Copilot AI commented Jan 13, 2026

  • Investigate lint error on CI
  • Add missing assert import to test file
  • Verify import ordering follows Biome configuration
Original prompt

This section details on the original issue you should resolve

<issue_title>Restore commonly-used semantic HTML tags lost in v7.0.10 refactoring</issue_title>
<issue_description>Environment

Host

| item | version |
| --- | --- |
| OS | Docker image |
| GROWI | 7.4.2 |
| node.js | 20.19.6 |
| npm | 10.8.2 |
| Using Docker | yes |
| Using growi-docker-compose | yes |

(Accessing https://{GROWI_HOST}/admin helps you to fill in above versions)

Client

| item | version |
| --- | --- |
| OS | Windows 11 |
| browser | Edge 143.0.3650.139 |

Description

Several commonly-used semantic HTML tags that were available in v6.3.5 are missing from the recommended XSS whitelist in v7.0.10+. This affects users who rely on the "Recommended Settings" option in the Markdown Settings.

How to reproduce (reproduction steps)

  1. Go to Admin > Markdown Settings > XSS Settings
  2. Select "Recommended Settings" (おすすめ設定)
  3. Create a page with the following HTML tags:
    ```html
    <mark>highlighted text</mark>
    <small>small text</small>
    <abbr title="HyperText Markup Language">HTML</abbr>
    <cite>Citation example</cite>
    <figure>
      <img src="example.png" alt="Example">
      <figcaption>Figure caption</figcaption>
    </figure>
    <table>
      <caption>Table caption</caption>
      <tr><td>Data</td></tr>
    </table>
    <time datetime="2024-01-01">January 1, 2024</time>
    ```
  4. Preview or save the page

What happens (symptoms)

  • The above tags are not rendered with proper styling
  • They are replaced with <p> tags or stripped out
  • Users cannot use these standard HTML elements even though they were available in v6.3.5

What is the expected result (expected behavior)

These tags should be included in the recommended whitelist because:

  • They are standard HTML5 semantic elements
  • They have no security risks (no script execution capabilities)
  • They were available in v6.3.5 and users expect them to work
  • They are commonly used in wiki/documentation platforms

Missing tags comparison

Tags lost in v7.0.10+

The following tags were available in v6.3.5 but are missing in v7.4.2:

| Tag | Purpose | Common Use Case |
| --- | --- | --- |
| <mark> | Text highlighting | Highlighting important text, search results |
| <small> | Small text | Fine print, disclaimers, side comments |
| <abbr> | Abbreviation | Marking abbreviations with tooltips |
| <cite> | Citation | Referencing sources |
| <figure> | Figure container | Wrapping images with captions |
| <figcaption> | Figure caption | Adding captions to figures |
| <caption> | Table caption | Adding captions to tables |
| <time> | Date/time | Semantic datetime markup |
| <dfn> | Definition | Defining terms |
| <bdo> | Bi-directional override | Text direction override |
| <wbr> | Word break opportunity | Suggesting line break positions |

Root cause

In commit 643e2f17b3 (2024-06-10), the whitelist was refactored from a custom tag list to using hast-util-sanitize's defaultSchema.tagNames.

Before (v6.3.5):

```js
// apps/app/src/services/xss/recommended-whitelist.js
const tags = [
  '-', 'a', 'abbr', 'b', /* ... */ 'mark', /* ... */ 'small', /* ... */
];
```

After (v7.0.10+):

```ts
// apps/app/src/services/renderer/recommended-whitelist.ts
export const tagNames: Array<string> = [
  ...defaultSchema.tagNames ?? [],  // Uses hast-util-sanitize defaults
  '-', 'bdi', 'button', 'col', /* ... */
];
```

The hast-util-sanitize library's default schema is intentionally minimal and doesn't include many semantic HTML tags - not because they're dangerous, but by design philosophy.

Proposed solution

Add the following commonly-used, safe semantic tags back to the custom tag list in apps/app/src/services/renderer/recommended-whitelist.ts:

```ts
export const tagNames: Array<string> = [
  ...defaultSchema.tagNames ?? [],
  '-',
  'abbr',      // abbreviation with tooltip
  'bdi',
  'button',
  'caption',   // table caption
  'cite',      // citation
  'col',
  'colgroup',
  'data',
  'figure',    // figure container
  'figcaption', // figure caption
  'iframe',
  'mark',      // text highlighting
  'rb',
  'small',     // small text
  'time',      // datetime
  'u',
  'video',
];
```

Tags NOT restored:

  • <dfn>, <bdo>, <wbr> - Less commonly used, can be added later if requested

I'd be happy to submit a PR if this approach is acceptable.</issue_description>

<agent_instructions>## Additional improvements to the proposed solution:

  1. Include all GitHub-allowed tags: Add dfn, bdo, and wbr (these are also...


- Add 11 semantic HTML tags: abbr, bdo, caption, cite, dfn, figure, figcaption, mark, small, time, wbr
- Add attribute restrictions for new tags (abbr: title, bdo: dir, dfn: title, time: datetime)
- Add comprehensive tests for all new tags and their attributes
- Sort tags alphabetically for better maintainability

Co-authored-by: yuki-takei <[email protected]>
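
The allowlist mechanics discussed in the issue and the commit message above (a tag list plus per-tag attribute restrictions), as an added example that is not GROWI's or hast-util-sanitize's code: a small stand-alone sanitizer over a hast-like tree, run once with a minimal tag list and once with the restored tags. `baseTags`, `sanitize`, `el`, `text`, `demo` and the sample tree are constructed for illustration, and the lowercase attribute names are a simplification.

```javascript
// Added example: minimal allowlist sanitizer over a hast-like tree.
// NOT hast-util-sanitize; only the { tagNames, attributes } idea is mirrored.

// Constructed stand-in for a minimal default list (not the library's real one).
const baseTags = ['p', 'a', 'b', 'img', 'table', 'tr', 'td'];
// The 11 tags named in the commit message.
const restored = ['abbr', 'bdo', 'caption', 'cite', 'dfn', 'figure',
  'figcaption', 'mark', 'small', 'time', 'wbr'];

const schema = {
  tagNames: [...baseTags, ...restored],
  // Per-tag attribute restrictions from the commit message.
  attributes: { abbr: ['title'], bdo: ['dir'], dfn: ['title'], time: ['datetime'] },
};

function sanitize(node, rules) {
  if (node.type === 'text') return [{ type: 'text', value: String(node.value) }];
  if (node.type !== 'element') return []; // comments, raw HTML, etc. are dropped
  const children = (node.children ?? []).flatMap((c) => sanitize(c, rules));
  // Unknown element: drop the wrapper, keep its already-sanitized children.
  if (!rules.tagNames.includes(node.tagName)) return children;
  const allowed = Object.hasOwn(rules.attributes, node.tagName)
    ? rules.attributes[node.tagName] : [];
  const properties = {};
  for (const [name, value] of Object.entries(node.properties ?? {})) {
    // Attributes not listed for this tag (onclick, style, ...) are dropped.
    if (allowed.includes(name)) properties[name] = String(value);
  }
  return [{ type: 'element', tagName: node.tagName, properties, children }];
}

const el = (tagName, properties, ...children) =>
  ({ type: 'element', tagName, properties, children });
const text = (value) => ({ type: 'text', value });

// Constructed sample input (hypothetical page content).
const sample = el('p', {},
  el('abbr', { title: 'HyperText Markup Language', onclick: 'handler()' }, text('HTML')),
  el('time', { datetime: '2024-01-01', style: 'position:fixed' }, text('January 1, 2024')),
  el('blink', {}, el('mark', {}, text('kept'))));

// Same input under the minimal list and under the extended schema.
function demo() {
  const before = sanitize(sample, { ...schema, tagNames: baseTags })[0];
  const after = sanitize(sample, schema)[0];
  return { before, after };
}
```

Under the minimal list the `abbr`, `time` and `mark` wrappers disappear and only their text survives; under the extended schema they are kept, but only with the attributes listed for each tag.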
Copilot AI changed the title [WIP] Restore commonly-used semantic HTML tags in settings Restore semantic HTML tags lost in v7.0.10 refactoring Jan 13, 2026
Copilot AI requested a review from yuki-takei January 13, 2026 05:58
@yuki-takei yuki-takei changed the title Restore semantic HTML tags lost in v7.0.10 refactoring imprv: Restore semantic HTML tags lost in v7.0.10 refactoring Jan 13, 2026
@yuki-takei

@copilot fix lint error on CI


Copilot AI commented Jan 13, 2026

> @copilot fix lint error on CI

Fixed in ce4c9b6. Added the missing assert import that was incorrectly removed during the refactoring.

@yuki-takei yuki-takei marked this pull request as ready for review January 13, 2026 07:27
@mergify mergify bot added the queued label Jan 13, 2026
mergify bot added a commit that referenced this pull request Jan 13, 2026
mergify bot commented Jan 13, 2026

Merge Queue Status

✅ The pull request has been merged at 487c52d

This pull request spent 12 minutes 10 seconds in the queue, including 11 minutes 59 seconds running CI.
The checks were run on draft #10711.

Required conditions to merge
  • -check-failure ~= ci-app-
  • -check-failure ~= ci-slackbot-
  • -check-failure ~= test-prod-node20 /
  • check-success = test-prod-node20 / build-prod
  • check-success ~= ci-app-launch-dev
  • check-success ~= ci-app-lint
  • check-success ~= ci-app-test
  • check-success ~= test-prod-node20 / launch-prod
  • check-success ~= test-prod-node20 / run-playwright

@mergify mergify bot merged commit 44e221b into master Jan 13, 2026
28 checks passed
@mergify mergify bot deleted the copilot/restore-semantic-html-tags branch January 13, 2026 07:47
@mergify mergify bot removed the queued label Jan 13, 2026