
Add XSS for markdown-html rendering

Menci 8 years ago
parent
commit
eb94f5381d
  1. 3
      package.json
  2. 10
      utility.js

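--- a/package.json
+++ b/package.json
@@ -45,6 +45,7 @@
 "session-file-store": "^1.0.0",
 "sqlite3": "^3.1.4",
 "syzoj-divine": "^1.0.0",
-"tmp-promise": "^1.0.3"
+"tmp-promise": "^1.0.3",
+"xssfilter": "^0.5.3"
 }
 }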
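Review bot: `xssfilter` is added with a caret range `^0.5.3` and no lockfile change appears in this commit, so the exact filter code that ships is resolved at install time rather than reviewed here; since this package becomes the XSS boundary for rendered markdown, pin it exactly (`"xssfilter": "0.5.3"`) or commit a lockfile so a changed filter cannot arrive silently. For a 0.x version the caret only admits patch releases, so the exposure is limited, but a pin makes the reviewed behaviour reproducible.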

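--- a/utility.js
+++ b/utility.js
@@ -72,23 +72,27 @@ module.exports = {
 return path.resolve.apply(null, a);
 },
 markdown(obj, keys, noReplaceUI) {
+let xssfilter = new (require('xssfilter'))();
+let replaceXSS = s => {
+return xssfilter.filter(s);
+};
 let replaceUI = s => {
 if (noReplaceUI) return s;
 return s.split('<pre>').join('<div class="ui existing segment"><pre style="margin-top: 0; margin-bottom: 0; ">').split('</pre>').join('</pre></div>')
 .split('<table>').join('<table class="ui table">')
 .split('<blockquote>').join('<div class="ui message">').split('</blockquote>').join('</div>');
-}
+};
 return new Promise((resolve, reject) => {
 if (!keys) {
 if (!obj || !obj.trim()) resolve("");
 else renderer(obj, s => {
-resolve(replaceUI(s));
+resolve(replaceUI(replaceXSS(s)));
 });
 } else {
 let res = obj, cnt = keys.length;
 for (let key of keys) {
 renderer(res[key], (s) => {
-res[key] = replaceUI(s);
+res[key] = replaceUI(replaceXSS(s));
 if (!--cnt) resolve(res);
 });
 }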
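Review bot: The filter is constructed with `new (require('xssfilter'))()` and no options, so the sanitization policy is whatever the package's defaults happen to be and a reader of this file cannot tell which tags, attributes or URL schemes survive; the renderer output being filtered here is presumably user-submitted markdown, so that implicit policy is the XSS boundary. I would hoist the instance to module scope and make the policy explicit, `const xssfilter = new (require('xssfilter'))({ /* explicit options, reviewed */ });`, and put a comment above `replaceXSS` stating that it must run before `replaceUI` because `replaceUI` deliberately injects its own `<div>`/`style` markup that a sanitizer could otherwise alter. If this package is a regex tag blocklist rather than an allow-list HTML sanitizer (confirm against its source), it should be treated as defense in depth and the templates' output escaping kept in place as the second line. The `markdown` method continues past the end of this hunk: the `else` branch, the Promise callback and the method itself are closed outside it.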
