Markdown support for app descriptions

[nickvergessen]

@janis91 this should fix the markdown showing up as plaintext...

@icewind1991 your files_markdown app uses the same lib, you might be able to drop it, in case it causes problems otherwise.
@LukasReschke @MorrisJobke

Todo

• Decide on allowed markdown
• Fix displaying of lists

[LukasReschke]

I'll take a look later with regards to XSS.

[nickvergessen]

Well the question is, which markup do we want to allow?
I guess most devs would already be happy with:

Allowed

• string
• italic
• lists: *, 1.

Unsafe

• Images are not what the page is designed for and are not loaded due to CSP by default, unless shipped (but then you still have a problem with app paths which you don't know)
• Links are mostlikely the highest risk. Of course they got their use cases, and dev's can already provide links to docs which can have malicious content

[BernhardPosselt]

Last time I've tried marked it was vulnerable to XSS. I've ended up with https://github.com/markdown-it/markdown-it#markdown-it which is "Safe by default"

[BernhardPosselt]

I'd render links because most of the time you want to link to documentation or FAQ to get people started.

As for images: I'd probably relax the CSP if feasable but require them to be served over HTTPS

[nickvergessen]

Closing, feel free to reopen and pick up, once decisions have been made

[nickvergessen]

Rebased and pushed a commit which:

• Disables rendering of quotes
• Disables images
• Disables links unless they start with http: or https:

I'd like to do this and also add it to 11, because the app store says markdown is supported and even shows it, but in the app management everything looks broken.

Please review @LukasReschke @BernhardPosselt @MorrisJobke

@BernhardPosselt please also adjust the app store to not render quotes, images and non-http links, so the feeling is the same everywhere

[BernhardPosselt]

Any reason for not rendering links, quotes and images? These things are probably the most important markdown features. What MD lib are you using?

[nickvergessen]

Any reason for not rendering links, quotes and images?

We render links when they are http or https, but javascript, ftp, whatever are just ignored.
Quotes cause layout issues on the small page and images are violating the CSP

What MD lib are you using?

https://github.com/nextcloud/server/pull/1594/files#diff-0a08a7565aba4405282251491979bb6b

[LukasReschke]

Added DOMPurify at b25a3b9 – ok for me now.

[LukasReschke]

@nickvergessen Whitelist here what you want to have whitelisted 😉

[nickvergessen]

@jancborchardt can you fix lists please? they have too much space and the order items seem to be stripped away. You can tests it by adding the following as an app description:

**Bold** and *Italic*

follow the [link](https://localhost)

List:
* one
* two
    + a
    + b
    + c
* thre

List2:
1. one
2. two
    1. a
    2. a
    3. a
3. thrww

[MorrisJobke]

@jancborchardt can you fix lists please? they have too much space and the order items seem to be stripped away. You can tests it by adding the following as an app description:

Let me try to fix this.

[MorrisJobke]

I fixed it and it now looks like this:

[MorrisJobke]

I just added some top and bottom margin to the paragraphs:

Before:

After:

[nickvergessen]

Thanks, so ready to merge!

[ChristophWurst]

tested and works

[ChristophWurst]

Thanks, so ready to merge!

Go go go go! 🏎

[nickvergessen]

I'd still like to backport this to 11, so the new fancy appstore descriptions don't appear broken in Nextcloud.

Opinions @LukasReschke @karlitschek

[karlitschek]

nice. please backport. low risk I assume