
sanitize UserGroup name with xss library

Yuki Takei 7 лет назад
Родитель
Сommit
659f339faf

+ 1 - 1
lib/crowi/express-init.js

@@ -127,7 +127,7 @@ module.exports = function(crowi, app) {
 
   app.use(flash());
 
-  app.use(middleware.swigFilters(app, swig));
+  app.use(middleware.swigFilters(crowi, app, swig));
   app.use(middleware.swigFunctions(crowi, app));
 
   app.use(middleware.csrfKeyGenerator(crowi, app));

+ 7 - 3
lib/util/middlewares.js

@@ -77,7 +77,7 @@ exports.swigFunctions = function(crowi, app) {
   };
 };
 
-exports.swigFilters = function(app, swig) {
+exports.swigFilters = function(crowi, app, swig) {
 
   // define a function for Gravatar
   const generateGravatarSrc = function(user) {
@@ -139,7 +139,7 @@ exports.swigFilters = function(app, swig) {
 
     swig.setFilter('datetz', function(input, format) {
       // timezone
-      var swigFilters = require('swig-templates/lib/filters');
+      const swigFilters = require('swig-templates/lib/filters');
       return swigFilters.date(input, format, app.get('tzoffset'));
     });
 
@@ -179,10 +179,14 @@ exports.swigFilters = function(app, swig) {
       }
     });
 
-    swig.setFilter('sanitize', function(string) {
+    swig.setFilter('encodeHTML', function(string) {
       return entities.encodeHTML(string);
     });
 
+    swig.setFilter('preventXss', function(string) {
+      return crowi.xss.process(string);
+    });
+
     next();
   };
 };
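Review bot: The new `preventXss` filter and the renamed `encodeHTML` filter have different security contracts, but nothing in the hunk records which one a template author should reach for: `entities.encodeHTML` escapes every special character and is safe in both text and attribute context, whereas `crowi.xss.process` (an allow-list sanitizer, going by the name and the commit title) leaves permitted markup intact and is only appropriate where the value is meant to render as HTML. A comment above each `setFilter` call would keep the two from being swapped, e.g. `// encodeHTML: escape everything (text and attribute values); preventXss: allow-list sanitizer that keeps permitted tags, text context only`. The filter also assumes `crowi.xss` is initialised before the first request reaches it; that setup is outside this diff, so a note at the point where it is created, or a guard here, would help. Renaming `sanitize` means any template not touched by this commit would now reference an unregistered filter, which is worth a repository-wide grep. The enclosing `swigFilters` function starts outside the hunk.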

+ 2 - 2
lib/views/admin/user-group-detail.html

@@ -1,11 +1,11 @@
 {% extends '../layout/admin.html' %}
 
-{% block html_title %}{{ customTitle(t('UserGroup management') + '/' + userGroup.name) | sanitize }}{% endblock %}
+{% block html_title %}{{ customTitle(t('UserGroup management') + '/' + userGroup.name) | preventXss }}{% endblock %}
 
 {% block content_header %}
 <div class="header-wrap">
   <header id="page-header">
-    <h1 class="title" id="">{{ t('UserGroup management') + '/' + userGroup.name | sanitize }}</h1>
+    <h1 class="title" id="">{{ t('UserGroup management') + '/' + userGroup.name | preventXss }}</h1>
   </header>
 </div>
 {% endblock %}
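Review bot: The group name in the `<h1>` on the added line is now passed through `preventXss`, an allow-list sanitizer, instead of an encoder, so any markup the xss library's allow-list permits in a group name will be rendered as HTML inside the heading rather than shown literally. If group names are meant to be displayed as plain text, `encodeHTML` is the stricter choice and removes the dependency on the xss configuration; `preventXss` is only needed if names are intended to carry formatting. The same consideration applies to the link text in `user-groups.html` (the `sGroup.name | preventXss` line) and to the name in `page_alerts.html`. For the `html_title` block the output additionally lands in the page title, and whether `customTitle` itself escapes is not visible here.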

+ 2 - 2
lib/views/admin/user-groups.html

@@ -124,7 +124,7 @@
             <td>
               <img src="{{ sGroup|picture }}" class="picture img-circle" />
             </td>
-            <td><a href="{{ sGroupDetailPageUrl }}">{{ sGroup.name | sanitize }}</a></td>
+            <td><a href="{{ sGroupDetailPageUrl }}">{{ sGroup.name | preventXss }}</a></td>
             <td><ul class="list-inline">
               {% for relation in userGroupRelations.get(sGroup) %}
               <li class="list-inline-item badge badge-primary">{{relation.relatedUser.username}}</li>
@@ -146,7 +146,7 @@
                   <li>
                     <a href="#"
                         data-user-group-id="{{ sGroup._id.toString() }}"
-                        data-user-group-name="{{ sGroup.name.toString() | sanitize }}"
+                        data-user-group-name="{{ sGroup.name.toString() | encodeHTML }}"
                         data-target="#admin-delete-user-group-modal"
                         data-toggle="modal">
                       <i class="icon-fw icon-fire text-danger"></i> 削除する
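Review bot: The `data-user-group-name` attribute correctly keeps an encoding filter (`encodeHTML`) while the visible link text earlier in this section uses `preventXss`; the reason, that an allow-list sanitizer does not make a value safe inside a quoted attribute and only full encoding does, is not recorded anywhere, so a later edit may "harmonise" the two. A short template comment above the `<a href="#"` element, `{# attribute value: must be fully encoded (encodeHTML), not allow-list sanitized #}`, would lock that in. The surrounding loop and table markup start outside the hunk.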

+ 1 - 1
lib/views/widget/page_alerts.html

@@ -7,7 +7,7 @@
       {% elseif page.grant == 4 %}
         <i class="icon-fw icon-lock"></i><strong>{{ consts.pageGrants[page.grant] }}</strong> ({{ t('Browsing of this page is restricted') }})
       {% elseif page.grant == 5 %}
-        <i class="icon-fw icon-organization"></i><strong>'{{ pageRelatedGroup.name | sanitize }}' only</strong> ({{ t('Browsing of this page is restricted') }})
+        <i class="icon-fw icon-organization"></i><strong>'{{ pageRelatedGroup.name | preventXss }}' only</strong> ({{ t('Browsing of this page is restricted') }})
       {% endif %}
       </p>
     {% endif %}

+ 1 - 1
lib/views/widget/page_content.html

@@ -15,7 +15,7 @@
   <div class="tab-content">
 
     {% if page %}
-      <script type="text/template" id="raw-text-original">{{ revision.body.toString() | sanitize }}</script>
+      <script type="text/template" id="raw-text-original">{{ revision.body.toString() | encodeHTML }}</script>
 
       {# formatted text #}
       <div class="tab-pane {% if not req.body.pageForm %}active{% endif %}" id="revision-body">

+ 1 - 1
lib/views/widget/page_list_and_timeline.html

@@ -33,7 +33,7 @@
             <div class="revision-body wiki"></div>
           </div>
         </div>
-        <script type="text/template">{{ page.revision.body.toString() | sanitize }}</script>
+        <script type="text/template">{{ page.revision.body.toString() | encodeHTML }}</script>
       </div>
       <hr>
       {% endfor %}