chore: fix XSS in renderer (#875)

chore: fix xss in renderer
usememos · Dec 29, 2022 · 64e5c34 · 64e5c34
1 parent 9169b3f
commit 64e5c34
Show file tree

Hide file tree

Showing 6 changed files with 7 additions and 11 deletions.
diff --git a/web/src/labs/marked/index.ts b/web/src/labs/marked/index.ts
@@ -47,7 +47,7 @@ export const marked = (markdownStr: string, blockParsers = blockElementParserLis
       const matchedLength = matchedStr.length;
       const prefixStr = markdownStr.slice(0, matchedIndex);
       const suffixStr = markdownStr.slice(matchedIndex + matchedLength);
-      return prefixStr + matchedInlineParser.renderer(matchedStr) + marked(suffixStr, [], inlineParsers);
+      return marked(prefixStr, [], inlineParsers) + matchedInlineParser.renderer(matchedStr) + marked(suffixStr, [], inlineParsers);
     }
   }
 

diff --git a/web/src/labs/marked/parser/Bold.ts b/web/src/labs/marked/parser/Bold.ts
@@ -1,4 +1,3 @@
-import { escape } from "lodash";
 import { marked } from "..";
 import Link from "./Link";
 
@@ -15,7 +14,7 @@ const renderer = (rawStr: string): string => {
     return rawStr;
   }
 
-  const parsedContent = marked(escape(matchResult[1]), [], [Link]);
+  const parsedContent = marked(matchResult[1], [], [Link]);
   return `<strong>${parsedContent}</strong>`;
 };
 

diff --git a/web/src/labs/marked/parser/BoldEmphasis.ts b/web/src/labs/marked/parser/BoldEmphasis.ts
@@ -1,4 +1,3 @@
-import { escape } from "lodash";
 import { marked } from "..";
 import Link from "./Link";
 
@@ -15,7 +14,7 @@ const renderer = (rawStr: string): string => {
     return rawStr;
   }
 
-  const parsedContent = marked(escape(matchResult[1]), [], [Link]);
+  const parsedContent = marked(matchResult[1], [], [Link]);
   return `<strong><em>${parsedContent}</em></strong>`;
 };
 

diff --git a/web/src/labs/marked/parser/Emphasis.ts b/web/src/labs/marked/parser/Emphasis.ts
@@ -1,4 +1,3 @@
-import { escape } from "lodash";
 import { marked } from "..";
 import Link from "./Link";
 
@@ -15,7 +14,7 @@ const renderer = (rawStr: string): string => {
     return rawStr;
   }
 
-  const parsedContent = marked(escape(matchResult[1]), [], [Link]);
+  const parsedContent = marked(matchResult[1], [], [Link]);
   return `<em>${parsedContent}</em>`;
 };
 

diff --git a/web/src/labs/marked/parser/Link.ts b/web/src/labs/marked/parser/Link.ts
@@ -17,7 +17,7 @@ const renderer = (rawStr: string): string => {
   if (!matchResult) {
     return rawStr;
   }
-  const parsedContent = marked(escape(matchResult[1]), [], [InlineCode, BoldEmphasis, Emphasis, Bold]);
+  const parsedContent = marked(matchResult[1], [], [InlineCode, BoldEmphasis, Emphasis, Bold]);
   return `<a class='link' target='_blank' rel='noreferrer' href='${escape(matchResult[2])}'>${parsedContent}</a>`;
 };
 

diff --git a/web/src/labs/marked/parser/Strikethrough.ts b/web/src/labs/marked/parser/Strikethrough.ts
@@ -1,4 +1,4 @@
-import { marked } from "..";
+import { escape } from "lodash";
 
 export const STRIKETHROUGH_REG = /~~(.+?)~~/;
 
@@ -13,8 +13,7 @@ const renderer = (rawStr: string): string => {
     return rawStr;
   }
 
-  const parsedContent = marked(matchResult[1], [], []);
-  return `<del>${parsedContent}</del>`;
+  return `<del>${escape(matchResult[1])}</del>`;
 };
 
 export default {