Motivate extensions to upgrade to MarkdownString #33577
Comments
Extensions that are known to use command-links and that need updating during the September timeframe:
|
```
// trusted
new MarkdownString('[My Cool Feature](command:myTrustedContents)', true)
```
The
```
// trusted
const md = new MarkdownString('[My Cool Feature](command:myTrustedContents)');
md.isTrusted = true;
```
? |
TypeScript does not recognize MarkdownString, either as a stand-alone constant or inside the vscode namespace.
I'm using vscode module 1.1.5 and engine 1.5.0. I fetched vscode.d.ts from https://raw.githubusercontent.com/Microsoft/vscode/4fc690be310dd02e0ab6529c0b9bf348a8b26a19/src/vs/vscode.d.ts. Is there something I'm missing? |
Good catch @ArtemGovorov - me thinking about new ideas that aren't implemented yet... Yeah, today we only have the property. I'll update the samples... |
@castwide We will ship the 1.16 release today, then you can get the latest API by setting the |
|
It has it. The |
I was looking for an example to replace the language-highlighted version, but found that VS Code's own extensions still use Are you saying this would be replaced with something like |
Almost, newline character after |
Hi all, Kite's maintainer here, I didn't notice that issue until recently and I just wanted to let you know that our next release will include the change to use |
@jrieken Thanks for clarifying. You're right, it is a bit verbose. What do you think about adding a new method to |
Yeah, we can do that. Actually, internally we have it already and I just didn't know what all to expose in the API... |
Sounds great! Actually, after thinking about it a bit more, perhaps it should just be |
done |
@jrieken Wow, that was fast! A bit nit picky, but since "code block" is generally written as two words, shouldn't the |
Yeah, did that on purpose because it somehow felt better... |
I think this issue can now be closed - LMK if that was the wrong call. Sean |
We will disable command-links in the (deprecated) `MarkedString` and extensions should use the new `MarkdownString` for command-links.
Background
When using markdown-formatted content, VS Code supports "links" that invoke a command, like so: `[Hello](command:myExt.myCommand)`. This is a powerful feature but has a security concern: With a carefully crafted document and an extension that creates a markdown-string from that content, users can be tricked into clicking on what appears to be a link but actually executes a command. Consider the following sample:
To tackle this, we ask extensions to identify their markdown contents as trusted or not. E.g. TypeScript will say it doesn't trust markdown contents because it doesn't generate it, it just forwards. Other extensions, esp. those that generate command-links on purpose, will mark their contents as trusted. To support that we have introduced a new type, `MarkdownString`. The `MarkdownString` can be used wherever the `MarkedString` can be used and when constructing it, you can say if you trust the contents, e.g.
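The trust rule described in this issue, as an added TypeScript sketch that is not part of the original issue and not VS Code's own renderer code. `MarkdownLike`, `classifyLinks` and `blockedCommands` are hypothetical names, the inputs are constructed, and the model assumes command-links stay inert unless `isTrusted` is explicitly `true`.

```typescript
// Simplified model of the trust rule; not VS Code's renderer.
interface MarkdownLike {
  value: string;        // markdown source
  isTrusted?: boolean;  // mirrors MarkdownString.isTrusted; absent = untrusted
}

interface LinkDecision {
  label: string;
  target: string;
  isCommand: boolean;
  active: boolean;      // would a click be allowed to run anything?
}

function classifyLinks(md: MarkdownLike): LinkDecision[] {
  // Inline links only: [label](target "optional title").
  // Reference-style links and nested brackets are out of scope here.
  const re = /\[([^\]]*)\]\(([^)\s]+)[^)]*\)/g;
  const out: LinkDecision[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(md.value)) !== null) {
    const label: string = m[1] || "";
    const target: string = m[2] || "";
    const isCommand = /^command:/i.test(target);
    // Ordinary links are always active; command-links need explicit trust.
    out.push({ label, target, isCommand, active: !isCommand || md.isTrusted === true });
  }
  return out;
}

// Command-links that would be left inert because the content is untrusted.
function blockedCommands(md: MarkdownLike): string[] {
  return classifyLinks(md).filter(d => d.isCommand && !d.active).map(d => d.target);
}

// Constructed input: content an extension merely forwards (no isTrusted set).
const forwarded: MarkdownLike = {
  value: "Docs: [Hello](command:myExt.myCommand), [site](https://example.com)",
};
// Constructed input: content an extension generated itself and marks trusted.
const generated: MarkdownLike = {
  value: "[My Cool Feature](command:myTrustedContents)",
  isTrusted: true,
};

console.log(blockedCommands(forwarded));
console.log(blockedCommands(generated));
```

An extension that only forwards content can run the same classification over what it receives to see which links would be affected before deciding whether anything should ever be marked trusted.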