client/markdown: use DOMPurify over marked.js sanitizer

See markedjs/marked#1232
Shyam Sunder 2020-06-23 13:24:59 -04:00
parent 342ca9ccba
commit 0137cf383a
4 changed files with 10 additions and 4 deletions


@ -21,6 +21,7 @@ const webapp_splash_screens = [
]; ];
const external_js = [ const external_js = [
'dompurify',
'js-cookie', 'js-cookie',
'marked', 'marked',
'mousetrap', 'mousetrap',


@ -1,6 +1,7 @@
"use strict"; "use strict";
const marked = require("marked"); const marked = require("marked");
const DOMPurify = require("dompurify");
class BaseMarkdownWrapper { class BaseMarkdownWrapper {
preprocess(text) { preprocess(text) {
@ -158,7 +159,6 @@ function formatMarkdown(text) {
const options = { const options = {
renderer: renderer, renderer: renderer,
breaks: true, breaks: true,
sanitize: true,
smartypants: true, smartypants: true,
}; };
let wrappers = [ let wrappers = [
@ -179,7 +179,7 @@ function formatMarkdown(text) {
for (let wrapper of wrappers) { for (let wrapper of wrappers) {
text = wrapper.postprocess(text); text = wrapper.postprocess(text);
} }
return text; return DOMPurify.sanitize(text);
} }
function formatInlineMarkdown(text) { function formatInlineMarkdown(text) {
@ -187,7 +187,6 @@ function formatInlineMarkdown(text) {
const options = { const options = {
renderer: renderer, renderer: renderer,
breaks: true, breaks: true,
sanitize: true,
smartypants: true, smartypants: true,
}; };
let wrappers = [ let wrappers = [
@ -206,7 +205,7 @@ function formatInlineMarkdown(text) {
for (let wrapper of wrappers) { for (let wrapper of wrappers) {
text = wrapper.postprocess(text); text = wrapper.postprocess(text);
} }
return text; return DOMPurify.sanitize(text);
} }
module.exports = { module.exports = {
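Review bot: The two `DOMPurify.sanitize(text)` calls that replace `return text;` in formatMarkdown and formatInlineMarkdown run with DOMPurify's default configuration, so any attribute the custom `renderer` or a wrapper's postprocess emits that is outside the default allow-list (for instance `target` on links, if the renderer sets it — the renderer is not visible here) will be stripped silently; a single helper, `const sanitizeHtml = (html) => DOMPurify.sanitize(html, { USE_PROFILES: { html: true } });`, called from both return statements would keep the two output paths on one explicit configuration and give a deliberate place for any `ADD_ATTR` entries. Since the hunks also drop marked's `sanitize: true`, raw HTML in the input now reaches the renderer unescaped and the final pass is the only defence, so it must remain the last step after every wrapper's postprocess; a comment above each return, `// Must stay last: wrapper output is untrusted HTML until DOMPurify has run.`, would protect that ordering from a later refactor. Note too that `require("dompurify")` only yields a working sanitizer when a DOM `window` exists; outside the browser bundle (e.g. Node-side tests) `DOMPurify.isSupported` is false and, as far as I recall for this major version, `sanitize` is not provided, so such callers need a DOM such as jsdom or the call throws. The bodies of both functions start outside the visible hunks.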


@ -1740,6 +1740,11 @@
"integrity": "sha512-jnjyiM6eRyZl2H+W8Q/zLMA481hzi0eszAaBUzIVnmYVDBbnLxVNnfu1HgEBvCbL+71FrxMl3E6lpKH7Ge3OXA==", "integrity": "sha512-jnjyiM6eRyZl2H+W8Q/zLMA481hzi0eszAaBUzIVnmYVDBbnLxVNnfu1HgEBvCbL+71FrxMl3E6lpKH7Ge3OXA==",
"dev": true "dev": true
}, },
"dompurify": {
"version": "2.0.11",
"resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.0.11.tgz",
"integrity": "sha512-qVoGPjIW9IqxRij7klDQQ2j6nSe4UNWANBhZNLnsS7ScTtLb+3YdxkRY8brNTpkUiTtcXsCJO+jS0UCDfenLuA=="
},
"duplexer2": { "duplexer2": {
"version": "0.1.4", "version": "0.1.4",
"resolved": "https://registry.npmjs.org/duplexer2/-/duplexer2-0.1.4.tgz", "resolved": "https://registry.npmjs.org/duplexer2/-/duplexer2-0.1.4.tgz",


@ -6,6 +6,7 @@
"watch": "c1=\"\";while :;do c2=$(find html js css img -type f -and -not -iname '*autogen*'|sort|xargs cat|md5sum);[[ $c1 != $c2 ]]&&npm run build -- --debug --no-vendor-js;c1=$c2;sleep 1;done" "watch": "c1=\"\";while :;do c2=$(find html js css img -type f -and -not -iname '*autogen*'|sort|xargs cat|md5sum);[[ $c1 != $c2 ]]&&npm run build -- --debug --no-vendor-js;c1=$c2;sleep 1;done"
}, },
"dependencies": { "dependencies": {
"dompurify": "^2.0.11",
"font-awesome": "^4.7.0", "font-awesome": "^4.7.0",
"ios-inner-height": "^1.0.3", "ios-inner-height": "^1.0.3",
"js-cookie": "^2.2.0", "js-cookie": "^2.2.0",