Fixed issue relating to showdownjs not escaping html tags by porting to

markdown-it, also introduced a new function: func.render_md

package.json

@@ -3,6 +3,6 @@
     "date-fns": "^4.1.0",
     "ejs": "^3.1.10",
     "express": "^5.1.0",
-    "showdown": "^2.1.0"
+    "markdown-it": "^14.1.0"
   }
 }

src/functions.js

@@ -86,6 +86,7 @@ export function escape_input(input) {
         .replaceAll("'", "'")
         .replaceAll("/", "/")
         .replaceAll("%", "%")
+        .replaceAll("&", "&")
     return output
 }
 
@@ -98,3 +99,8 @@ export function render_comment(comment_content) {
             .replaceAll(/&gt;&gt;([0-9]*)/g, "<a href='/comment/$1'>>>$1</a>")
             .replaceAll("\n", "<br/>")
 };
+export function render_md(content) {
+    const markdownit = require("markdown-it")
+    const md = markdownit()
+    return md.render(content)
+};

src/server.js

@@ -1,7 +1,6 @@
 // Get the libraries
 const fs = require('fs'); // For modifying and reading files
 const express = require('express'); // For running a webserver in nodejs
-const showdown  = require('showdown') // For converting markdown to html on demand, https://showdownjs.com/
 const crypto = require('crypto'); // For encrypting passwords, I use sha512
 // fromUnixTime(): Create a date from a Unix timestamp (in seconds). Decimal values will be discarded.
 // format(): Return the formatted date string in the given format. The result may vary by locale.
@@ -49,16 +48,6 @@ catch (error) {
     console.log("Locale selected: ", config.locale)
 }
 
-// https://showdownjs.com/docs/available-options
-let converter = new showdown.Converter({
-    simpleLineBreaks: true, // Parse line breaks as <br/> in paragraphs (GitHub-style behavior).
-    tables: true, // Enable support for tables syntax.
-    strikethrough: true, // Enable support for strikethrough: ~~text~~
-    tasklists: true, // Enable support for GitHub style tasklists. - [x] and - [ ]
-    encodeEmails: true, //Enable automatic obfuscation of email addresses. emails are encoded via character entities
-    headerLevelStart: 3, //Set starting level for the heading tags.
-})
-
 // Define stuff to do with express (nodejs webserver)
 const app = express();
 app.use(express.urlencoded({ extended: true }));
@@ -82,7 +71,6 @@ app.get("/rss", (req,res) => {
 		res.render("syndication/global_rss", {
             config,
             posts,
-            converter,
             func,
         })
 	};
@@ -102,7 +90,6 @@ app.get("/user/:username/rss", (req,res) => {
 		res.render("syndication/user_rss", {
             config,
             posts,
-            converter,
             func,
             userID,
         })
@@ -121,7 +108,6 @@ app.get("/atom", (req,res) => {
 		res.render("syndication/global_atom", {
             config,
             posts,
-            converter,
             func,
             getUnixTime,
         })
@@ -142,7 +128,6 @@ app.get("/user/:username/atom", (req,res) => {
 		res.render("syndication/user_atom", {
             config,
             posts,
-            converter,
             func,
             userID,
             getUnixTime,
@@ -201,7 +186,6 @@ app.get("/", (req,res) => {
             format,
             getUnixTime,
             func,
-            converter,
         })
 }); // /
 app.get("/user/:username", (req, res) => {
@@ -220,7 +204,6 @@ app.get("/user/:username", (req, res) => {
             format: format,
             getUnixTime: getUnixTime,
             func,
-            converter,
         })
 }); // /user/:username
 app.get("/post/:post_index", (req, res) => {
@@ -244,7 +227,6 @@ app.get("/post/:post_index", (req, res) => {
                 format,
                 getUnixTime,
                 func,
-                converter,
             })
     }
     else {
@@ -266,7 +248,6 @@ app.get("/tag/:tag", (req,res) => {
             format: format,
             getUnixTime: getUnixTime,
             func,
-            converter,
         })
 }); // /tag/:tag
 app.get("/comment/:commentID", (req,res) => {
@@ -290,7 +271,6 @@ app.get("/comment/:commentID", (req,res) => {
                 format: format,
                 getUnixTime: getUnixTime,
                 func,
-                converter,
             })
     }
 });
@@ -371,7 +351,7 @@ app.post("/submit_post", (req,res) => {
 	const password = crypto.createHash('sha512').update(req.body.password).digest('hex');
 	const username = func.escape_input(req.body.username)
 	const title = func.escape_input(req.body.title)
-	const content = func.escape_input(req.body.content)
+	const content = req.body.content
 	const tags = func.escape_input(req.body.tags).split(',');
 	const unix_timestamp = getUnixTime(new Date())
 
