From eb94f5381dd15eb6316ded72dae7c3aa32b9d93d Mon Sep 17 00:00:00 2001
From: Menci
Date: Sat, 15 Apr 2017 21:46:04 +0800
Subject: [PATCH] Add XSS for markdown-html rendering

---
 package.json | 3 ++-
 utility.js   | 10 +++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/package.json b/package.json
index 4ba22ba..66d4dae 100644
--- a/package.json
+++ b/package.json
@@ -45,6 +45,7 @@
     "session-file-store": "^1.0.0",
     "sqlite3": "^3.1.4",
     "syzoj-divine": "^1.0.0",
-    "tmp-promise": "^1.0.3"
+    "tmp-promise": "^1.0.3",
+    "xssfilter": "^0.5.3"
   }
 }
diff --git a/utility.js b/utility.js
index b4dc8fd..4cdaf82 100644
--- a/utility.js
+++ b/utility.js
@@ -72,23 +72,27 @@ module.exports = {
     return path.resolve.apply(null, a);
   },
   markdown(obj, keys, noReplaceUI) {
+    let xssfilter = new (require('xssfilter'))();
+    let replaceXSS = s => {
+      return xssfilter.filter(s);
+    };
     let replaceUI = s => {
       if (noReplaceUI) return s;
       return s.split('
').join('
').split('
').join('
') .split('').join('
') .split('
').join('
').split('
').join(''); - } + }; return new Promise((resolve, reject) => { if (!keys) { if (!obj || !obj.trim()) resolve(""); else renderer(obj, s => { - resolve(replaceUI(s)); + resolve(replaceUI(replaceXSS(s))); }); } else { let res = obj, cnt = keys.length; for (let key of keys) { renderer(res[key], (s) => { - res[key] = replaceUI(s); + res[key] = replaceUI(replaceXSS(s)); if (!--cnt) resolve(res); }); }