| author | Paul Buetow <paul@buetow.org> | 2026-04-10 09:48:44 +0300 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-04-10 09:48:44 +0300 |
| commit | 4c10490e0488b03de70a6e0d7d7432347dcce00a (patch) | |
| tree | 33fc822cba99c29b926bfc046b5c2c72608587a6 | |
| parent | 4ff456a6111d8553893308a84e9f0e992d4809bf (diff) | |
processor: document trusted inbox trust boundary for markdown HTML
Markdown uses goldmark html.WithUnsafe for intentional raw HTML in
personal-inbox posts. Package and processMd comments state the trust
model and warn against untrusted input on the same path.
Made-with: Cursor
| -rw-r--r-- | internal/processor/markdown.go | 8 | ||||
| -rw-r--r-- | internal/processor/processor.go | 7 |
2 files changed, 13 insertions, 2 deletions
diff --git a/internal/processor/markdown.go b/internal/processor/markdown.go
index 8d69bfe..e09cf59 100644
--- a/internal/processor/markdown.go
+++ b/internal/processor/markdown.go
@@ -17,7 +17,10 @@ import (
 // We use it to discover local asset references that must be copied.
 var imageRefPattern = regexp.MustCompile(`!\[[^\]]*\]\(([^)]+)\)`)
-// processMd converts a Markdown file to an HTML snippet.
+// processMd converts a Markdown file to an HTML snippet for a trusted inbox source.
+// The markdown (including any raw HTML blocks) is treated as author-controlled
+// content, not user-generated input from strangers; see the package comment.
+//
 // Returns the HTML and a list of local image filenames referenced in the document.
 // Referenced images that exist alongside the source file are returned so the
 // caller can copy them into the post asset directory.
@@ -33,7 +36,8 @@ func processMd(path string) (htmlContent string, localImages []string, err error
 md := goldmark.New(
 goldmark.WithExtensions(extension.GFM),
 goldmark.WithRendererOptions(
- html.WithUnsafe(), // Allow raw HTML in markdown (user-controlled content).
+ // Trusted inbox: preserve raw HTML in markdown (see package comment).
+ html.WithUnsafe(),
 ),
 )
diff --git a/internal/processor/processor.go b/internal/processor/processor.go
index b6fa40b..34aca90 100644
--- a/internal/processor/processor.go
+++ b/internal/processor/processor.go
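Review bot: The new comment above `html.WithUnsafe()` in the second markdown.go hunk (`@@ -33,7 +36,8 @@`) describes the option as preserving raw HTML only, but goldmark's unsafe mode also stops filtering potentially dangerous link destinations such as `javascript:` URLs. The documented trust model is therefore narrower than what the renderer actually permits. I would word it as `// Trusted inbox: raw HTML and unfiltered link URLs are rendered as written (see package comment).` and make the same addition to the package comment in the processor.go hunk, which likewise lists only raw HTML and GFM features. The body of processMd continues outside the hunk, so whether the rendered output is filtered afterwards is not visible here.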
@@ -2,6 +2,13 @@
 // each one into a self-contained post directory under outdir/posts/.
 // Supported formats: .txt, .md, .png, .jpg, .jpeg, .gif, .mp3.
 // Each processed source file is deleted from the input directory afterward.
+//
+// Markdown trust boundary: .md files are expected only from a trusted personal
+// inbox (the operator’s own email or equivalent). Goldmark is configured with
+// html.WithUnsafe so raw HTML and GFM features in those files pass through to
+// post HTML intentionally. This is not a multi-tenant or public-submission
+// pipeline; do not point an untrusted drop folder at the same input directory
+// without replacing that rendering path with sanitization or a stricter parser.
 package processor
 import ( |
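Review bot: The package comment makes the safety of the unsafe renderer depend on the input directory receiving files only from the operator, but it names email as the source without saying who is responsible for authenticating the sender. Nothing in the lines shown enforces the assumption. If the directory is filled by a mail fetcher (not part of this diff), the trust boundary effectively sits at that fetcher. I would add a sentence such as `// The component that fills the input directory must verify that a message comes from the operator before writing a .md file there.` As a follow-up, making unsafe rendering an explicit option that defaults to off would turn the documented boundary into an enforced one.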
