Skip to content

[newsfeed] add allowBasicHtmlTags option for basic emphasis#4176

Merged
sdetweil merged 2 commits into
MagicMirrorOrg:developfrom
egeekial:feat/newsfeed-basic-html
Jun 10, 2026
Merged

[newsfeed] add allowBasicHtmlTags option for basic emphasis#4176
sdetweil merged 2 commits into
MagicMirrorOrg:developfrom
egeekial:feat/newsfeed-basic-html

Conversation

@egeekial

@egeekial egeekial commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

Please make sure that you have followed these 3 rules before submitting your Pull Request:

  1. Base your pull requests against the develop branch.
    Done.
  2. Include these infos in the description:
  • Does the pull request solve a related issue?
    No
  • If so, can you reference the issue like this Fixes #<issue_number>?
  • What does the pull request accomplish? Use a list if needed.
  • If it includes major visual changes please add screenshots.

Render a strict allowlist of basic formatting tags (b, strong, i, em, u) in news titles and descriptions, while neutralizing all other HTML.

Feeds such as The Atlantic encode emphasis as entities (<em>), which html-to-text decoded to a literal string that the template then auto-escaped, so the raw tag was shown on screen. The new opt-in allowBasicHtmlTags option (default false) sanitizes both fields by escaping everything and restoring only the exact, attribute-free allowlisted tags, so the result is safe to render and arbitrary HTML/script injection is impossible.

Adds unit tests for the sanitizer and an e2e test covering rendering and an injection attempt.

Before screenshot: before
After screenshot: after

  1. Please run node --run lint:prettier before submitting so that
    style issues are fixed.
    Done

Note: Sometimes the development moves very fast. It is highly
recommended that you update your branch of develop before creating a
pull request to send us your changes. This makes everyone's lives
easier (including yours) and helps us out on the development team.

Thanks again and have a nice day!

Render a strict allowlist of basic formatting tags (b, strong, i, em, u)
in news titles and descriptions, while neutralizing all other HTML.

Feeds such as The Atlantic encode emphasis as entities (&lt;em&gt;), which
html-to-text decoded to a literal <em> string that the template then
auto-escaped, so the raw tag was shown on screen. The new opt-in
allowBasicHtmlTags option (default false) sanitizes both fields by
escaping everything and restoring only the exact, attribute-free
allowlisted tags, so the result is safe to render and arbitrary
HTML/script injection is impossible.

Adds unit tests for the sanitizer and an e2e test covering rendering and
an injection attempt.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sdetweil

sdetweil commented Jun 3, 2026

Copy link
Copy Markdown
Collaborator

do you ever envision the user wanting/needing to adjust the list of tags

in newfeedfetcher.js

const ALLOWED_TAGS = ["b", "strong", "i", "em", "u"];

if this is approved, will you also create a matching PR for the documentation repo?

@egeekial

egeekial commented Jun 4, 2026

Copy link
Copy Markdown
Contributor Author

do you ever envision the user wanting/needing to adjust the list of tags

in newfeedfetcher.js

const ALLOWED_TAGS = ["b", "strong", "i", "em", "u"];

My intent was to keep this limited to basic formatting and make the feature something users can simply turn on or off. I could imagine a user wanting finer control, such as allowing italics but not bold or underline, but I suspect most users would not want or need that level of granularity.

If you think that configurability would be beneficial, I would prefer exposing it as a subset of the existing safe list rather than allowing users to add arbitrary tags. Letting users add new tags seems more likely to create rendering issues or introduce an injection risk.

if this is approved, will you also create a matching PR for the documentation repo?

Yes, I can do that.

@KristjanESPERANTO

Copy link
Copy Markdown
Collaborator

I think this is a useful improvement. Thanks! :)

Building on @sdetweil’s point about configurability, I think a single option like allowedBasicHtmlTags instead of a boolean would be nice.

Suggested behavior:

  • default: [] (so current behavior stays unchanged)
  • users can choose only from a hardcoded safe list (like ["b", "strong", "i", "em", "u", "br", "code", "s", "sub", "sup"])
  • any unknown/unsafe tags are ignored (optionally with a warning)

This would keep the security model strict, avoids surprising defaults, no need for multiple options and still gives users flexible control. I think it should be possible to implement this with a reasonable level of complexity.

