sanitize markdown: meh no trivial xss

This commit is contained in:
ang-st 2015-03-30 23:17:58 +01:00
parent 600206f50f
commit 3becc60721
8 changed files with 31 additions and 11 deletions

db.js

@ -1,10 +1,18 @@
var FS = require('fs'); var FS = require('fs');
var Path = require('path'); var Path = require('path');
var Markdown = require('markdown').markdown; var Markdown = require("marked");
var knex = require("knex"); var knex = require("knex");
var Bookshelf = require('bookshelf'); var Bookshelf = require('bookshelf');
Markdown.setOptions({
renderer: new Markdown.Renderer(),
gfm: true,
tables: true,
sanitize: true
})
// This function is used to map wiki page names to files // This function is used to map wiki page names to files
// on the real filesystem. // on the real filesystem.
function pathFromName(name) { function pathFromName(name) {
@ -31,7 +39,7 @@ exports.loadPage = function (name, callback) {
} }
// Parse and render the markdown. // Parse and render the markdown.
var tree = Markdown.parse(markdown); /*var tree = Markdown.parse(markdown);
var title = name; var title = name;
for (var i = 1, l = tree.length; i < l; i++) { for (var i = 1, l = tree.length; i < l; i++) {
if (tree[i] && tree[i][0] === "header") { if (tree[i] && tree[i][0] === "header") {
@ -39,12 +47,12 @@ exports.loadPage = function (name, callback) {
tree.splice(i, 1); tree.splice(i, 1);
break; break;
} }
} }*/
var html = Markdown.toHTML(tree); var html = Markdown(markdown);
callback(null, { callback(null, {
name: name, name: name,
title: title, title: null,
exists: exists, exists: exists,
markdown: markdown, markdown: markdown,
html: html, html: html,
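Review bot: `sanitize: true` on marked 0.3.x only escapes raw HTML in the markdown source; the rendered string is still injected unescaped in show.jade (`.article!= html`), and the link/image href handling of that era is exactly where later marked releases fixed bypasses (entity-encoded `javascript:`, other URI schemes) before the project deprecated the `sanitize` option in favour of an external sanitizer, so the `^0.3.3` range plus this flag should not be treated as the XSS boundary. I would pass `html` through a whitelist-based HTML sanitizer before the callback and leave a why-comment at the `setOptions` call: `// sanitize:true only escapes raw HTML; hrefs and future parser bypasses still need a real HTML sanitizer before .article!=`. The title extraction is now commented out and `title: null` is returned, which renders as an empty `<title>`/`h1` in the views; either drop the dead block and document that title extraction is gone, or reimplement it on marked's lexer (`Markdown.lexer(markdown)` yields `heading` tokens) so the page keeps its title. `loadPage`'s body continues past the end of this hunk.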


@ -12,6 +12,7 @@
"jade": ">= 0.0.1", "jade": ">= 0.0.1",
"knex": "^0.7.6", "knex": "^0.7.6",
"markdown": "~0.3.1", "markdown": "~0.3.1",
"marked": "^0.3.3",
"passport-local": "^1.0.0", "passport-local": "^1.0.0",
"trycatch": "~0.0.9" "trycatch": "~0.0.9"
} }
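Review bot: `"markdown": "~0.3.1"` is still declared although db.js in this commit no longer requires it, so the dead dependency should be dropped in the same change rather than left to be installed and audited for nothing. Given that the sanitizer behaviour is the reason for switching parsers, pinning `"marked": "0.3.3"` (or committing a lockfile) would make the exact renderer under review reproducible; `^0.3.3` already admits any later 0.3.x.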


@ -1,4 +1,6 @@
###Hello THSF ###Hello THSF
this is a simple wiki :) this is a simple and stupid wiki :)
![](http://stuffpoint.com/lol-cats/image/29077-lol-cats-magical-kitteh.png) ![](http://stuffpoint.com/lol-cats/image/29077-lol-cats-magical-kitteh.png)
<script> alert('loool'); </script>

pages/zoor.markdown Normal file

@ -0,0 +1,7 @@
# zoor
| Tables | Are | Cool |
| ------------- |:-------------:| -----:|
| col 3 is | right-aligned | $1600 |
| col 2 is | centered | $12 |
| zebra stripes | are neat | $1 |

views/.layout.jade.swp Normal file



@ -1,4 +1,5 @@
include ./layout.jade
h1= title h1= title
form(method="post", action="/" + name) form(method="post", action="/" + name)
textarea(name="markdown")= markdown textarea(name="markdown")= markdown
input(type="submit") input(type="submit")
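Review bot: `include ./layout.jade` inlines the layout's whole `html`/`head`/`body` document (see layout.jade in this commit, including `body!= body`) ahead of the `h1` and form instead of wrapping them, so the output is a full document followed by stray elements, and `body` is presumably undefined in the included scope. The Jade mechanism for this is inheritance: change the first line to `extends ./layout.jade`, put the page content under `block content`, and replace `body!= body` in the layout with `body` + `block content`. If the old Express `layout` option was doing the wrapping before, that should be confirmed before switching.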


@ -1,6 +1,6 @@
!!! doctype html
html html
head head
title= title title= title
link(rel='stylesheet', href='/stylesheets/style.css') link(rel='stylesheet', href='/stylesheets/style.css')
body!= body body!= body


@ -1,3 +1,4 @@
include ./layout.jade
h1= title h1= title
.article!= html .article!= html
a(href="/" + name + "/edit")= "Edit this Page" a(href="/" + name + "/edit")= "Edit this Page"
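Review bot: `.article!= html` is the unescaped sink for the marked output, so this template now relies entirely on marked's `sanitize: true` in db.js for XSS safety; a reviewer reading only this file cannot see that, and the `<script>` probe added to the sample page in this commit only checks the trivial case. I would mark the sink explicitly, `//- html is sanitized in db.js (marked sanitize); keep != here only while that holds`, and, as with edit.jade, use `extends ./layout.jade` with a `block content` rather than `include`, which inlines the full layout document above the article.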