Sanitize hardening, marked#1504
yahtnif committed Jul 6, 2019
1 parent 63bf9d6 commit b512f54
Showing 5 changed files with 17 additions and 5 deletions.
3 changes: 1 addition & 2 deletions __tests__/option/sanitize
Expand Up @@ -14,9 +14,8 @@ sanitize: true




<p>Image</p>
<p>Image</p>
<p>Image</p>
<p>Image</p>
<p>Image</p>
<p>Image</p>
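Review bot: the one-line expectation change in `__tests__/option/sanitize` is not reviewable as rendered here; the lines above show only repeated `<p>Image</p>` and neither the removed nor the added expectation is visible, so it cannot be checked against the new `escape()` fallback the lexers gain in this commit. Please add a fixture (or point to an existing one) that feeds raw HTML, for example an inline `<script>` element, with `sanitize: true` and no `sanitizer`, and asserts the escaped output; and a second case with a custom `sanitizer` asserting that its return value is emitted unchanged, since that is the contract both lexers now rely on.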
2 changes: 1 addition & 1 deletion docs/options.md
Expand Up @@ -17,7 +17,7 @@
| nop | Boolean | false | If `true`, an inline text will not be taken in paragraph. |
| pedantic | Boolean | false | If true, conform to the original `markdown.pl` as much as possible. Don't fix original markdown bugs or behavior. Turns off and overrides `gfm`. |
| renderer | Renderer | Renderer | An object containing functions to render tokens to HTML. See [Renderer](#renderer) for more details. |
| sanitize | Boolean | false | If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function. |
| sanitize | Boolean | false | If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function. <br>**Warning**: This feature is deprecated and it should NOT be used as it cannot be considered secure.<br>Instead use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://github.com/bevacqua/insane) on the output HTML! |
| sanitizer | Function | null | A function to sanitize the HTML passed into `markdownString`. |
| silent | Boolean | false | If true, the parser does not throw any exception. |
| slug | Function | str => built_in_slug(str) | Slugify `id` attribute for heading and footnote. |
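Review bot: the `sanitizer` row (`| sanitizer | Function | null | A function to sanitize the HTML passed into `markdownString`. |`) still documents that option without the deprecation warning the `sanitize` row now carries, yet the console warning added in `src/index.ts` in this same commit says both `sanitize` and `sanitizer` are deprecated; add the same **Warning** text, or at least a "see `sanitize`" pointer, to that row so the docs and the runtime message agree. The warning also names a version ("deprecated since version 0.15.0") that the docs do not; either state the version here or drop it from the message so the two cannot drift. Minor wording: "a sanitize library" should read "a sanitizing library", and it is worth saying explicitly that DOMPurify & co. must run on the HTML output of `parse()`, not on the Markdown input, since the row's first sentence still talks about sanitizing "the HTML passed into `markdownString`".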
2 changes: 1 addition & 1 deletion src/block-lexer.ts
Expand Up @@ -558,7 +558,7 @@ export class BlockLexer {
this.tokens.push({
type: this.options.sanitize ? TokenType.paragraph : TokenType.html,
pre: !this.options.sanitizer && isPre,
text: execArr[0]
text: this.options.sanitize ? (this.options.sanitizer ? this.options.sanitizer(execArr[0]) : escape(execArr[0])) : execArr[0]
})
continue
}
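Review bot: the new `text:` expression calls `escape(...)` but this hunk adds no import, and the file summary reports only 1 addition and 1 deletion, so confirm that `escape` is already in scope in `src/block-lexer.ts`; if it is not, the build will fail or, worse, the call will resolve to a global of the same name. Note also that `pre: !this.options.sanitizer && isPre` is left as it was: with `sanitize: true` and no `sanitizer`, the token is now a `paragraph` whose `text` is escaped while `pre` can still be `true`, so check that whatever consumes `pre` on paragraph tokens does not skip inline processing on what is now plain text. The nested ternary on one line is hard to read and easy to get wrong in a security-relevant path; a named helper such as `sanitizeRaw(html)` would state the three cases (custom sanitizer, escape fallback, raw passthrough) explicitly.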
7 changes: 7 additions & 0 deletions src/index.ts
Expand Up @@ -84,6 +84,13 @@ export default class Smarkdown {
static parse(src: string, options?: Options): string {
try {
const opts: Options = this.getOptions(options)

if (opts && opts.sanitize && !opts.silent) {
console.warn(
'Smarkdown: sanitize and sanitizer parameters are deprecated since version 0.15.0, should not be used and will be removed in the future. Read more here: https://github.com/yahtnif/smarkdown/blob/master/docs/options.md'
)
}

const { tokens, links } = this.callBlockLexer(src, opts)

return this.callParser(tokens, links, opts)
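Review bot: the guard `opts.sanitize && !opts.silent` misses a case the message itself covers: a caller who passes only `sanitizer` (without `sanitize: true`) gets no warning although the text says both parameters are deprecated, so widen the condition to `(opts.sanitize || opts.sanitizer) && !opts.silent`. The warning also fires on every `parse()` call; for a library that may render many documents per process, warn once (a module-level `warnedSanitize` flag) rather than per call, and consider routing it through the same path as other diagnostics so `silent` callers can still find it. The leading `opts &&` is redundant if `getOptions` always returns an object; if it can return `undefined`, the `callBlockLexer(src, opts)` call two lines down would have to handle that anyway.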
8 changes: 7 additions & 1 deletion src/inline-lexer.ts
Expand Up @@ -611,7 +611,13 @@ export class InlineLexer {
nextPart = nextPart.substring(execArr[0].length)

if (this.inRawBlock) {
out += this.renderer.text(execArr[0])
out += this.renderer.text(
this.options.sanitize
? this.options.sanitizer
? this.options.sanitizer(execArr[0])
: escape(execArr[0])
: execArr[0]
)
} else {
out += this.renderer.text(
this.options.escape(this.smartypants(execArr[0]))
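Review bot: the `sanitize ? (sanitizer ? sanitizer(...) : escape(...)) : raw` ternary here duplicates the one added to `src/block-lexer.ts` in this commit; extract one helper (for example `sanitizeRaw(text, options)`) so the two raw-HTML paths cannot drift apart when one is later fixed. The hunk also preserves an asymmetry worth a comment: inside `inRawBlock` with `sanitize` off, `execArr[0]` reaches `this.renderer.text()` unescaped, while the `else` branch always applies `this.options.escape(...)`; that is the intended raw-HTML passthrough, and it is exactly why the docs now tell users to run DOMPurify or similar on the output, so say so here for the next reader. Finally, when a custom `sanitizer` is supplied its return value is emitted with no further escaping, so the `sanitizer` option docs should state that it must return HTML that is already safe to emit.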