@rejas

rejas commented Jun 6, 2026

Copy link
Copy Markdown
Collaborator

I think this is a useful improvement. Thanks! :)

Building on @sdetweil’s point about configurability, I think a single option like allowedBasicHtmlTags instead of a boolean would be nice.

Suggested behavior:

* default: `[]` (so current behavior stays unchanged)

* users can choose only from a hardcoded safe list (like `["b", "strong", "i", "em", "u", "br", "code", "s", "sub", "sup"]`)

* any unknown/unsafe tags are ignored (optionally with a warning)

This would keep the security model strict, avoids surprising defaults, no need for multiple options and still gives users flexible control. I think it should be possible to implement this with a reasonable level of complexity.

I totally agree: nice pr and idea, but needs a little tweaking like kristjan proposes.

@sdetweil

sdetweil commented Jun 6, 2026

Copy link
Copy Markdown
Collaborator
  • users can choose only from a hardcoded safe list (like ["b", "strong", "i", "em", "u", "br", "code", "s", "sub", "sup"])

I don't know enough about the tags in the content. Are we sure this is the finite list.. (without us having to take PRs every so often, slowing functional delivery.

One thing I've learned over the years is that I learn new stuff constantly about how users expect the system to behave.

I like the PR, and the selectable list..

…gs allowlist

Per PR feedback, expose a single configurable array option instead of a
boolean. Users opt into individual formatting tags chosen from a hardcoded
safe list (b, strong, i, em, u, br, code, s, sub, sup); the default is []
so current behavior is unchanged. Any requested tag outside the safe list
is ignored with a warning, keeping the strict allowlist-only security model.

sanitizeBasicHtml now takes the validated allowlist as an argument and
builds its selectors/restore-regex from it. br is handled as a void element
(emitted as a single <br>) when allowed, and otherwise keeps collapsing to
a space. The Nunjucks template uses a length check since an empty array is
truthy.

Updates the unit and e2e tests/config to the new option, adding cases for
per-tag allowlisting, the empty-list default, the new safe tags, and br.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@KristjanESPERANTO

Copy link
Copy Markdown
Collaborator

After the last commit I'm fine with the current state 🙂 But since other maintainers were involved in the discussion, I don't want to make the decision about merging alone.

@rejas

rejas commented Jun 10, 2026

Copy link
Copy Markdown
Collaborator

Im fine with it too. what about you @sdetweil ?

@sdetweil

Copy link
Copy Markdown
Collaborator

it looks ok. We will find out if the list is enough

@sdetweil sdetweil merged commit 6ab8104 into MagicMirrorOrg:develop Jun 10, 2026
12 checks passed
@KristjanESPERANTO

Copy link
Copy Markdown
Collaborator

@egeekial Many thanks for this! 😃

if this is approved, will you also create a matching PR for the documentation repo?

Yes, I can do that.

It would be great if you could create the PR for the docs before the July 1 release.

@KristjanESPERANTO

Copy link
Copy Markdown
Collaborator

@egeekial Feedback would be nice, even if you can't do it 🙂

@egeekial

Copy link
Copy Markdown
Contributor Author

Follow-up: opened a documentation PR for this option over in the docs repo — MagicMirrorOrg/MagicMirror-Documentation#387.

@rejas rejas mentioned this pull request Jul 1, 2026
rejas added a commit that referenced this pull request Jul 1, 2026
## Release Notes
Thanks to: @angeldeejay, @egeekial, @khassel, @KristjanESPERANTO,
@MikeBishop, @rejas
> ⚠️ This release needs nodejs version >=22.21.1 <23 || >=24 (no change
to previous release)

[Compare to previous Release
v2.36.0](v2.36.0...develop)


### [core]
- Prepare Release 2.37.0 (#4193)
- fix(electron): map IPv6 :: wildcard to localhost (#4188)
- refactor(main): modernize DOM update flow with async/await (#4186)
- refactor(main): simplify _updateDom with async/await (#4185)
- fix(security): prevent unauthorized secret expansion in socket
payloads (#4184)
- refactor(main): simplify updateDomWithContent async flow (#4182)
- fix: modules losing data after HTTP 304 responses (#4180)
- chore: add missing core defaults (#4181)
- fix(server): enforce ipWhitelist for Socket.IO too (#4169)
- feat(systeminfo): include Git hash and branch in system information
log (#4167)
- feat(electron): support object-based electronSwitches (#4161)
- systeminformation thread not ending: move error handling from utils to
app (#4160)
- fix systeminformation thread not ending (#4155)
- refactor: use ES module imports in browser core (#4158)
- refactor(core): remove old Object.assign polyfill (#4157)
- refactor: rewrite Module as an ES6 class (#4151)
- refactor: rewrite NodeHelper as an ES6 class (#4147)
- update eletron to v42 (#4144)
- refactor(utils): drop ajv dependency (#4142)
- fix(systeminformation): output right 'used node' version (from parent
process) (#4141)
- fix: skip postinstall git clean when not in a git repository (#4139)
- Remove unnecessary conditionals and fix falsy property check in
imperial conversion (#4135)
- update version in package.json

