From a21dfdf8e7e51447fa67f4ea96b70e2e1dbaeb0f Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 15 Dec 2016 17:07:07 +0100
Subject: [PATCH] Don't render non HTTP links, images and quotes
Signed-off-by: Joas Schilling
---
 settings/js/apps.js | 48 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/settings/js/apps.js b/settings/js/apps.js
index 15d3547b70..a527b354e6 100644
--- a/settings/js/apps.js
+++ b/settings/js/apps.js
@@ -19,6 +19,8 @@ Handlebars.registerHelper('level', function() {
 OC.Settings = OC.Settings || {};
 OC.Settings.Apps = OC.Settings.Apps || {
+ markedOptions: {},
+
 setupGroupsSelect: function($elements) {
 OC.Settings.setupGroupsSelect($elements, {
 placeholder: t('core', 'All')
@@ -187,7 +189,7 @@ OC.Settings.Apps = OC.Settings.Apps || {
 }
 // Parse markdown in app description
- app.description = marked(app.description.trim());
+ app.description = marked(app.description.trim(), OC.Settings.Apps.markedOptions);
 var html = template(app);
 if (selector) {
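Review bot: `marked(app.description.trim(), OC.Settings.Apps.markedOptions)` reads options that the first hunk declares as `markedOptions: {}` and that are only populated inside `initialize()` in a later hunk, so if this render path can run before `initialize()` has executed the description is parsed with marked's built-in defaults and none of the restrictions of the custom renderer apply. A safer declaration is `markedOptions: { sanitize: true },` so that a premature call still strips raw HTML, or the renderer and options could be built at declaration time instead of in `initialize()`. Whether that ordering can actually occur is not visible here — the function containing this call starts and ends outside the hunk — so it is worth confirming against the callers before relying on the current arrangement.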
@@ -636,6 +638,50 @@ OC.Settings.Apps = OC.Settings.Apps || {
 * Initializes the apps list
 */
 initialize: function($el) {
+
+ var renderer = new marked.Renderer();
+ renderer.link = function(href, title, text) {
+ try {
+ var prot = decodeURIComponent(unescape(href))
+ .replace(/[^\w:]/g, '')
+ .toLowerCase();
+ } catch (e) {
+ return '';
+ }
+
+ if (prot.indexOf('http:') !== 0 && prot.indexOf('https:') !== 0) {
+ return '';
+ }
+
+ var out = '';
+ return out;
+ };
+ renderer.image = function(href, title, text) {
+ if (text) {
+ return text;
+ }
+ return title;
+ };
+ renderer.blockquote = function(quote) {
+ return quote;
+ };
+
+ OC.Settings.Apps.markedOptions = {
+ renderer: renderer,
+ gfm: false,
+ highlight: false,
+ tables: false,
+ breaks: false,
+ pedantic: false,
+ sanitize: true,
+ smartLists: true,
+ smartypants: false
+ };
+
 OC.Plugins.register('OCA.Search', OC.Settings.Apps.Search);
 OC.Settings.Apps.loadCategories();
 OC.Util.History.addOnPopStateHandler(_.bind(this._onPopState, this));
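Review bot: `renderer.image` falls through to `return title;` when the alt text is empty, and if marked hands the renderer `null` for a missing title (as its 0.3-line inline lexer does for links and images) an image such as `![](http://host/a.png)` ends up rendered as the literal string `null` once it is concatenated into the output; `return text || title || '';` closes that. The link renderer likewise returns `''` for every non-http(s) href, which also discards the link text, whereas `return text;` there would drop only the anchor and keep the description readable. The anchor construction between `var out` and `return out` appears garbled in this copy of the hunk, so how `href`, `title` and `text` are interpolated into the tag could not be reviewed; a comment such as `// href/title/text arrive already escaped by marked's inline lexer — never interpolate raw input here` would record the assumption the renderer depends on, and is worth verifying against the bundled marked version. The body of `initialize` continues past the end of the hunk.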