JsonTableFilter needs to be rewritten carefully
`JsonTableFilter` is hard to reason about and not completely safe about its input. We should fix this.

### It's hard to understand

It took me a while to realise how the field/key inferring behaviour worked.

### Markdown in cells isn't escaped, so whatever you enter is treated verbatim as part of the put-together pipe-syntax table

````markdown
```json:table
{
    "fields" : [
        {"key": "a", "label": "A"},
        {"key": "b", "label": "B"}
    ],
    "items" : [
      {"a": "11 | The &quot;Invisible!&quot; text in the b cell will never be displayed.", "b": "**Invisible!**"},
      {"a": "Hi", "b": "ok"}
    ],
    "markdown" : true
}
```
````

> ![image](/uploads/2da96201184d63b9cf3f46a427a88adb/image.png){width=469 height=159}

You can enter a `\n` to immediately cut the table short, too.

### `data-table-fields` is passed through from user input all the way to the frontend

We write it out and permit it without any kind of extra sanitisation on the backend. This means a user can directly enter whatever they like here, too, with unpredictable side-effects.

### Fields don't support Markdown, except when they do

The docs say:

> You can use the markdown attribute to allow for GitLab Flavored Markdown in the items and caption, including GitLab references. Fields do not support Markdown.

But the field Markdown _is_ rendered on the backend! It's just replaced immediately by the frontend. This means the RTE processes it, and if you edit it, it'll get saved back out and rendered that way:

````markdown
```json:table
{
    "fields": [{ "key": "starts_at", "label": "Date <em>hello</em>", "sortable": true }],
    "items": [
        {"starts_at": "_2024-10-07_ :white_check_mark: 👍"}
    ],
    "markdown": true
}
```
````

| Preview | Rich-text editor |
| :-: | :-: |
| ![image](/uploads/7452d648f5a0a90ed5861d76c96fbdee/image.png){width=229 height=127} | ![image](/uploads/401d90d3abc1b3eb4202144b3c73eef7/image.png){width=180 height=126} |
issue
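An added example, not GitLab's code and not part of the issue: one way to escape cell text before it is joined into a pipe-syntax table, so that a `|` or a line break inside an item cannot add a column or cut the table short. The names `escape_cell`, `build_table` and `unescaped_pipes` are hypothetical, and the payload is constructed from the one shown in the issue.

```ruby
require "json"

# Constructed sample input, modelled on the json:table payload in the issue.
SAMPLE = <<~'JSON'
  {
    "fields": [{"key": "a", "label": "A"}, {"key": "b", "label": "B"}],
    "items": [
      {"a": "11 | hidden", "b": "**Invisible!**"},
      {"a": "Hi\nthere", "b": "ok"}
    ],
    "markdown": true
  }
JSON

# A pipe preceded by an even number of backslashes is unescaped,
# so it would be read as a column delimiter.
UNESCAPED_PIPE = /(?<!\\)((?:\\\\)*)\|/

# Make one cell safe to place between pipes (hypothetical helper).
def escape_cell(value)
  value.to_s
       .gsub(/\r\n?|\n/, " ")               # a line break would end the row
       .gsub(UNESCAPED_PIPE) { "#{$1}\\|" } # a bare pipe would start a column
end

# Assemble the pipe-syntax table from the parsed payload, escaping
# labels and item values alike (hypothetical helper).
def build_table(json)
  data   = JSON.parse(json)
  fields = data.fetch("fields")
  header = fields.map { |f| escape_cell(f["label"] || f["key"]) }
  rows   = data.fetch("items").map do |item|
    fields.map { |f| escape_cell(item[f["key"]]) }
  end
  [header, header.map { "---" }, *rows]
    .map { |cells| "| #{cells.join(' | ')} |" }
    .join("\n")
end

# Number of delimiter pipes on a line; equal counts on every line mean
# no cell changed the table's shape.
def unescaped_pipes(line)
  line.scan(UNESCAPED_PIPE).size
end

puts build_table(SAMPLE) if $PROGRAM_NAME == __FILE__
```

Pipes that the user already escaped are left alone, so Markdown inside a cell is otherwise passed through unchanged when `"markdown": true` is set.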