
Merge pull request #447 from weseek/imprv/446-escape-codes

fix #446 Imprv: iframe tag in block codes works wrongly
Yuki Takei 7 سال پیش
والد
کامیت
2db3bd1183
2فایلهای تغییر یافته به همراه8 افزوده شده و 3 حذف شده
  1. 1 1
      lib/util/xss.js
  2. 7 2
      resource/js/util/GrowiRenderer.js

+ 1 - 1
lib/util/xss.js

@@ -7,7 +7,7 @@ class Xss {
     let option = {
       stripIgnoreTag: true,
       css: false,
-      escapeHtml: (html) => html,
+      escapeHtml: (html) => html,   // resolve https://github.com/weseek/growi/issues/221
     };
     if (isAllowAllAttrs) {
       // allow all attributes
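Review bot: The comment added beside `escapeHtml: (html) => html` is only an issue link, so the code does not say that this identity function switches off js-xss's default escaping of `<` and `>` in text outside recognised tags. With that default gone, the whitelist and `stripIgnoreTag` are the only protection left, and a reader should see that trade-off without opening the tracker. If that is the intent, I would state it inline, for example `// text outside tags is left unescaped on purpose (issue #221); safety rests on tag filtering only`. The rest of the Xss class lies outside this hunk, so whether the output is escaped again later cannot be checked from here.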

+ 7 - 2
resource/js/util/GrowiRenderer.js

@@ -1,4 +1,5 @@
 import MarkdownIt from 'markdown-it';
+import xss from 'xss';
 
 import Linker        from './PreProcessor/Linker';
 import CsvToTable    from './PreProcessor/CsvToTable';
@@ -29,6 +30,8 @@ export default class GrowiRenderer {
       { isAutoSetup: true },      // default options
       options || {});             // specified options
 
+    this.xssFilterForCode = new xss.FilterXSS();
+
     // initialize processors
     //  that will be retrieved if originRenderer exists
     this.preProcessors = this.originRenderer.preProcessors || [
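Review bot: `new xss.FilterXSS()` on the added line is built with the library defaults, and the default whitelist passes common tags through unchanged, so `<b>` or `<img src>` inside a code block would still be rendered as HTML rather than shown as text; only tags outside the whitelist are escaped. A rendered `<img>` in a code block would also make the reader's browser request the referenced host. A code block should display its content literally, so the filter wants an empty whitelist: `this.xssFilterForCode = new xss.FilterXSS({ whiteList: {} });`. The same instance serves both `process(code)` calls in the last hunk of this file, so this one change covers them. The constructor starts and ends outside this hunk.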
@@ -153,11 +156,13 @@ export default class GrowiRenderer {
         }
       }
       else {
-        return `<pre class="hljs ${noborder}">${citeTag}<code>${code}</code></pre>`;
+        const escapedCode = this.xssFilterForCode.process(code);
+        return `<pre class="hljs ${noborder}">${citeTag}<code>${escapedCode}</code></pre>`;
       }
     }
 
-    return `<pre class="hljs ${noborder}"><code>${code}</code></pre>`;
+    const escapedCode = this.xssFilterForCode.process(code);
+    return `<pre class="hljs ${noborder}"><code>${escapedCode}</code></pre>`;
   }
 
 }
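Review bot: Only `code` goes through the filter in the two new `return` lines; `${citeTag}` and `${noborder}` are still interpolated into the markup as they are. Both are built outside this hunk, so this may already be safe, but if `citeTag` carries text taken from the fence's info string it needs escaping at the point where it is built. A short comment above the first `process(code)` call would also help, e.g. `// raw code is inserted into HTML here, so it must be escaped first`. No test accompanies the change; a case rendering a fenced block that contains an `<iframe>` tag would pin the behaviour from #446.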