Tag SCRIPT breaks whole document

Open xdan opened this issue 1 year ago • 1 comments

Package version

4.47.3

Node version

20.16

Platform

mac

What steps will reproduce the bug?

allowHTML: true
needToSanitizeHtml: false

If you use HTML in a page + allow inserting script, the page becomes broken. You insert all the content into the script tag at the end of the document.

# Example 1
<script>bla()</script>

After the build, this script will be inside another script at the end of the page:

<script type="application/javascript">
window.STATIC_CONTENT = true
                   window.__DATA__ = {"data": ...., html: "...<script>bla()</script>"
</script>

When the browser parser encounters another script tag inside, it thinks that the first one has ended.

What is the expected behavior?

For documentation it is often important to include examples; I would like to be able to include a script tag.

What do you see instead?

Broken page

Additional information

I also couldn't find what format the sanitizer options are (sanitizeOptions). The documentation just says Object. I think it should be like this:

allowHTML: true
needToSanitizeHtml: true
sanitizeOptions:
    allowedTags: 
        - script

But this doesn't work.

xdan avatar Mar 01 '25 15:03 xdan
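The break described in this issue, and one common way to serialize page data so it cannot terminate the enclosing inline script, as an added example that is not part of the original issue and not the project's own code. The function names `serializeForInlineScript`, `scriptElementEnd` and `roundTrip` are hypothetical, the page data is constructed, and the parser model is simplified.

```javascript
// Added example; not yfm-transform or CLI code. All names are hypothetical.

// Characters that can end or confuse an inline <script> block (<, >, &) or
// act as line terminators in older JS engines (U+2028/U+2029), mapped to
// \uXXXX escapes that are valid inside JSON and JS string literals.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// JSON.stringify leaves "<" and "/" untouched, so "</script>" survives in
// string values. Escaping after serialization keeps the JSON equivalent.
function serializeForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Simplified model of the HTML tokenizer: the script element ends at the
// first "</script" followed by whitespace, "/" or ">", no matter whether
// that text sits inside a JavaScript string. Returns the cut index or -1.
function scriptElementEnd(scriptBody) {
  const m = /<\/script[\s/>]/i.exec(scriptBody);
  return m ? m.index : -1;
}

// The escaped form still parses back to the original value.
function roundTrip(value) {
  return JSON.parse(serializeForInlineScript(value));
}

// Constructed page data mirroring the issue's "Example 1".
const data = { html: '<h1>Example 1</h1><script>bla()</script>' };

const naive = 'window.__DATA__ = ' + JSON.stringify(data);
const safe = 'window.__DATA__ = ' + serializeForInlineScript(data);

console.log('naive body is cut at index', scriptElementEnd(naive));
console.log('safe body is cut at index ', scriptElementEnd(safe));
console.log('round trip intact:', roundTrip(data).html === data.html);
```
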

Looks like a problem for CLI, not for transform.

In the CLI this was fixed in one of the last versions. Can you check it?

3y3 avatar Apr 08 '25 10:04 3y3