@@ -409,7 +389,7 @@ app.post("/submit_signup", (req,res) => {
     const password =  crypto.createHash('sha512').update(req.body.password).digest('hex');
     const username = func.escape_input(req.body.username)
     const prettyname = func.escape_input(req.body.prettyname)
-    const description = func.escape_input(req.body.description)
+    const description = req.body.description
 
     // Check that signups are allowed
     if (config.allow_signup == true) {
@@ -450,7 +430,7 @@ app.post("/submit_edit_user", (req,res) => {
     // Get the form info
     const password = crypto.createHash("sha512").update(req.body.password).digest("hex");
     const userID = func.escape_input(req.body.userID)
-    const description = func.escape_input(req.body.description)
+    const description = req.body.description
     const prettyname = func.escape_input(req.body.prettyname)
     const delete_bool = req.body.delete
 
@@ -496,9 +476,9 @@ app.post("/submit_edit_post", (req,res) => {
     const password = crypto.createHash('sha512').update(req.body.password).digest('hex');
     const postID = req.body.postID
     const userID = req.body.userID
-    const title = req.body.title
+    const title = func.escape_input(req.body.title)
     const content = req.body.content
-    const tags = req.body.tags.split(',');
+    const tags = func.escape_input(req.body.tags).split(",")
     const delete_bool = req.body.delete
     const unix_timestamp = getUnixTime(new Date())
     console.log(users[userID]['prettyname'], "is editting the post titled:", title);

views/headers/user.ejs

@@ -1,7 +1,7 @@
 <h1>
     <%= user.prettyname %>
 </h1>
-<p><%- converter.makeHtml(user.description) %></p>
+<p><%- func.render_md(user.description) %></p>
 <a href="<%= config.edit_account_base_url %>/<%= userID %>"><%= locale.edit_account %></a><br/>
 <a href="/user/<%= user.username %>/rss"><%= locale.rss_feed %></a><br/>
 <a href="/user/<%= user.username %>/atom"><%= locale.atom_feed %></a>

views/posts/post.ejs

@@ -1,7 +1,7 @@
 <h1>
     <%= post.title %>
 </h1>
-<%- converter.makeHtml(post.content) %><br/>
+<%- func.render_md(post.content) %><br/>
 <i>
     <%= locale.written_by %> <a href="/user/<%= user.username %>"><%= user.username %></a><br/>
 </i>

views/posts/tag.ejs

@@ -1,7 +1,7 @@
 <h3>
     <%= post.title %>
 </h3>
-<%- converter.makeHtml(post.content) %><br/>
+<%- func.render_md(post.content) %><br/>
 <a href="/post/<%- postID %>"><%= locale.permalink %></a><br/>
 <%- func.hyperlink_tags(post.tags) %>
 <br/>

views/posts/timeline.ejs

@@ -1,7 +1,7 @@
 <h3>
     <%= post.title %>
 </h3>
-<%- converter.makeHtml(post.content) %><br/>
+<%- func.render_md(post.content) %><br/>
 <a href="/post/<%- index %>"><%= locale.permalink %></a><br/>
 <i>
     <%= locale.written_by %> <a href="/user/<%= user.username %>"><%= user.username %></a><br/>

views/posts/user.ejs

@@ -1,7 +1,7 @@
 <h3>
     <%= post.title %>
 </h3>
-<%- converter.makeHtml(post.content) %><br/>
+<%- func.render_md(post.content) %><br/>
 <a href="/post/<%- index %>"><%= locale.permalink %></a><br/>
 <br/>