Alternative way to sanitize isoData (#1129)

* Alternative way to sanitize isoData

* use split/join instead of replaceAll

* Use sanitize, then restore > chars for markdown render
This commit is contained in:
Nutomic 2023-06-09 14:17:02 +02:00 committed by GitHub
parent 50a8f40187
commit 4867e455f8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 6 deletions


@ -9,6 +9,7 @@ import IsomorphicCookie from "isomorphic-cookie";
import { GetSite, GetSiteResponse, LemmyHttp, Site } from "lemmy-js-client"; import { GetSite, GetSiteResponse, LemmyHttp, Site } from "lemmy-js-client";
import path from "path"; import path from "path";
import process from "process"; import process from "process";
import sanitize from "sanitize-html";
import serialize from "serialize-javascript"; import serialize from "serialize-javascript";
import sharp from "sharp"; import sharp from "sharp";
import { App } from "../shared/components/app/app"; import { App } from "../shared/components/app/app";
@ -25,7 +26,6 @@ import {
favIconUrl, favIconUrl,
initializeSite, initializeSite,
isAuthPath, isAuthPath,
md,
} from "../shared/utils"; } from "../shared/utils";
const server = express(); const server = express();
@ -348,9 +348,7 @@ async function createSsrHtml(root: string, isoData: IsoDataOptionalSite) {
<!DOCTYPE html> <!DOCTYPE html>
<html ${helmet.htmlAttributes.toString()} lang="en"> <html ${helmet.htmlAttributes.toString()} lang="en">
<head> <head>
<script>window.isoData = ${md.utils.escapeHtml( <script>window.isoData = ${sanitize(JSON.stringify(isoData))}</script>
JSON.stringify(isoData)
)}</script>
<script>window.lemmyConfig = ${serialize(config)}</script> <script>window.lemmyConfig = ${serialize(config)}</script>
<!-- A remote debugging utility for mobile --> <!-- A remote debugging utility for mobile -->
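Review bot: `sanitize-html` is an HTML sanitizer rather than an encoder for a `<script>` context, so `window.isoData = ${sanitize(JSON.stringify(isoData))}` hands the browser a rewritten payload: markup inside user-controlled fields is stripped or entity-encoded, the client no longer receives the data the server had, and nothing here guarantees the result is still a valid JavaScript object literal. The next line already embeds `window.lemmyConfig` with `serialize()`, which keeps the data intact and escapes `<`, `>`, `/` and U+2028/2029 as `\uXXXX` sequences so a `</script>` inside a post body can never close the element. Unless serialize-javascript was ruled out for a reason not visible in this diff, `<script>window.isoData = ${serialize(isoData, { isJSON: true })}</script>` is the safer choice and makes the new `sanitize-html` import unnecessary. If the entity-encoded form is kept on purpose, state the contract on the line, e.g. `// NOTE: isoData is HTML-entity encoded by sanitize-html; the client must undo this before use`.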


@ -206,11 +206,13 @@ export function hotRank(score: number, timeStr: string): number {
} }
export function mdToHtml(text: string) { export function mdToHtml(text: string) {
return { __html: md.render(text) }; // restore '>' character to fix quotes
return { __html: md.render(text).split("&gt;").join(">") };
} }
export function mdToHtmlNoImages(text: string) { export function mdToHtmlNoImages(text: string) {
return { __html: mdNoImages.render(text) }; // restore '>' character to fix quotes
return { __html: mdNoImages.render(text).split("&gt;").join(">") };
} }
export function mdToHtmlInline(text: string) { export function mdToHtmlInline(text: string) {
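Review bot: The `.split("&gt;").join(">")` added to `mdToHtml` and `mdToHtmlNoImages` runs on markdown-it's finished HTML, so it rewrites every `&gt;` the renderer deliberately emitted — in body text, in code spans and fenced blocks, and inside quoted attribute values such as `title` and `alt` — not only the blockquote marker the comment refers to. A bare `>` in HTML5 text or in a double-quoted attribute does not open a tag, so this is not an injection by itself, but it reverses the renderer's output escaping and ties the HTML to whatever the server-side sanitizer happened to encode. It also cannot do what the comment says: if `text` arrives as `&gt; quote`, markdown-it has already declined to parse that line as a blockquote, and a post-render replacement only changes how the literal text is spelled. If the entity must be undone at all, do it on the markdown source, `md.render(text.split("&gt;").join(">"))`, so markdown-it re-escapes whatever results; the cleaner fix is to stop entity-encoding isoData on the server so this workaround is not needed. `mdToHtmlInline` starts on the hunk's last line and continues outside it.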