From 4632330d7c8a9fa1bfb231c222e393658b95d707 Mon Sep 17 00:00:00 2001
From: NGPixel
Date: Thu, 1 Jun 2017 20:15:02 -0400
Subject: [PATCH] fix: HTML + mustache interpolations not escaped properly

---
 server/libs/markdown.js | 4 ++--
 server/locales/en/common.json | 29 +++++++++++++++--------------
 server/views/pages/create.pug | 2 +-
 server/views/pages/edit.pug | 2 +-
 server/views/pages/view.pug | 3 +--
 5 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/server/libs/markdown.js b/server/libs/markdown.js
index 178fb4d2..2fd6138b 100644
--- a/server/libs/markdown.js
+++ b/server/libs/markdown.js
@@ -25,10 +25,10 @@ var mkdown = md({
 try {
 return '
' + hljs.highlight(lang, str, true).value + '
'
 } catch (err) {
- return '
' + str + '
'
+ return '
' + _.escape(str) + '
'
 }
 }
- return '
' + str + '
'
+ return '
' + _.escape(str) + '
'
 }
 })
 .use(mdEmoji)
diff --git a/server/locales/en/common.json b/server/locales/en/common.json
index 1b6a44fd..9cd4441d 100644
--- a/server/locales/en/common.json
+++ b/server/locales/en/common.json
@@ -17,25 +17,26 @@
 },
 "nav": {
 "account": "Account",
- "settings": "Settings",
- "myprofile": "My Profile",
- "stats": "Stats",
- "syssettings": "System Settings",
- "theme": "Color Theme",
- "users": "Users",
- "logout": "Logout",
+ "allpages": "All Pages",
 "create": "Create",
+ "discard": "Discard",
 "edit": "Edit",
 "history": "History",
- "source": "Source",
- "move": "Move",
- "allpages": "All Pages",
+ "home": "Home",
 "login": "Login",
+ "logout": "Logout",
+ "move": "Move",
+ "myprofile": "My Profile",
 "normalview": "Normal View",
- "viewlatest": "View Latest",
- "discard": "Discard",
 "savechanges": "Save Changes",
- "savedocument": "Save Document"
+ "savedocument": "Save Document",
+ "settings": "Settings",
+ "source": "Source",
+ "stats": "Stats",
+ "syssettings": "System Settings",
+ "theme": "Color Theme",
+ "users": "Users",
+ "viewlatest": "View Latest"
 },
 "welcome": {
 "title": "Welcome to your wiki!",
@@ -46,4 +47,4 @@
 "source": "Loading source...",
 "editor": "Loading editor..."
 }
-}
\ No newline at end of file
+}
diff --git a/server/views/pages/create.pug b/server/views/pages/create.pug
index 35fe41ca..7dddd2dd 100644
--- a/server/views/pages/create.pug
+++ b/server/views/pages/create.pug
@@ -16,7 +16,7 @@ block rootNavRight
 block content
 editor(inline-template, current-path=pageData.meta.path, v-cloak)
 .editor-area
- textarea(ref='editorTextArea')= pageData.markdown
+ textarea(ref='editorTextArea', v-pre)= pageData.markdown
 editor-video
 editor-codeblock
diff --git a/server/views/pages/edit.pug b/server/views/pages/edit.pug
index 63a12139..4d851c23 100644
--- a/server/views/pages/edit.pug
+++ b/server/views/pages/edit.pug
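Review bot: The try branch at the top of the hunk still concatenates `hljs.highlight(lang, str, true).value` without `_.escape`, and nothing records why that is acceptable while both fallback returns now escape `str`; a later edit that swaps the highlighter call could silently reintroduce the unescaped path. A comment on the try line would pin the contract, e.g. `// hljs.highlight() HTML-escapes its output; only the raw-source fallbacks below must escape str themselves`. The catch also discards `err` and falls back for any highlighter failure, not only an unregistered language, which is worth stating: `// best effort: any highlighter error degrades to plain, escaped text`. The enclosing md({ highlight }) option starts before the hunk and the opening tag text was lost in this rendering, so whether `lang` is interpolated into the element's attributes, and escaped if so, cannot be checked here.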
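Review bot: The added `v-pre` on the textarea carries no explanation, and because the element sits inside an `editor(inline-template …)` component it is load-bearing: without it Vue presumably compiles `{{ … }}` sequences in the document text as template expressions, which is the interpolation problem the commit title names, yet nothing marks the attribute as intentional, so it can easily be dropped in a later template cleanup. A pug comment above the line would help: `//- v-pre: Vue must not compile the document text as part of the inline template (mustache sequences in user markdown are data, not expressions)`. The same applies to the identical textarea line in the server/views/pages/edit.pug hunk. Pug's `=` already HTML-escapes `pageData.markdown`, so the server-side half looks covered here; any other element inside the inline template that renders document content would need the same attribute, but none is visible in this hunk.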
@@ -16,7 +16,7 @@ block rootNavRight
 block content
 editor(inline-template, current-path=pageData.meta.path, v-cloak)
 .editor-area
- textarea(ref='editorTextArea')= pageData.markdown
+ textarea(ref='editorTextArea', v-pre)= pageData.markdown
 editor-video
 editor-codeblock
diff --git a/server/views/pages/view.pug b/server/views/pages/view.pug
index 6098557d..56bfb9c4 100644
--- a/server/views/pages/view.pug
+++ b/server/views/pages/view.pug
@@ -73,12 +73,11 @@ block content
 +tocMenu(pageData.tree)
 .column
- .hero
 h1.title#title= pageData.meta.title
 if pageData.meta.subtitle
 h2.subtitle= pageData.meta.subtitle
- .content.mkcontent
+ .content.mkcontent(v-pre)
 != pageData.html
 modal-create-page(basepath=pageData.meta.path)
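Review bot: `v-pre` on `.content.mkcontent` only stops Vue from compiling the rendered document as a template; the `!= pageData.html` line beneath it still inserts `pageData.html` unescaped, so the safety of this block rests entirely on the markdown renderer having escaped or sanitized the HTML it produced, and the markdown.js hunk in this patch covers only the fenced-code fallback. That dependency deserves a comment, e.g. `//- unescaped on purpose: pageData.html is renderer output; v-pre keeps Vue from evaluating mustache sequences inside it, any sanitization must happen in the markdown pipeline`. The `h1`/`h2` lines use pug's escaping `=`, so the title and subtitle are fine. The hunk's blank lines are not distinguishable in this rendering, so its exact tail may not be fully visible here.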