author | Raphael Kabo <raphaelkabo@hey.com> | 2023-10-09 11:05:39 +0100 |
---|---|---|
committer | Raphael Kabo <raphaelkabo@hey.com> | 2023-10-09 11:05:39 +0100 |
commit | 31022a7d323a351041b7b8508fb56c14fd699580 (patch) | |
tree | 693f324550dccedd50b6313165b88281a8ebcac8 | |
parent | 6af99ef4c0c3a28a29bad9f4c66e41d0365234cc (diff) |
Sanitize Markdown HTML output everywhere
-rw-r--r-- | src/routes/event.ts | 4 | ||||
-rw-r--r-- | src/routes/frontend.ts | 8 |
2 files changed, 7 insertions, 5 deletions
diff --git a/src/routes/event.ts b/src/routes/event.ts
index 2245009..cfd877e 100644
--- a/src/routes/event.ts
+++ b/src/routes/event.ts
@@ -2,7 +2,6 @@ import { Router, Response, Request } from "express";
 import multer from "multer";
 import Jimp from "jimp";
 import moment from "moment-timezone";
-import { marked } from "marked";
 import {
 generateEditToken,
 generateEventID,
@@ -26,6 +25,7 @@ import getConfig from "../lib/config.js";
 import { sendEmailFromTemplate } from "../lib/email.js";
 import crypto from "crypto";
 import ical from "ical";
+import { markdownToSanitizedHTML } from "../util/markdown.js";
 const config = getConfig();
@@ -148,7 +148,7 @@ router.post(
 eventID,
 config.general.domain,
 publicKey,
- marked.parse(eventData.eventDescription),
+ markdownToSanitizedHTML(eventData.eventDescription),
 eventData.eventName,
 eventData.eventLocation,
 eventImageFilename,
diff --git a/src/routes/frontend.ts b/src/routes/frontend.ts
index cdf314c..c405572 100644
--- a/src/routes/frontend.ts
+++ b/src/routes/frontend.ts
@@ -1,7 +1,7 @@
 import { Router, Request, Response } from "express";
 import moment from "moment-timezone";
 import { marked } from "marked";
-import { renderPlain } from "../util/markdown.js";
+import { markdownToSanitizedHTML, renderPlain } from "../util/markdown.js";
 import getConfig, { frontendConfig } from "../lib/config.js";
 import { addToLog, exportICal } from "../helpers.js";
 import Event from "../models/Event.js";
@@ -91,7 +91,7 @@ router.get("/:eventID", async (req: Request, res: Response) => {
 eventHasBegun = true;
 }
 let fromNow = moment.tz(event.start, event.timezone).fromNow();
- let parsedDescription = marked.parse(event.description);
+ let parsedDescription = markdownToSanitizedHTML(event.description);
 let eventEditToken = event.editToken;
 let escapedName = event.name.replace(/\s+/g, "+");
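Review bot: In src/routes/frontend.ts the first hunk keeps `import { marked } from "marked";` while every `marked.parse` call shown in this file's hunks is replaced by `markdownToSanitizedHTML`, whereas src/routes/event.ts drops its `marked` import entirely. That leaves two possibilities the commit does not settle: the import is now dead, or a `marked.parse` call remains somewhere outside these hunks and still emits unsanitized HTML, which would leave the "everywhere" in the commit title unmet. If it is unused, remove the line so a later edit cannot fall back to raw `marked.parse`; if a use remains, route it through `markdownToSanitizedHTML` as well. The `router.get` handlers touched in the second and third hunks both start outside their hunks, so the rest of their bodies could not be checked here.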
@@ -262,7 +262,9 @@ router.get("/group/:eventGroupID", async (req: Request, res: Response) => {
 if (!eventGroup) {
 return res.status(404).render("404", frontendConfig());
 }
- const parsedDescription = marked.parse(eventGroup.description);
+ const parsedDescription = markdownToSanitizedHTML(
+ eventGroup.description,
+ );
 const eventGroupEditToken = eventGroup.editToken;
 const escapedName = eventGroup.name.replace(/\s+/g, "+");
 const eventGroupHasCoverImage = !!eventGroup.image;