Attempt to improve markdown rendering

cycomachead · cycomachead · commit ce9fbf8cfcff · 2025-09-02T19:02:43.000+02:00
* allow more unsafe HTML on admin-controlled files
* be aggressive with filtering links and text in user bios
diff --git a/app/assets/stylesheets/application.css b/app/assets/stylesheets/application.css
@@ -16,15 +16,12 @@
  *= require osem-dashboard
  *= require osem-splash
  *= require osem-fonts
- *= require bootstrap-markdown
- *= require bootstrap-datetimepicker
  *= require leaflet
  *= require bootstrap3-switch
  *= require osem-payments
  *= require osem-navbar
  *= require selectize
  *= require selectize.bootstrap3
- *= require bootstrap-select
  *= require conferences
 
  *= require fullcalendar-scheduler/main.css
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -7,7 +7,18 @@ class UsersController < ApplicationController
 
   # GET /users/1
   def show
-    @events = @user.events.where(state: :confirmed)
+    all_user_events = @user.events
+    @events = all_user_events.where(state: :confirmed)
+
+    # Minimize info shown unless a user has submitted at least one proposal
+    # To be safe, we don't delete data, just hide it in a hacky way.
+    # Unset the email so a picture from gravatar won't be shown
+    unless all_user_events.any?
+      @user.picture = nil
+      @user.email = nil
+      @user.name = @user.name.length > 15 ? @user.name[0, 15] + '…' : @user.name
+      @user.biography = ''
+    end
   end
 
   # GET /users/1/edit
diff --git a/app/helpers/format_helper.rb b/app/helpers/format_helper.rb
@@ -158,26 +158,50 @@ def selected_scheduled?(schedule)
     schedule == @selected_schedule ? 'Yes' : 'No'
   end
 
+  # Used for user bios and high-spam places
+  def restricted_markdown(text, truncate: 2000)
+    return '' if text.nil?
+
+    markdown_options = {
+      autolink:                     false,
+      space_after_headers:          true,
+      no_intra_emphasis:            false, # SNAPCON
+      fenced_code_blocks:           true,
+      disable_indented_code_blocks: true,
+    }
+    render_options = {
+      filter_html:     true,
+      no_images:       true,
+      no_links:        true,
+      escape_html:     false,
+      safe_links_only: true
+    }
+    markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML.new(render_options), markdown_options)
+    truncate(sanitize(markdown.render(text), remove_elements: %w[a]), length: truncate)
+  end
+
   def markdown(text, escape_html = true)
     return '' if text.nil?
 
     markdown_options = {
       autolink:                     true,
       space_after_headers:          true,
-      # no_intra_emphasis:            true, # SNAPCON
+      no_intra_emphasis:            false, # SNAPCON
       fenced_code_blocks:           true,
       disable_indented_code_blocks: true,
+      lax_spacing:                  true, # SNAPCON
       tables:                       true, # SNAPCON
       strikethrough:                true, # SNAPCON
       footnotes:                    true, # SNAPCON
-      superscript:                  true # SNAPCON
+      superscript:                  true  # SNAPCON
     }
     render_options = {
+      filter_html:     escape_html,
       escape_html:     escape_html,
-      safe_links_only: true
+      safe_links_only: false,
     }
     markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML.new(render_options), markdown_options)
-    rendered = sanitize(markdown.render(text))
+    rendered = markdown.render(text)
     escape_html ? sanitize(rendered, scrubber: Loofah::Scrubbers::NoFollow.new) : rendered.html_safe
   end
 
diff --git a/app/views/admin/events/_proposal.html.haml b/app/views/admin/events/_proposal.html.haml
@@ -117,7 +117,7 @@
               - unless speaker.biography.blank?
                 %b
                   = speaker.name
-                = markdown(speaker.biography)
+                = restricted_markdown(speaker.biography)
         %tr
           %td
             %b Submitted on
diff --git a/app/views/admin/users/show.html.haml b/app/views/admin/users/show.html.haml
@@ -27,7 +27,7 @@
                     = show_roles(@user.get_roles)
                 - elsif attr == 'biography'
                   %td
-                    = markdown(@user.biography)
+                    = restricted_markdown(@user.biography)
                 - elsif attr == 'profile_picture'
                   %td
                     = image_tag @user.profile_picture(size: '100'), alt: ''
diff --git a/app/views/users/show.html.haml b/app/views/users/show.html.haml
@@ -8,7 +8,7 @@
           %small
             = @user.nickname
       %p
-        = markdown(@user.biography)
+        = restricted_markdown(@user.biography)
   .row
     .col-md-12
       - if @user.presented_events.confirmed.any?
