Skip to content

Update Markdown configuration to a more secure practice#4377

Merged
ildyria merged 1 commit into
masterfrom
fix-another-xss
May 26, 2026
Merged

Update Markdown configuration to a more secure practice#4377
ildyria merged 1 commit into
masterfrom
fix-another-xss

Conversation

@ildyria
Copy link
Copy Markdown
Member

@ildyria ildyria commented May 26, 2026
edited by coderabbitai Bot
Loading

Summary by CodeRabbit

  • Chores
    • Enhanced security by disabling unsafe links in markdown processing.
    • Improved stability and performance by implementing maximum nesting depth limits in markdown rendering.

Review Change Stack

@ildyria ildyria requested a review from a team as a code owner May 26, 2026 19:34
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented May 26, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8ddb5414-b46c-43b1-86f2-f80076188542

📥 Commits

Reviewing files that changed from the base of the PR and between 7d79492 and 843c1a5.

📒 Files selected for processing (1)
  • config/markdown.php
📝 Walkthrough

Walkthrough

CommonMark parser safety is hardened by disabling unsafe HTML links and capping maximum block nesting to 10 levels, preventing potential security issues and denial-of-service attacks from deeply nested markdown structures.

Changes

CommonMark Configuration Hardening

Layer / File(s) Summary
Safety constraints on markdown parsing
config/markdown.php		 The CommonMark configuration disables allow_unsafe_links and caps max_nesting_level at 10, preventing malicious or deeply nested markdown content from exploiting parser vulnerabilities.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A rabbit hops through code so neat,
Where markdown rules must stay discreet,
No unsafe links shall creep inside,
And nesting depths are sanctified,
Safe config hops, we're all more sweet! 🔒

🚥 Pre-merge checks | ✅ 1
✅ Passed checks (1 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov
Copy link
Copy Markdown

codecov Bot commented May 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.23%. Comparing base (7d79492) to head (843c1a5).

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ildyria ildyria merged commit f0604ea into master May 26, 2026
46 checks passed
@ildyria ildyria deleted the fix-another-xss branch May 26, 2026 21:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ildyria