chore: fix XSS in renderer (#880)

7670c953 · boojack · GitHub · 65e9fdea · 7670c953 · 7670c953
Unverified Commit 7670c953 authored Dec 31, 2022 by boojack Committed by GitHub Dec 31, 2022
4 changed files
--- a/web/src/labs/marked/parser/Bold.ts
+++ b/web/src/labs/marked/parser/Bold.ts
 import { marked } from "..";
 import Link from "./Link";
+import PlainText from "./PlainText";

 export const BOLD_REG = /\*\*(.+?)\*\*/;

@@ -14,7 +15,7 @@ const renderer = (rawStr: string): string => {
    return rawStr;
  }

-  const parsedContent = marked(matchResult[1], [], [Link]);
+  const parsedContent = marked(matchResult[1], [], [Link, PlainText]);
  return `<strong>${parsedContent}</strong>`;
 };


--- a/web/src/labs/marked/parser/BoldEmphasis.ts
+++ b/web/src/labs/marked/parser/BoldEmphasis.ts
 import { marked } from "..";
 import Link from "./Link";
+import PlainText from "./PlainText";

 export const BOLD_EMPHASIS_REG = /\*\*\*(.+?)\*\*\*/;

@@ -14,7 +15,7 @@ const renderer = (rawStr: string): string => {
    return rawStr;
  }

-  const parsedContent = marked(matchResult[1], [], [Link]);
+  const parsedContent = marked(matchResult[1], [], [Link, PlainText]);
  return `<strong><em>${parsedContent}</em></strong>`;
 };


--- a/web/src/labs/marked/parser/Emphasis.ts
+++ b/web/src/labs/marked/parser/Emphasis.ts
 import { marked } from "..";
 import Link from "./Link";
+import PlainText from "./PlainText";

 export const EMPHASIS_REG = /\*(.+?)\*/;

@@ -14,7 +15,7 @@ const renderer = (rawStr: string): string => {
    return rawStr;
  }

-  const parsedContent = marked(matchResult[1], [], [Link]);
+  const parsedContent = marked(matchResult[1], [], [Link, PlainText]);
  return `<em>${parsedContent}</em>`;
 };


--- a/web/src/labs/marked/parser/Link.ts
+++ b/web/src/labs/marked/parser/Link.ts
@@ -4,6 +4,7 @@ import Bold from "./Bold";
 import { marked } from "..";
 import InlineCode from "./InlineCode";
 import BoldEmphasis from "./BoldEmphasis";
+import PlainText from "./PlainText";

 export const LINK_REG = /\[(.*?)\]\((.+?)\)+/;

@@ -17,7 +18,7 @@ const renderer = (rawStr: string): string => {
  if (!matchResult) {
    return rawStr;
  }
-  const parsedContent = marked(matchResult[1], [], [InlineCode, BoldEmphasis, Emphasis, Bold]);
+  const parsedContent = marked(matchResult[1], [], [InlineCode, BoldEmphasis, Emphasis, Bold, PlainText]);
  return `<a class='link' target='_blank' rel='noreferrer' href='${escape(matchResult[2])}'>${parsedContent}</a>`;
 };