Allow disabled checkbox inputs for markdown

Author: mjbvz

src/vs/base/browser/markdownRenderer.ts

@@ -424,6 +424,11 @@ function sanitizeRenderedMarkdown(
 	return domSanitize.sanitizeHtml(renderedMarkdown, sanitizerConfig);
 }
 
+export const allowedMarkdownHtmlTags = Object.freeze([
+	...domSanitize.basicMarkupHtmlTags,
+	'input', // Allow inputs for rendering checkboxes. Other types of inputs are removed and the inputs are always disabled
+]);
+
 export const allowedMarkdownHtmlAttributes = [
 	'align',
 	'autoplay',
@@ -483,7 +488,7 @@ function getSanitizerOptions(isTrusted: boolean | MarkdownStringTrustedOptions,
 		// HTML tags that can result from markdown are from reading https://spec.commonmark.org/0.29/
 		// HTML table tags that can result from markdown are from https://github.github.com/gfm/#tables-extension-
 		allowedTags: {
-			override: options.allowedTags?.override ?? domSanitize.basicMarkupHtmlTags
+			override: options.allowedTags?.override ?? allowedMarkdownHtmlTags
 		},
 		allowedAttributes: {
 			override: allowedMarkdownHtmlAttributes,

src/vs/workbench/contrib/chat/browser/chatMarkdownRenderer.ts

@@ -18,7 +18,7 @@ import { IOpenerService } from '../../../../platform/opener/common/opener.js';
 import product from '../../../../platform/product/common/product.js';
 import { REVEAL_IN_EXPLORER_COMMAND_ID } from '../../files/browser/fileConstants.js';
 
-export const allowedChatMarkdownHtmlTags = [
+export const allowedChatMarkdownHtmlTags = Object.freeze([
 	'b',
 	'blockquote',
 	'br',
@@ -53,7 +53,9 @@ export const allowedChatMarkdownHtmlTags = [
 	// Not in the official list, but used for codicons and other vscode markdown extensions
 	'span',
 	'div',
-];
+
+	'input', // Allowed for rendering checkboxes. Other types of inputs are removed and the inputs are always disabled
+]);
 
 /**
  * This wraps the MarkdownRenderer and applies sanitizer options needed for Chat.