sanitize markdown: meh no trivial xss

2015-03-30 23:17:58 +01:00 · 2015-03-30 23:17:58 +01:00 · 3becc60721
commit 3becc60721
parent 600206f50f
8 changed files with 31 additions and 11 deletions
--- a/db.js
+++ b/db.js
@ -1,10 +1,18 @@
 var FS = require('fs');
 var Path = require('path');
-var Markdown = require('markdown').markdown;
+var Markdown = require("marked");
 var knex = require("knex");

 var Bookshelf = require('bookshelf');

+
+Markdown.setOptions({
+  renderer: new Markdown.Renderer(),
+  gfm: true,
+  tables: true,
+  sanitize: true
+
+})
 // This function is used to map wiki page names to files
 // on the real filesystem.
 function pathFromName(name) {
@ -31,7 +39,7 @@ exports.loadPage = function (name, callback) {
    }

    // Parse and render the markdown.
-    var tree = Markdown.parse(markdown);
+    /*var tree = Markdown.parse(markdown);
    var title = name;
    for (var i = 1, l = tree.length; i < l; i++) {
      if (tree[i] && tree[i][0] === "header") {
@ -39,12 +47,12 @@ exports.loadPage = function (name, callback) {
        tree.splice(i, 1);
        break;
      }
-    }
-    var html = Markdown.toHTML(tree);
+    }*/
+    var html = Markdown(markdown);

    callback(null, {
      name: name,
-      title: title,
+      title: null,
      exists: exists,
      markdown: markdown,
      html: html,
--- a/package.json
+++ b/package.json
@ -12,6 +12,7 @@
    "jade": ">= 0.0.1",
    "knex": "^0.7.6",
    "markdown": "~0.3.1",
+    "marked": "^0.3.3",
    "passport-local": "^1.0.0",
    "trycatch": "~0.0.9"
  }
--- a/pages/home.markdown
+++ b/pages/home.markdown
@ -1,4 +1,6 @@
 ###Hello THSF
-this is a simple wiki :)
+this is a simple and stupid wiki :)

-![](http://stuffpoint.com/lol-cats/image/29077-lol-cats-magical-kitteh.png)
+![](http://stuffpoint.com/lol-cats/image/29077-lol-cats-magical-kitteh.png)
+
+<script> alert('loool'); </script>
--- a/pages/zoor.markdown
+++ b/pages/zoor.markdown
@ -0,0 +1,7 @@
+# zoor
+
+| Tables        | Are           | Cool  |
+| ------------- |:-------------:| -----:|
+| col 3 is      | right-aligned | $1600 |
+| col 2 is      | centered      |   $12 |
+| zebra stripes | are neat      |    $1 |
--- a/views/.layout.jade.swp
+++ b/views/.layout.jade.swp
--- a/views/edit.jade
+++ b/views/edit.jade
@ -1,4 +1,5 @@
+include ./layout.jade
 h1= title
 form(method="post", action="/" + name)
  textarea(name="markdown")= markdown
-  input(type="submit")
+  input(type="submit")
--- a/views/layout.jade
+++ b/views/layout.jade
@ -1,6 +1,6 @@
-!!!
+doctype html
 html
  head
    title= title
    link(rel='stylesheet', href='/stylesheets/style.css')
-  body!= body
+  body!= body
--- a/views/view.jade
+++ b/views/view.jade
@ -1,3 +1,4 @@
+include ./layout.jade
 h1= title
 .article!= html
-a(href="/" + name + "/edit")= "Edit this Page"
+a(href="/" + name + "/edit")= "Edit this Page"