From 9b5d3f3f73b97b45d9278fd0cd7bff1e467cb6b7 Mon Sep 17 00:00:00 2001 From: DeaDvey Date: Wed, 27 Aug 2025 15:09:57 +0100 Subject: [PATCH] Fixed issue relating to showdownjs not escaping html tags by porting to markdown-it, also introduced a new function: func.render_md --- package.json | 2 +- src/functions.js | 6 ++++++ src/server.js | 30 +++++------------------------- views/headers/user.ejs | 2 +- views/posts/post.ejs | 2 +- views/posts/tag.ejs | 2 +- views/posts/timeline.ejs | 2 +- views/posts/user.ejs | 2 +- 8 files changed, 17 insertions(+), 31 deletions(-) diff --git a/package.json b/package.json index 95052f9..1bec8f3 100755 --- a/package.json +++ b/package.json @@ -3,6 +3,6 @@ "date-fns": "^4.1.0", "ejs": "^3.1.10", "express": "^5.1.0", - "showdown": "^2.1.0" + "markdown-it": "^14.1.0" } } diff --git a/src/functions.js b/src/functions.js index 8923102..3b954d7 100644 --- a/src/functions.js +++ b/src/functions.js @@ -86,6 +86,7 @@ export function escape_input(input) { .replaceAll("'", "'") .replaceAll("/", "/") .replaceAll("%", "%") + .replaceAll("&", "&") return output } @@ -98,3 +99,8 @@ export function render_comment(comment_content) { .replaceAll(/>>([0-9]*)/g, ">>$1") .replaceAll("\n", "
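Review bot: The `.replaceAll("&", …)` added to escape_input is chained last, after the replacements for `'`, `/` and `%`; if those earlier steps emit character entities (their targets appear to have been decoded by the page rendering here), each entity's leading `&` is escaped a second time and the entity reaches the browser as literal text. Move the ampersand replacement to the front of the chain so it only sees the caller's own ampersands. Values that pass through escape_input (username, title, tags) are later printed with `<%=`, which escapes again, so a `&` in a title would arrive as `&amp;amp;`; now that body text is rendered by render_md, escaping once at output time is the simpler model for the remaining fields. escape_input's signature and the start of the chain are outside the hunk.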
") }; +export function render_md(content) { + const markdownit = require("markdown-it") + const md = markdownit() + return md.render(content) +}; diff --git a/src/server.js b/src/server.js index 1dcf068..234ead4 100644 --- a/src/server.js +++ b/src/server.js @@ -1,7 +1,6 @@ // Get the libraries const fs = require('fs'); // For modifying and reading files const express = require('express'); // For running a webserver in nodejs -const showdown = require('showdown') // For converting markdown to html on demand, https://showdownjs.com/ const crypto = require('crypto'); // For encrypting passwords, I use sha512 // fromUnixTime(): Create a date from a Unix timestamp (in seconds). Decimal values will be discarded. // format(): Return the formatted date string in the given format. The result may vary by locale. @@ -49,16 +48,6 @@ catch (error) { console.log("Locale selected: ", config.locale) } -// https://showdownjs.com/docs/available-options -let converter = new showdown.Converter({ - simpleLineBreaks: true, // Parse line breaks as
in paragraphs (GitHub-style behavior). - tables: true, // Enable support for tables syntax. - strikethrough: true, // Enable support for strikethrough: ~~text~~ - tasklists: true, // Enable support for GitHub style tasklists. - [x] and - [ ] - encodeEmails: true, //Enable automatic obfuscation of email addresses. emails are encoded via character entities - headerLevelStart: 3, //Set starting level for the heading tags. -}) - // Define stuff to do with express (nodejs webserver) const app = express(); app.use(express.urlencoded({ extended: true })); @@ -82,7 +71,6 @@ app.get("/rss", (req,res) => { res.render("syndication/global_rss", { config, posts, - converter, func, }) }; @@ -102,7 +90,6 @@ app.get("/user/:username/rss", (req,res) => { res.render("syndication/user_rss", { config, posts, - converter, func, userID, }) @@ -121,7 +108,6 @@ app.get("/atom", (req,res) => { res.render("syndication/global_atom", { config, posts, - converter, func, getUnixTime, }) @@ -142,7 +128,6 @@ app.get("/user/:username/atom", (req,res) => { res.render("syndication/user_atom", { config, posts, - converter, func, userID, getUnixTime, @@ -201,7 +186,6 @@ app.get("/", (req,res) => { format, getUnixTime, func, - converter, }) }); // / app.get("/user/:username", (req, res) => { @@ -220,7 +204,6 @@ app.get("/user/:username", (req, res) => { format: format, getUnixTime: getUnixTime, func, - converter, }) }); // /user/:username app.get("/post/:post_index", (req, res) => { @@ -244,7 +227,6 @@ app.get("/post/:post_index", (req, res) => { format, getUnixTime, func, - converter, }) } else { @@ -266,7 +248,6 @@ app.get("/tag/:tag", (req,res) => { format: format, getUnixTime: getUnixTime, func, - converter, }) }); // /tag/:tag app.get("/comment/:commentID", (req,res) => { @@ -290,7 +271,6 @@ app.get("/comment/:commentID", (req,res) => { format: format, getUnixTime: getUnixTime, func, - converter, }) } }); 
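Review bot: The removed converter options are not carried over to the markdown-it instance in render_md, so rendering changes beyond the escaping fix: `simpleLineBreaks: true` has no counterpart (markdown-it's `breaks` option defaults to false), so single newlines in posts stop producing line breaks, and `headerLevelStart: 3` is dropped, so a `# heading` in a post now renders as an `<h1>` alongside the page's own headings. Task lists are not part of markdown-it's core either. Passing `{ html: false, breaks: true }` to `markdownit()` in render_md restores the line-break behaviour; the heading offset and task lists would need a plugin or a post-processing step, which is worth stating in the commit message if the regression is accepted.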
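Review bot: `converter` is removed from the locals passed to syndication/global_rss here, and likewise in the user_rss, global_atom and user_atom hunks, but no file under views/syndication appears in the diffstat. If those templates still call `converter.makeHtml(...)`, every feed request now throws a ReferenceError inside EJS; if they print `post.content` directly, the feeds now emit the raw content that submit_post stops escaping in this same commit. Either switch the four feed templates to `func.render_md(...)` (wrapped in CDATA or entity-escaped as the XML requires) and add them to the commit, or escape the content before it reaches them.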
@@ -371,7 +351,7 @@ app.post("/submit_post", (req,res) => { const password = crypto.createHash('sha512').update(req.body.password).digest('hex'); const username = func.escape_input(req.body.username) const title = func.escape_input(req.body.title) - const content = func.escape_input(req.body.content) + const content = req.body.content const tags = func.escape_input(req.body.tags).split(','); const unix_timestamp = getUnixTime(new Date()) @@ -409,7 +389,7 @@ app.post("/submit_signup", (req,res) => { const password = crypto.createHash('sha512').update(req.body.password).digest('hex'); const username = func.escape_input(req.body.username) const prettyname = func.escape_input(req.body.prettyname) - const description = func.escape_input(req.body.description) + const description = req.body.description // Check that signups are allowed if (config.allow_signup == true) { @@ -450,7 +430,7 @@ app.post("/submit_edit_user", (req,res) => { // Get the form info const password = crypto.createHash("sha512").update(req.body.password).digest("hex"); const userID = func.escape_input(req.body.userID) - const description = func.escape_input(req.body.description) + const description = req.body.description const prettyname = func.escape_input(req.body.prettyname) const delete_bool = req.body.delete @@ -496,9 +476,9 @@ app.post("/submit_edit_post", (req,res) => { const password = crypto.createHash('sha512').update(req.body.password).digest('hex'); const postID = req.body.postID const userID = req.body.userID - const title = req.body.title + const title = func.escape_input(req.body.title) const content = req.body.content - const tags = req.body.tags.split(','); + const tags = func.escape_input(req.body.tags).split(",") const delete_bool = req.body.delete const unix_timestamp = getUnixTime(new Date()) console.log(users[userID]['prettyname'], "is editting the post titled:", title); diff --git a/views/headers/user.ejs b/views/headers/user.ejs index 4f67f8e..e27f9b0 100644 
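Review bot: `const content = req.body.content` now stores the submitted markdown verbatim, so protection against injected HTML moves from write time to every read path; the same applies to `description` in the submit_signup and submit_edit_user hunks below. That is a reasonable place for it, but nothing in the code records the new invariant, so a later template that prints `post.content` or `user.description` with `<%-` directly would reintroduce the bug the commit fixes. Suggest a comment on each of the three lines, e.g. `// Stored raw: output only through func.render_md (markdown-it escapes tags); never print with <%- directly`, and the same sentence in a doc comment above render_md.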
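Review bot: In submit_edit_post the hunk wraps `title` and `tags` in escape_input but leaves `postID` and `userID` raw, and the context line below indexes `users[userID]['prettyname']` with it before any check; a userID that is not a key of `users` makes that line throw a TypeError, and escape_input would not help since these are lookup keys rather than display strings. Guard the lookup before the log line, e.g. `if (!Object.hasOwn(users, userID) || !Object.hasOwn(posts, postID)) return res.status(400).end();`, assuming `users` and `posts` are plain objects keyed by id (their definitions are outside this hunk). `Object.hasOwn` also keeps prototype names such as `constructor` from resolving to something unexpected.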
--- a/views/headers/user.ejs +++ b/views/headers/user.ejs @@ -1,7 +1,7 @@

<%= user.prettyname %>

-

<%- converter.makeHtml(user.description) %>

+

<%- func.render_md(user.description) %>

<%= locale.edit_account %>
<%= locale.rss_feed %>
<%= locale.atom_feed %> diff --git a/views/posts/post.ejs b/views/posts/post.ejs index 1fe0f8f..ec2aeb6 100644 --- a/views/posts/post.ejs +++ b/views/posts/post.ejs @@ -1,7 +1,7 @@

<%= post.title %>

-<%- converter.makeHtml(post.content) %>
+<%- func.render_md(post.content) %>
<%= locale.written_by %> <%= user.username %>
diff --git a/views/posts/tag.ejs b/views/posts/tag.ejs index 4335051..309e94c 100644 --- a/views/posts/tag.ejs +++ b/views/posts/tag.ejs @@ -1,7 +1,7 @@

<%= post.title %>

-<%- converter.makeHtml(post.content) %>
+<%- func.render_md(post.content) %>
<%= locale.permalink %>
<%- func.hyperlink_tags(post.tags) %>
diff --git a/views/posts/timeline.ejs b/views/posts/timeline.ejs index e8492de..b22ec59 100644 --- a/views/posts/timeline.ejs +++ b/views/posts/timeline.ejs @@ -1,7 +1,7 @@

<%= post.title %>

-<%- converter.makeHtml(post.content) %>
+<%- func.render_md(post.content) %>
<%= locale.permalink %>
<%= locale.written_by %> <%= user.username %>
diff --git a/views/posts/user.ejs b/views/posts/user.ejs index d3d9e50..d33ed3a 100644 --- a/views/posts/user.ejs +++ b/views/posts/user.ejs @@ -1,7 +1,7 @@

<%= post.title %>

-<%- converter.makeHtml(post.content) %>
+<%- func.render_md(post.content) %>
<%= locale.permalink %>