fix: HTML + mustache interpolations not escaped properly

7 years ago · 4632330d7c
5 changed files with 20 additions and 20 deletions
--- a/server/libs/markdown.js
+++ b/server/libs/markdown.js
@ -25,10 +25,10 @@ var mkdown = md({
      try {
        return '<pre class="hljs"><code>' + hljs.highlight(lang, str, true).value + '</code></pre>'
      } catch (err) {
-        return '<pre><code>' + str + '</code></pre>'
+        return '<pre><code>' + _.escape(str) + '</code></pre>'
      }
    }
-    return '<pre><code>' + str + '</code></pre>'
+    return '<pre><code>' + _.escape(str) + '</code></pre>'
  }
 })
  .use(mdEmoji)
--- a/server/locales/en/common.json
+++ b/server/locales/en/common.json
@ -17,25 +17,26 @@
  },
  "nav": {
    "account": "Account",
-    "settings": "Settings",
-    "myprofile": "My Profile",
-    "stats": "Stats",
-    "syssettings": "System Settings",
-    "theme": "Color Theme",
-    "users": "Users",
-    "logout": "Logout",
+    "allpages": "All Pages",
    "create": "Create",
+    "discard": "Discard",
    "edit": "Edit",
    "history": "History",
-    "source": "Source",
-    "move": "Move",
-    "allpages": "All Pages",
+    "home": "Home",
    "login": "Login",
+    "logout": "Logout",
+    "move": "Move",
+    "myprofile": "My Profile",
    "normalview": "Normal View",
-    "viewlatest": "View Latest",
-    "discard": "Discard",
    "savechanges": "Save Changes",
-    "savedocument": "Save Document"
+    "savedocument": "Save Document",
+    "settings": "Settings",
+    "source": "Source",
+    "stats": "Stats",
+    "syssettings": "System Settings",
+    "theme": "Color Theme",
+    "users": "Users",
+    "viewlatest": "View Latest"
  },
  "welcome": {
    "title": "Welcome to your wiki!",
@ -46,4 +47,4 @@
    "source": "Loading source...",
    "editor": "Loading editor..."
  }
-}
+}
--- a/server/views/pages/create.pug
+++ b/server/views/pages/create.pug
@ -16,7 +16,7 @@ block rootNavRight
 block content
  editor(inline-template, current-path=pageData.meta.path, v-cloak)
    .editor-area
-      textarea(ref='editorTextArea')= pageData.markdown
+      textarea(ref='editorTextArea', v-pre)= pageData.markdown

  editor-video
  editor-codeblock
--- a/server/views/pages/edit.pug
+++ b/server/views/pages/edit.pug
@ -16,7 +16,7 @@ block rootNavRight
 block content
  editor(inline-template, current-path=pageData.meta.path, v-cloak)
    .editor-area
-      textarea(ref='editorTextArea')= pageData.markdown
+      textarea(ref='editorTextArea', v-pre)= pageData.markdown

  editor-video
  editor-codeblock
--- a/server/views/pages/view.pug
+++ b/server/views/pages/view.pug
@ -73,12 +73,11 @@ block content
              +tocMenu(pageData.tree)

        .column
-
          .hero
            h1.title#title= pageData.meta.title
            if pageData.meta.subtitle
              h2.subtitle= pageData.meta.subtitle
-          .content.mkcontent
+          .content.mkcontent(v-pre)
            != pageData.html

  modal-create-page(basepath=pageData.meta.path)