Allow rich content in Mermaid diagrams #5771
As discussed at [1], being a static site generator affords MkDocs a higher trust in the source content. If content creators would like to embed HTML/scripts in their diagram, we can allow that. [1]: squidfunk#3812
Thanks for the PR. I'm not sure it's a good idea to enable this for everyone. Please provide some more explanations about the implications and why you think that it's okay to do this. Also, the link is broken.
The link isn't broken; GitHub's default markdown representation of the commit message is broken. Refer to the commit itself for the link for now, if you would. I'll update the commit message with these details once it's settled, but I've got a need to have an ordered list with links in a flowchart like so:
Without the security level changes from the linked discussion, the
Thanks. However, we're still missing the following information as asked in my last comment:
From mermaid's docs (emphasis mine):
If I understand correctly, the risks incurred involve using a built site as a vector for JavaScript-based attacks against the client (unless we go with This could realistically come up with untrusted developers in very large teams in a central repository all contributing to a site building untrusted code with Since it doesn't appear that any new attack vectors are opened (at least with my current understanding of how mkdocs-material is used in the wild, which you are certainly a better judge of), the benefits of being able to have rich content in diagrams would seem to outweigh the (lack of) risk.
Is there any more info you need from me here or is this just waiting for time to review? Just want to make sure you're not waiting for me 🙂
We're waiting for feedback from other users, and we're currently very busy restructuring our docs and getting 9.2 into a stable state. Please give us some more time.
Absolutely understand; not looking to add pressure :-) I know what it's like being a maintainer for a popular project. I'll check back in two weeks' time.
Checking back as promised :-)
9.2 is still not released (still in beta) and we're busy with the refactoring to allow for better inter-op of the blog plugin with other plugins. We can talk about this once 9.2 is released and the dust settled (i.e. the first wave of issues has been resolved).
Sounds good. I'll check back after 9.2 is released + whatever 'dust settling time' you think is likely – defaulting to another two weeks. Re any 'dust settling time' estimate you can provide: not looking for anything even resembling a commitment/promise/etc. – I just don't want to clutter your notifications unnecessarily / prematurely 😃 Thanks for your work in maintaining this toolchain.
You don't need to check back regularly. We'll tackle this PR once we find the time, you'll get notified when we do 😉
I think Mermaid's
I would agree with @sisp here, it might make sense to add it as a config option. It would also follow mermaid's recommendation:
There are lots of different ways MkDocs pages are deployed sometimes, including various integrations and multirepo plugins pulling in other sources, plugins and configuration, so IMO should be up to the user to decide this.
Thanks to both of you for your input. We're currently not considering making it configurable via As a workaround, the mkdocs-mermaid2-plugin might allow this already.
Thanks for the reference! Yes, that plugin does support what I need: https://mkdocs-mermaid2.readthedocs.io/en/latest/tips/#setting-the-security-level-to-loose
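A pre-build check for the scenario raised in this thread (many contributors writing diagrams in one docs repository), as an added example that is not part of this PR or of Material for MkDocs: it lists the lines inside Mermaid fences whose rendering depends on the security level, so a reviewer can see them before a site is built with the `loose` setting. The function name, rule names and sample page are constructed for illustration, and the patterns are heuristics.

```python
import re

# Heuristic rules for Mermaid constructs whose effect depends on the configured
# security level: HTML in labels and click bindings (rule names are constructed).
CHECKS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("click-binding", re.compile(r"^\s*click\s+\S+", re.IGNORECASE)),
    ("javascript-url", re.compile(r"javascript\s*:", re.IGNORECASE)),
]
FENCE = re.compile(r"^\s*(`{3,}|~{3,})\s*(\w*)")


def audit_mermaid(markdown):
    """Return (line_no, rule, text) for flagged lines inside mermaid fences."""
    findings, fence, in_mermaid = [], None, False
    for no, line in enumerate(markdown.splitlines(), 1):
        m = FENCE.match(line)
        if m and fence is None:  # opening fence: remember marker and language
            fence, in_mermaid = m.group(1), m.group(2).lower() == "mermaid"
            continue
        if m and m.group(1).startswith(fence) and not m.group(2):  # closing fence
            fence, in_mermaid = None, False
            continue
        if in_mermaid:
            findings += [(no, rule, line.strip())
                         for rule, pat in CHECKS if pat.search(line)]
    return findings


F = "`" * 3  # fence marker built at run time
# Constructed sample page: one diagram with a linked ordered list, one code block.
SAMPLE = "\n".join([
    "# Build pipeline",
    F + "mermaid",
    "flowchart LR",
    "  A[\"<ol><li><a href='https://example.com/a'>Step A</a></li></ol>\"] --> B[Deploy]",
    '  click B href "https://example.com/deploy"',
    F,
    F + "python",
    'print("<b>not a diagram</b>")',
    F,
])

if __name__ == "__main__":
    for no, rule, text in audit_mermaid(SAMPLE):
        print(f"line {no}: {rule}: {text}")
```

Run over the Markdown sources in CI, a non-empty result can be used to require an extra review of the flagged diagrams.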