### [dependencies]
- update dependencies (#4191)
- Bump actions/checkout from 6 to 7 (#4190)
- chore: update dependencies and adjust import path for SunCalc (#4189)
- update dependencies incl. electron and revert
yauzl-electron-install-fix (#4183)
- update dependencies, add electron fix in package.json (#4175)
- chore: update dependencies (#4162)
- Bump actions/dependency-review-action from 4 to 5 (#4152)
- Unify linting: replace Stylelint and markdownlint with ESLint (#4148)
- update dependencies and workflows to node v26 (#4140)

### [modules/alert]
- CodeQL cleanup for alerts #18, #19, #20 (#4153)
- fix: resolve CodeQL alerts #24 and #26 (#4145)
- fix(electron): resolve CodeQL alerts #22 and #25 in electron.js
(#4136)

### [modules/calendar]
- perf(calendar): pre-filter ICS data before parsing (#4168)
- perf(calendar): use async ICS parsing to avoid blocking event loop
(#4143)

### [modules/newsfeed]
- [newsfeed] add allowBasicHtmlTags option for basic emphasis (#4176)

### [modules/updatenotification]
- fix(updatenotification): don't spawn a child process when running
under PM2 (#4166)
- fix(updatenotification): use process.argv[0] as restart binary (#4163)
- fix(updatenotification): preserve start mode on restart (#4156)
- fix(updatenotification): fix ref diff parsing for fetch --dry-run
(#4138)
- refactor(updatenotification): replace pm2 usage with node logic
(#4134)

### [modules/weather]
- feat(weather): add Buienradar provider (#4164)

### [testing]
- remove warning in unit tests (for nodejs >= v25) (#4149)
- polish HTTP 304 docs/test/handling (#4129)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com>
Co-authored-by: BugHaver <43462320+bughaver@users.noreply.github.com>
Co-authored-by: BugHaver <43462320+lsaadeh@users.noreply.github.com>
Co-authored-by: Karsten Hassel <hassel@gmx.de>
Co-authored-by: Magnus <34011212+MagMar94@users.noreply.github.com>
Co-authored-by: Koen Konst <koenspero@gmail.com>
Co-authored-by: Koen Konst <c.h.konst@avisi.nl>
Co-authored-by: Bugsounet - Cédric <github@bugsounet.fr>
Co-authored-by: dathbe <github@beffa.us>
Co-authored-by: veeck <gitkraken@veeck.de>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Marcel <m-idler@users.noreply.github.com>
Co-authored-by: sam detweiler <sdetweil@gmail.com>
Co-authored-by: Kevin G. <crazylegstoo@gmail.com>
Co-authored-by: Jboucly <33218155+jboucly@users.noreply.github.com>
Co-authored-by: Jboucly <contact@jboucly.fr>
Co-authored-by: Jarno <54169345+jarnoml@users.noreply.github.com>
Co-authored-by: Jordan Welch <JordanHWelch@gmail.com>
Co-authored-by: Blackspirits <blackspirits@gmail.com>
Co-authored-by: Samed Ozdemir <samed@xsor.io>
Co-authored-by: in-voker <58696565+in-voker@users.noreply.github.com>
Co-authored-by: Andrés Vanegas Jiménez <142350+angeldeejay@users.noreply.github.com>
Co-authored-by: cgillinger <christian.gillinger@gmail.com>
Co-authored-by: Sonny B <43247590+sonnyb9@users.noreply.github.com>
Co-authored-by: sonnyb9 <sonnyb9@users.noreply.github.com>
Co-authored-by: Morgan McBee <egeekial@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Mike Bishop <mbishop@evequefou.be>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants