chore: fix XSS in renderer (#880)

usememos · Dec 31, 2022 · 7670c95 · 7670c95
1 parent 65e9fde
commit 7670c95
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 4 deletions.
diff --git a/web/src/labs/marked/parser/Bold.ts b/web/src/labs/marked/parser/Bold.ts
@@ -1,5 +1,6 @@
 import { marked } from "..";
 import Link from "./Link";
+import PlainText from "./PlainText";
 
 export const BOLD_REG = /\*\*(.+?)\*\*/;
 
@@ -14,7 +15,7 @@ const renderer = (rawStr: string): string => {
     return rawStr;
   }
 
-  const parsedContent = marked(matchResult[1], [], [Link]);
+  const parsedContent = marked(matchResult[1], [], [Link, PlainText]);
   return `<strong>${parsedContent}</strong>`;
 };
 

diff --git a/web/src/labs/marked/parser/BoldEmphasis.ts b/web/src/labs/marked/parser/BoldEmphasis.ts
@@ -1,5 +1,6 @@
 import { marked } from "..";
 import Link from "./Link";
+import PlainText from "./PlainText";
 
 export const BOLD_EMPHASIS_REG = /\*\*\*(.+?)\*\*\*/;
 
@@ -14,7 +15,7 @@ const renderer = (rawStr: string): string => {
     return rawStr;
   }
 
-  const parsedContent = marked(matchResult[1], [], [Link]);
+  const parsedContent = marked(matchResult[1], [], [Link, PlainText]);
   return `<strong><em>${parsedContent}</em></strong>`;
 };
 

diff --git a/web/src/labs/marked/parser/Emphasis.ts b/web/src/labs/marked/parser/Emphasis.ts
@@ -1,5 +1,6 @@
 import { marked } from "..";
 import Link from "./Link";
+import PlainText from "./PlainText";
 
 export const EMPHASIS_REG = /\*(.+?)\*/;
 
@@ -14,7 +15,7 @@ const renderer = (rawStr: string): string => {
     return rawStr;
   }
 
-  const parsedContent = marked(matchResult[1], [], [Link]);
+  const parsedContent = marked(matchResult[1], [], [Link, PlainText]);
   return `<em>${parsedContent}</em>`;
 };
 

diff --git a/web/src/labs/marked/parser/Link.ts b/web/src/labs/marked/parser/Link.ts
@@ -4,6 +4,7 @@ import Bold from "./Bold";
 import { marked } from "..";
 import InlineCode from "./InlineCode";
 import BoldEmphasis from "./BoldEmphasis";
+import PlainText from "./PlainText";
 
 export const LINK_REG = /\[(.*?)\]\((.+?)\)+/;
 
@@ -17,7 +18,7 @@ const renderer = (rawStr: string): string => {
   if (!matchResult) {
     return rawStr;
   }
-  const parsedContent = marked(matchResult[1], [], [InlineCode, BoldEmphasis, Emphasis, Bold]);
+  const parsedContent = marked(matchResult[1], [], [InlineCode, BoldEmphasis, Emphasis, Bold, PlainText]);
   return `<a class='link' target='_blank' rel='noreferrer' href='${escape(matchResult[2])}'>${parsedContent}</a>`;
 };