Add option to disable SecurityChecker

[tiotdev]

Even with skipSanitization enabled, the SecurityChecker throws exceptions if there are script tags in the post, which is common for some embeds (e.g. Flickr). I remove any script tags during sanitization anyway, throwing an exception makes the content renderer useless for me.

[Jblew]

Hi! The security check (which checks for <script> tags) and the sanitizaion are a separate steps in rendering process.
Basicly the steps are:

1. Preliminary sanitization (removes html comments
2. Markdown rendering
3. transforming known asset types (youtube, twitch) into special "asset tags"
4. Html sanitization (transforms tags, rewrites urls)
5. Security check (blocks left script tags)
6. Transforming "asset tags" into html. This is the point at which insecure elements required by asset players are introduced.

As you can see, the best and most generic solution to this problem would be to allow specifying custom asset tags and their resolutions. This way is also the most secure one, as each type of asset is transformed into the same, strictly defined code. Unfortunately, this requires some work and would take some time. We plan to resume our work on steem-content-renderer next week, so we will consider this feature.

As for now, I will add a simple kill-switch to skip the security check phase. Probably it should be marked as deprecated after we introduce the proper solution which is the support for custom asset types.

[Jblew]

@tiotdev I have added a temporary disable switch for "<script>" tag check.

Jest update the lib and set the allowInsecureScriptTags option to true.

import { DefaultRenderer } from "steem-content-renderer";

const renderer = new DefaultRenderer({
    baseUrl: "https://steemit.com/",
    breaks: true,
    skipSanitization: false,
    /******/
    allowInsecureScriptTags: true,
    /******/
    addNofollowToLinks: true,
    doNotShowImages: false,
    ipfsPrefix: "",
    assetsWidth: 640,
    assetsHeight: 480,
    imageProxyFn: (url: string) => url,
    usertagUrlFn: (account: string) => "/@" + account,
    hashtagUrlFn: (hashtag: string) => "/trending/" + hashtag,
    isLinkSafeFn: (url: string) => true,
});

const safeHtmlStr = renderer.render(postContent);

[tiotdev]

Thanks for the quick fix, works great!

[Jblew]

I would say it is not yet resolved. What I have done was only an ugly, temporary fix. It really violates the OCP design rule and I would love to remove that option in future releases.

Instead, we need a generic custom asset system that could be easily extended.

BUT... we have to really brainstorm this idea, because it breaks the main goal of our system which is the aim to render the content in the same way on every platform. If the renderer is extendable, we still run into the issue of having multiple implementations of the same asset types.

There is a third way - the hardest one: generic but not extendable asset system in which new types of assets are introduced by pull requests to the library.

What do you think? @bgornicki @tiotdev @noisy