From 1a145fd1366772f8e161d0194588d0d919d721fe Mon Sep 17 00:00:00 2001 
From: Shawn Yuan <128874481+shuaiyuanxx@users.noreply.github.com> Date: Mon, 29 Dec 2025 14:23:16 +0800 Subject: [PATCH] Fix peek issue (#44456) ## Summary of the Pull Request This pull request focuses on improving the security and behavior of Markdown file previews. The main changes include disabling HTML rendering in Markdown to prevent potential security issues, and ensuring that the `IsDevFilePreview` flag is set correctly when previewing Markdown files. **Markdown rendering and preview behavior:** * Disabled HTML rendering in the Markdown pipeline by adding `.DisableHtml()` in `MarkdownHelper.MarkdownHtml`, which helps prevent XSS and other security issues in file previews. * Explicitly set `IsDevFilePreview` to `false` when handling Markdown files in `WebBrowserPreviewer`, ensuring correct preview state. ## PR Checklist - [ ] Closes: #xxx - [ ] **Communication:** I've discussed this with core contributors already. If the work hasn't been agreed, this work might be rejected - [ ] **Tests:** Added/updated and all pass - [ ] **Localization:** All end-user-facing strings can be localized - [ ] **Dev docs:** Added/updated - [ ] **New binaries:** Added on the required places - [ ] [JSON for signing](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ESRPSigning_core.json) for new binaries - [ ] [WXS for installer](https://github.com/microsoft/PowerToys/blob/main/installer/PowerToysSetup/Product.wxs) for new binaries and localization folder - [ ] [YML for CI pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/ci/templates/build-powertoys-steps.yml) for new test projects - [ ] [YML for signed pipeline](https://github.com/microsoft/PowerToys/blob/main/.pipelines/release.yml) - [ ] **Documentation updated:** If checked, please file a pull request on [our docs repo](https://github.com/MicrosoftDocs/windows-uwp/tree/docs/hub/powertoys) and link it here: #xxx ## Detailed Description of the Pull Request / Additional comments ## Validation Steps 
Performed
---
 src/common/FilePreviewCommon/MarkdownHelper.cs | 2 +-
 .../Previewers/WebBrowserPreviewer/WebBrowserPreviewer.cs | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/common/FilePreviewCommon/MarkdownHelper.cs b/src/common/FilePreviewCommon/MarkdownHelper.cs
index 2003df3340..6573b8b5ef 100644
--- a/src/common/FilePreviewCommon/MarkdownHelper.cs
+++ b/src/common/FilePreviewCommon/MarkdownHelper.cs
@@ -39,7 +39,7 @@ namespace Microsoft.PowerToys.FilePreviewCommon
 var softlineBreak = new Markdig.Extensions.Hardlines.SoftlineBreakAsHardlineExtension();
 MarkdownPipelineBuilder pipelineBuilder;
- pipelineBuilder = new MarkdownPipelineBuilder().UseAdvancedExtensions().UseEmojiAndSmiley().UseYamlFrontMatter().UseMathematics();
+ pipelineBuilder = new MarkdownPipelineBuilder().UseAdvancedExtensions().UseEmojiAndSmiley().UseYamlFrontMatter().UseMathematics().DisableHtml();
 pipelineBuilder.Extensions.Add(extension);
 pipelineBuilder.Extensions.Add(softlineBreak);
diff --git a/src/modules/peek/Peek.FilePreviewer/Previewers/WebBrowserPreviewer/WebBrowserPreviewer.cs b/src/modules/peek/Peek.FilePreviewer/Previewers/WebBrowserPreviewer/WebBrowserPreviewer.cs
index 4d4cf315b4..bd9fb24cb3 100644
--- a/src/modules/peek/Peek.FilePreviewer/Previewers/WebBrowserPreviewer/WebBrowserPreviewer.cs
+++ b/src/modules/peek/Peek.FilePreviewer/Previewers/WebBrowserPreviewer/WebBrowserPreviewer.cs
@@ -130,6 +130,7 @@ namespace Peek.FilePreviewer.Previewers
 }
 else if (isMarkdown)
 {
+ IsDevFilePreview = false;
 var raw = await ReadHelper.Read(File.Path.ToString());
 Preview = new Uri(MarkdownHelper.PreviewTempFile(raw, File.Path, TempFolderPath.Path));
 }
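Review bot: The new `.DisableHtml()` call is followed in the same hunk by `pipelineBuilder.Extensions.Add(extension);`, and Markdig extensions are applied when the pipeline is built, so this hunk alone cannot confirm that the custom `extension` does not reintroduce HTML parsing; a unit test that runs a string containing a raw `<script>` tag through `MarkdownHtml` and asserts it comes back escaped would pin the intended contract, and the PR checklist shows no test was added. Link and image destinations are a separate channel from raw HTML and are not affected by `.DisableHtml()`; whether the renderer rejects unsafe URL schemes in those destinations is not visible here and deserves the same test. A short comment on the changed line would also record the reason for the call: `// Raw HTML is dropped from the pipeline so untrusted Markdown cannot inject markup into the preview.` The enclosing method starts and ends outside the hunk.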
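Review bot: `IsDevFilePreview = false;` is a bare state reset inside the Markdown branch with nothing explaining why it belongs there rather than once before the `if`/`else if` chain; the sibling branches are outside the hunk, so I cannot confirm which of them set the flag and could leave it stale for a later Markdown file. If the intent is to clear a value left over from a previous preview, resetting it at the top of the method (outside this hunk) would cover every branch instead of only this one. At minimum a comment such as `// Markdown is rendered to HTML by MarkdownHelper, so it must not be treated as a dev-file preview.` would record the reason for the next reader. The enclosing method starts and ends outside the hunk.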