Allow customizing html escape when export note

[ZeroX-DG]

When exporting note to html they are escaped before export, if user doesn't want to escape it (#1893) Then they can customize it in export tab in setting.

[ehhc]

Did you try to export a note containing an attachment without the escaped html? I've not tried it but i would guess it is not working anymore because my attachment management code is not able to figure out which links are attachment links.
Could you try it?

[ZeroX-DG]

@ehhc Well, good news ! it's still works.

However, the old bug "image-not-show-when-drop" occurred again (#1822). And of course the image displayed again when I toggle the mode.

[ehhc]

@ZeroX-DG to be honest, with my refactoring i broke your fix again..
i also opened a PR for it but it was closed "since it is already fixed".. -.-

You could simply insert another key then the preview should work as expected .. :)

i will include a fix for that again :)

[ehhc]

conserning your fix. I would vote against giving the option to disable the html escaping since it is a very very important security feature.
Btw: the problem of #1893 is not that the html get escaped but that it is down in a wrong way.

input:
"}, "2":{"

expected:
<pre><code>&quot;}, &quot;2&quot;:{&quot; </code></pre>

acutal:
<pre><code>&amp;quot;}, &amp;quot;2&amp;quot;:{&amp;quot;</code></pre>

as you see the problem is that the & is wrongly escaped as well.. that's the problem.. not the escaping itself

it think we escape the html two times instead of the needed one time.. but i don't know where we do that at the moment..

[ZeroX-DG]

@ehhc Oh, I see the problem there! thank you. Hmm...I also think that allow unescaped html is pretty dangerous, but I want to keep the option there to increase the "customizability" of boostnote, beside, the html is escaped by default, if the user choose to turn that feature of, he/she probably knows what he/she is doing (I hope so 😄 ). Anyway, I'll try to investigate the "double-escaped-html" issue and submit a fix right here.

[ehhc]

Even though i understand your argument about customization, i think giving users the possibility to do potential harmful things seems not to be a good idea in my opinion..

[ZeroX-DG]

@ehhc I fixed the double escaped html. We gonna need to vote whether the option should be there or not 😄 @kazup01 What do you think?

[ehhc]

and i think we should ask @Rokt33r as well

[nlopin]

Have you tested the speed between the current and new version of the function?

From my point of view, 6 replaces is the slower solution than previous. Instead of searching the whole text (which can be big) only once it is done 6 times in a row.

[ZeroX-DG]

Yes, I've noticed that and discovered that your version seem to work fine and not the source of the problem as when I revert to your version and change the escape for the & char to '&ampssssss;' The html exported still use & which is quite wierd and I'll re-investigate the problem.

[ZeroX-DG]

@nlopin @Rokt33r @ehhc , The problem is more complicated than I thought.

• If we don't escape html -> markdown it will filter non-html tag which causing this problem: Tags not escape on exporting to .html #1728
• If we escape html -> tags will be escaped and can be render in html but if escaped strings is a part of a code block -> markdown it will escape everything in code block -> double escaped strings, which is this problem: Double quotes rendered as encoded string within MD frames in HTML exported notes #1893
  So, I have to make a new escape html function that can detect code block and skip all characters needed to be escape that located in the code block.

Sorry for the delay, I almost forgot about this PR 😄

[ZeroX-DG]

After reading the issue: #1728, I think the option for customizing whether the html should be escape or not is redundant so I won't add it into the code.

[Rokt33r]

@Rokt33r After merging, a sanitizing method for code fences must be replaced with this escape method for better performance. #2191
(this is a reminder for me)