From 247a9e38e211c6366df236aff44cb93da998f00c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20H=C3=A4usler?=
Date: Mon, 7 Feb 2022 11:55:45 +0100
Subject: [PATCH] fix: prevent HTML rendering in preview mode (#2986)

Prevent HTML rendering in preview mode if HTML rendering is disabled in settings. We allow the img tag to support our image resizer.
---
 src/muya/lib/parser/index.js | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/muya/lib/parser/index.js b/src/muya/lib/parser/index.js
index d1e48033..9e01a4f6 100644
--- a/src/muya/lib/parser/index.js
+++ b/src/muya/lib/parser/index.js
@@ -32,12 +32,26 @@ const correctUrl = token => {
 }
 }

+const matchHtmlTag = (src, disableHtml) => {
+ const match = inlineRules.html_tag.exec(src)
+ if (!match) {
+ return null
+ }
+
+ // Ignore HTML tag when HTML rendering is disabled and import it as plain text.
+ // NB: We have to allow img tag to support image resizer and options.
+ if (disableHtml && (!match[3] || !/^img$/i.test(match[3]))) {
+ return null
+ }
+ return match
+}
+
 const tokenizerFac = (src, beginRules, inlineRules, pos = 0, top, labels, options) => {
 const originSrc = src
 const tokens = []
 let pending = ''
 let pendingStartPos = pos
- const { superSubScript, footnote } = options
+ const { disableHtml, superSubScript, footnote } = options
 const pushPending = () => {
 if (pending) {
 tokens.push({
@@ -427,7 +441,7 @@ const tokenizerFac = (src, beginRules, inlineRules, pos = 0, top, labels, option
 }

 // html-tag
- const htmlTo = inlineRules.html_tag.exec(src)
+ const htmlTo = matchHtmlTag(src, disableHtml)
 let attrs
 // handle comment
 if (htmlTo && htmlTo[1] && !htmlTo[3]) {
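Review bot: The `img` exception in `matchHtmlTag` returns the whole matched tag, so with `disableHtml` set every attribute on an `<img>` still reaches the token built from `getAttributes(htmlTo[0])` in the `@@ -448` hunk. Nothing visible here limits those attributes to what the image resizer needs, so event-handler attributes and remote `src` URLs depend entirely on sanitisation further down the render path, which this diff does not show. Consider keeping only an allowlist of attributes when `disableHtml` is true, and record the assumption next to the check: `// img is still tokenised when disableHtml is set; its attributes must be sanitised by the renderer`. `disableHtml` is also read from `options` with no default, so a caller that omits it keeps HTML rendering on; the callers are outside this diff, so confirm each one passes the setting. The diffstat lists only this file, so a test that tokenises a non-img tag and an `<img>` with extra attributes under `disableHtml` would pin the intended behaviour.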
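Review bot: `matchHtmlTag` reads `inlineRules` from the enclosing scope (presumably a module-level binding not shown here), while the line it replaces used the `inlineRules` parameter of `tokenizerFac`, so the HTML rule consulted at this call may no longer be the rule set the caller passed in. If the two can ever differ (the call sites are outside this diff), pass the parameter through: `const matchHtmlTag = (src, rules, disableHtml) => {` and `const htmlTo = matchHtmlTag(src, inlineRules, disableHtml)`. The body of `tokenizerFac` starts and continues outside this hunk.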
@@ -448,8 +462,7 @@ const tokenizerFac = (src, beginRules, inlineRules, pos = 0, top, labels, option
 src = src.substring(len)
 pos = pos + len
 continue
- }
- if (htmlTo && !(disallowedHtmlTag.test(htmlTo[3])) && (attrs = getAttributes(htmlTo[0]))) {
+ } else if (htmlTo && !(disallowedHtmlTag.test(htmlTo[3])) && (attrs = getAttributes(htmlTo[0]))) {
 const tag = htmlTo[3]
 const html = htmlTo[0]
 const len = htmlTo[0].length