Fix the comments link and markdown rendering issue

[Rajat-Dabade]

Summary

The card with links in the comments was not opening inside the boards. Error when opening the card with a link on the hub in the console:

console.js:288 EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' cdn.rudderlabs.com".

focalboard_9ce1515f8964ad29_bundle.js:2 [1734085501.12] error boundary redirecting to plugins/focalboard/error?id=unknown

This is because of the Content-Security-Policy Policy in webapp. This policy restricts the use of unsafe javascript methods like new Functions(), which can be exploited in injection attacks.

Before we were using the board markdown renderer which was working fine, but due to Respect display name configuration PR the boards now use the Markdown renderer from the web app (Channels).

The current Markdown renderer includes a custom link rendering function:

renderer.link = (href, title, contents) => {
            return '<a ' +
                'target="_blank" ' +
                'rel="noreferrer" ' +
                `href="${encodeURI(decodeURI(href || ''))}" ` +
                `title="${title || ''}" ` +
                `onclick="${(window.openInNewBrowser ? ' openInNewBrowser && openInNewBrowser(event.target.href);' : '')}"` +
            '>' + contents + '</a>'
        }

the link function in the above custom Markdown renderer contributed to the unsafe-eval CSP error, specifically due to the inline onclick function. The onclick attribute in the rendered HTML attempts to execute JavaScript inline. CSP policies typically disallow inline scripts unless explicitly permitted using a CSP directive like 'unsafe-inline'.

Removing the onclick should fix this issue. Anyways target='_blank' will always open the link in a new tab.

Also, there was a markdown rendering issue in the comments inside the cards. This was also fixed in this PR.

Ticket Link

https://mattermost.atlassian.net/browse/MM-62243

Before:

After:

[hmhealey]

Great find! I'm amazed the original version of this worked before your last PR since the CSP header has been the same as far back as I can remember.

[hmhealey]

Have you double checked how Markdown tables render in cards? I see that the renderer returned by Utils.getMarkdownRenderer() also changes how those render as well

[harshilsharma63]

Can we add tests fro this?