Stream: contributing

Topic: inline styles in tutorial tables


view this post on Zulip Richard Feldman (Mar 11 2023 at 21:46):

I see some <th style="text-align: center">s in our /tutorial, also in some <td>s. This is a problem because our content-security policy on the website prohibits inline styles, so if you open the browser inspector on https://www.roc-lang.org/builtins/List right now, there are 30 errors for content-security violations (and also those inline styles are being ignored)

view this post on Zulip Richard Feldman (Mar 11 2023 at 21:47):

I don't see any instances of text-align in our source code outside .css files (where it's fine), so this is presumably coming from a third-party library (e.g. one that generates tables from markdown possibly?)

view this post on Zulip Richard Feldman (Mar 11 2023 at 21:47):

does anyone know where that might be happening?

view this post on Zulip Fabian Schmalzried (Mar 11 2023 at 22:38):

It' gfm tables: https://github.github.com/gfm/#tables-extension-
And how it is implemented in pulldown-cmark: https://github.com/raphlinus/pulldown-cmark/blob/5c7881c45c1b9cb35e8c9417f09521f7a517b8cf/src/html.rs#L197

Quick fix would be to remove the : in the markdown table delimiter rows.

view this post on Zulip Richard Feldman (Mar 11 2023 at 22:43):

oh nice! Want to open a PR for that? :smiley:

view this post on Zulip Fabian Hoffmann (Mar 11 2023 at 23:07):

(deleted)

view this post on Zulip Fabian Schmalzried (Mar 11 2023 at 23:10):

I can probably do it on Monday. Or someone else is faster.

view this post on Zulip Richard Feldman (Mar 12 2023 at 00:13):

awesome, thank you for taking it on! :heart:

view this post on Zulip Luke Boswell (Mar 12 2023 at 01:48):

I can do it later this arvo. I'll add it to the fix for colors and some other updates I have queued for tutorial.

view this post on Zulip Luke Boswell (Mar 12 2023 at 06:13):

Here is the PR #5123 which should fix it. I can see the styles are removed, but not sure how to see if it still has security violations.

view this post on Zulip Richard Feldman (Mar 12 2023 at 10:31):

yeah it's tricky unfortunately - you have to set up a whole local server with that same content security policy


Last updated: Jul 05 2025 at 12:14 UTC