scl/szurubooru
1
0
Fork 0
mirror of https://github.com/rr-/szurubooru.git synced 2025-07-17 08:26:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge bc7a4cf8c5 into ee7e9ef2a3

Browse Source
This commit is contained in:
Eva
2025-05-23 20:47:42 +02:00
committed by GitHub
parent ee7e9ef2a3 bc7a4cf8c5
commit 561f0b28e9
2 changed files with 15 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
client/js/util/markdown.js
View File

@ -110,24 +110,22 @@ class StrikeThroughWrapper extends BaseMarkdownWrapper {
} }
} }
function createRenderer() { function escapeHtml(unsafe) {
function sanitize(str) { return unsafe
return str.replace(/&<"/g, (m) => { .toString()
if (m === "&") { .replace(/&/g, "&amp;")
return "&amp;"; .replace(/</g, "&lt;")
} .replace(/>/g, "&gt;")
if (m === "<") { .replace(/"/g, "&quot;")
return "&lt;"; .replace(/'/g, "&apos;");
} }
return "&quot;";
});
}
function createRenderer() {
const renderer = new marked.Renderer(); const renderer = new marked.Renderer();
renderer.image = (href, title, alt) => { renderer.image = (href, title, alt) => {
let [_, url, width, height] = let [_, url, width, height] =
/^(.+?)(?:\s=\s*(\d*)\s*x\s*(\d*)\s*)?$/.exec(href); /^(.+?)(?:\s=\s*(\d*)\s*x\s*(\d*)\s*)?$/.exec(href);
let res = '<img src="' + sanitize(url) + '" alt="' + sanitize(alt); let res = '<img src="' + escapeHtml(url) + '" alt="' + escapeHtml(alt);
if (width) { if (width) {
res += '" width="' + width; res += '" width="' + width;
} }
@ -156,6 +154,7 @@ function formatMarkdown(text) {
new SmallWrapper(), new SmallWrapper(),
new StrikeThroughWrapper(), new StrikeThroughWrapper(),
]; ];
text = escapeHtml(text);
for (let wrapper of wrappers) { for (let wrapper of wrappers) {
text = wrapper.preprocess(text); text = wrapper.preprocess(text);
} }
@ -182,6 +181,7 @@ function formatInlineMarkdown(text) {
new SmallWrapper(), new SmallWrapper(),
new StrikeThroughWrapper(), new StrikeThroughWrapper(),
]; ];
text = escapeHtml(text);
for (let wrapper of wrappers) { for (let wrapper of wrappers) {
text = wrapper.preprocess(text); text = wrapper.preprocess(text);
} }
@ -196,4 +196,5 @@ function formatInlineMarkdown(text) {
module.exports = { module.exports = {
formatMarkdown: formatMarkdown, formatMarkdown: formatMarkdown,
formatInlineMarkdown: formatInlineMarkdown, formatInlineMarkdown: formatInlineMarkdown,
escapeHtml: escapeHtml,
}; };

12
client/js/util/misc.js
View File

@ -156,16 +156,6 @@ function makeCssName(text, suffix) {
return suffix + "-" + text.replace(/[^a-z0-9]/g, "_"); return suffix + "-" + text.replace(/[^a-z0-9]/g, "_");
} }
function escapeHtml(unsafe) {
return unsafe
.toString()
.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&apos;");
}
function arraysDiffer(source1, source2, orderImportant) { function arraysDiffer(source1, source2, orderImportant) {
source1 = [...source1]; source1 = [...source1];
source2 = [...source2]; source2 = [...source2];
@ -221,7 +211,7 @@ module.exports = {
enableExitConfirmation: enableExitConfirmation, enableExitConfirmation: enableExitConfirmation,
disableExitConfirmation: disableExitConfirmation, disableExitConfirmation: disableExitConfirmation,
confirmPageExit: confirmPageExit, confirmPageExit: confirmPageExit,
escapeHtml: escapeHtml, escapeHtml: markdown.escapeHtml,
makeCssName: makeCssName, makeCssName: makeCssName,
splitByWhitespace: splitByWhitespace, splitByWhitespace: splitByWhitespace,
arraysDiffer: arraysDiffer, arraysDiffer: arraysDiffer,