docs

lovasoa · lovasoa · commit 8821567251a3 · 2025-02-25T18:38:37.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # CHANGELOG.md
 
+## 0.34.0 (unreleased)
+
+- New configuration options:
+  - `markdown_allow_dangerous_html`: allow the usage of html in markdown (default: false)
+  - `markdown_allow_dangerous_protocol`: allow the usage of custom protocols in markdown (default: false)
+  - see [configuration.md](./configuration.md) for more details.
+
 ## 0.33.1 (2025-02-25)
 
 - Fix a bug where the table component would not format numbers if sorting was not enabled.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "sqlpage"
-version = "0.33.1"
+version = "0.34.0"
 edition = "2021"
 description = "Build data user interfaces entirely in SQL. A web server that takes .sql files and formats the query result using pre-made configurable professional-looking components."
 keywords = ["web", "sql", "framework"]
diff --git a/configuration.md b/configuration.md
@@ -34,8 +34,8 @@ Here are the available configuration options and their default values:
 | `content_security_policy`                     | `script-src 'self' 'nonce-XXX` | The [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to set in the HTTP headers. If you get CSP errors in the browser console, you can set this to the empty string to disable CSP. |
 | `system_root_ca_certificates`                 | false                                                      | Whether to use the system root CA certificates to validate SSL certificates when making http requests with `sqlpage.fetch`. If set to false, SQLPage will use its own set of root CA certificates. If the `SSL_CERT_FILE` or `SSL_CERT_DIR` environment variables are set, they will be used instead of the system root CA certificates. |
 | `max_recursion_depth`                         | 10                                                           | Maximum depth of recursion allowed in the `run_sql` function. Maximum value is 255. |
-| `markdown_allow_dangerous_html`               | false                                                        | Whether to allow raw HTML in markdown content. When disabled, HTML tags will be escaped. |
-| `markdown_allow_dangerous_protocol`           | false                                                        | Whether to allow dangerous protocols (like javascript:) in markdown links. When disabled, only safe protocols are allowed. |
+| `markdown_allow_dangerous_html`               | false                                                        | Whether to allow raw HTML in markdown content. Only enable this if the markdown content is fully trusted (not user generated). |
+| `markdown_allow_dangerous_protocol`           | false                                                        | Whether to allow dangerous protocols (like javascript:) in markdown links. Only enable this if the markdown content is fully trusted (not user generated). |
 
 Multiple configuration file formats are supported:
 you can use a [`.json5`](https://json5.org/) file, a [`.toml`](https://toml.io/) file, or a [`.yaml`](https://en.wikipedia.org/wiki/YAML#Syntax) file.
