Description
Our current set of CSP rules doesn't allow pasting image sources as external URLs into a markdown file. This feels like a bug and we should improve it. At the same time we don't want to open an attack vector for XSS attacks, tracking, etc. via malicious images.
User Stories
- As a user writing markdown files, I want to paste external image URLs and have a rendered preview so that I don't need to bloat the file size of my markdown file.
- As an admin I want to protect my users from XSS attacks and tracking via external image URLs so that I sleep well.
Value
External images in markdown files.
Acceptance Criteria
- Pasting a URL to an external image source leads to the image being rendered in the web ui
- Downloading the markdown file doesn't break the image rendering in a locally installed editor/viewer
- Uploading a markdown file with external image sources leads to the images being rendered in the web ui
- The thumbnailer accepts external image URLs as input
- The image is served via an internal (own) URL
- The output is XSS-safe, i.e. sanitized and free of malicious code
Note: a CSP rule of img-src * would make all of this possible but is considered dangerous, so we need another solution.
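One way to meet the acceptance criteria above without img-src *, written here as an added example in Go (not OpenCloud's own code): at render time, external image references in the markdown are rewritten to an internal proxy route, and the proxy fetches the image server-side, accepts only http(s) sources, refuses literal private addresses and redirects to them, and serves only responses whose declared and sniffed type is a non-SVG image. The route /api/v0/image-proxy, the ImageProxy type, the size limit and the sample markdown are assumptions; the thumbnailer integration is not shown.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// Hypothetical internal route; the real OpenCloud route is not named on the page.
const proxyPath = "/api/v0/image-proxy"

var mdImage = regexp.MustCompile(`!\[([^\]]*)\]\((https?://[^)\s]+)\)`)

// rewriteExternalImages points external image references at the proxy route. Apply it
// to the rendered preview only; the stored file keeps the original URLs for local viewers.
func rewriteExternalImages(md string) string {
	return mdImage.ReplaceAllStringFunc(md, func(m string) string {
		parts := mdImage.FindStringSubmatch(m)
		return fmt.Sprintf("![%s](%s?url=%s)", parts[1], proxyPath, url.QueryEscape(parts[2]))
	})
}

// validateImageURL accepts absolute http(s) URLs only and refuses literal loopback,
// link-local, private or unspecified addresses, so the proxy cannot reach internal services.
func validateImageURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return nil, errors.New("image source must be an absolute http(s) URL")
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil &&
		(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()) {
		return nil, errors.New("image source points at a non-public address")
	}
	return u, nil
}

// rejectUnsafeRedirect re-validates every redirect target and caps the chain, so an
// upstream redirect cannot lead the server-side fetch to an internal address.
func rejectUnsafeRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 {
		return errors.New("too many redirects")
	}
	_, err := validateImageURL(req.URL.String())
	return err
}

// ImageProxy fetches a validated external image server-side and serves it from the
// application's own origin; the upstream host never sees the user's browser or cookies.
type ImageProxy struct {
	Client   *http.Client
	MaxBytes int64
}

// fetch enforces the content rules: a 200 response declaring an image type other than
// SVG (which can carry scripts), whose bytes also sniff as an image, within MaxBytes.
func (p *ImageProxy) fetch(u *url.URL) (string, []byte, error) {
	resp, err := p.Client.Get(u.String())
	if err != nil {
		return "", nil, err
	}
	defer resp.Body.Close()
	declared := strings.ToLower(strings.TrimSpace(strings.Split(resp.Header.Get("Content-Type"), ";")[0]))
	if resp.StatusCode != http.StatusOK || !strings.HasPrefix(declared, "image/") || declared == "image/svg+xml" {
		return "", nil, fmt.Errorf("upstream returned %d %q", resp.StatusCode, declared)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, p.MaxBytes+1))
	if err != nil || int64(len(body)) > p.MaxBytes || !strings.HasPrefix(http.DetectContentType(body), "image/") {
		return "", nil, errors.New("body unreadable, too large or not an image")
	}
	return declared, body, nil
}

// ServeHTTP answers GET <proxyPath>?url=<external image URL> with the image bytes.
func (p *ImageProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	u, err := validateImageURL(r.URL.Query().Get("url"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusForbidden)
		return
	}
	ct, body, err := p.fetch(u)
	if err != nil {
		http.Error(w, "image not available", http.StatusBadGateway)
		return
	}
	w.Header().Set("Content-Type", ct)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(body)
}

func main() {
	client := &http.Client{Timeout: 10 * time.Second, CheckRedirect: rejectUnsafeRedirect}
	http.Handle(proxyPath, &ImageProxy{Client: client, MaxBytes: 10 << 20})
	panic(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

With every external image served from the application's own origin, the page's CSP can stay at img-src 'self' instead of img-src *. The literal-IP check does not cover hostnames such as localhost or names that resolve to internal addresses, so a production version should additionally validate the resolved addresses at connect time (DNS rebinding); caching of proxied images is also left out here.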
Definition of ready
- Everybody needs to understand the value written in the user story
- Acceptance criteria have to be defined
- All dependencies of the user story need to be identified
- Feature should be seen from an end user perspective
- Story has to be estimated
- Story points need to be less than 20
Definition of done
- Functional requirements
  - Functionality described in the user story works
  - Acceptance criteria are fulfilled
- Quality
  - Code review happened
  - CI is green (that includes new and existing automated tests)
  - Critical code received unit tests by the developer
- Non-functional requirements
  - No SonarCloud issues
- Configuration changes
  - The next branch of the OpenCloud charts is compatible
Status: Backlog