
sanitize `#raw-text-original` content with 'entities'

Yuki Takei 7 лет назад
Родитель
Сommit
47e7a126ca

+ 1 - 0
CHANGES.md

@@ -3,6 +3,7 @@ CHANGES
 
 ## 3.1.4-RC
 
+* Fix: sanitize `#raw-text-original` content with 'entities'
 * Fix: page.rename api doesn't work
 * Support: Upgrade libs
     * markdown-it-toc-and-anchor-with-slugid

+ 7 - 2
lib/util/middlewares.js

@@ -1,5 +1,6 @@
-var debug = require('debug')('growi:lib:middlewares');
-var md5 = require('md5');
+const debug = require('debug')('growi:lib:middlewares');
+const md5 = require('md5');
+const entities = require('entities');
 
 exports.csrfKeyGenerator = function(crowi, app) {
   return function(req, res, next) {
@@ -178,6 +179,10 @@ exports.swigFilters = function(app, swig) {
       }
     });
 
+    swig.setFilter('sanitize', function(string) {
+      return entities.encodeHTML(string);
+    });
+
     next();
   };
 };
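Review bot: `entities.encodeHTML` calls `.replace` on its argument, so the new `sanitize` filter on L38-L40 will throw for a page whose body is `null` or `undefined`, where the old `{{ revision.body }}` simply rendered empty; coerce inside the filter, `return entities.encodeHTML(string == null ? '' : String(string));`, which also removes the need for the `.toString()` calls in the templates. Inside a `<script type="text/template">` element the browser never decodes entities, so this escaping only stops a `</script>` in the body from closing the element early; whatever client code reads these templates must run the text through `entities.decodeHTML` (or equivalent) before using it, which this commit does not show and should be confirmed. `encodeHTML` also appears to convert every non-ASCII character to an entity, which can multiply the size of CJK page bodies; if the client decodes anyway, escaping only `&<>"'` would be sufficient. The name `sanitize` overstates what the filter does (it escapes, it does not sanitize markup), so a comment such as `// HTML-escape page bodies embedded in <script type="text/template">; the client must decodeHTML() them` would help. `swigFilters` starts outside the hunk.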

+ 1 - 1
lib/views/widget/page_content.html

@@ -15,7 +15,7 @@
   <div class="tab-content">
 
     {% if page %}
-      <script type="text/template" id="raw-text-original">{{ revision.body }}</script>
+      <script type="text/template" id="raw-text-original">{{ revision.body.toString() | sanitize }}</script>
 
       {# formatted text #}
       <div class="tab-pane {% if not req.body.pageForm %}active{% endif %}" id="revision-body">

+ 1 - 1
lib/views/widget/page_list_and_timeline.html

@@ -33,7 +33,7 @@
             <div class="revision-body wiki"></div>
           </div>
         </div>
-        <script type="text/template">{{ page.revision.body }}</script>
+        <script type="text/template">{{ page.revision.body.toString() | sanitize }}</script>
       </div>
       <hr>
       {% endfor %}
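Review bot: This `<script>` on L67 is rendered inside a `{% for %}` loop (L70), so a single page whose `page.revision.body` is `null` or `undefined` makes `.toString()` throw and aborts rendering of the whole list rather than one entry; `{{ page.revision.body | default('') | sanitize }}` avoids that. Unlike `#raw-text-original` this element has no id, so the client code that locates it and decodes the entities is outside the hunk and cannot be checked here — confirm it decodes before use. The `{% for %}` that encloses this block begins outside the hunk.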