(() => { + markedWorker.terminate(); + throw new Error('Marked took too long!'); +}, timeoutLimit); + +markedWorker.onmessage = (e) => { + clearTimeout(markedTimeout); + const html = e.data; + console.log(html); + markedWorker.terminate(); +}; + +markedWorker.postMessage(markdownString); +``` |