Diffstat (limited to 'web')
-rw-r--r--web/react/package.json3
-rw-r--r--web/react/utils/markdown.jsx47
2 files changed, 33 insertions, 17 deletions
diff --git a/web/react/package.json b/web/react/package.json
index b63fe35fb..41b2468af 100644
--- a/web/react/package.json
+++ b/web/react/package.json
@@ -22,13 +22,14 @@
"watchify": "3.6.1",
"eslint": "1.9.0",
"eslint-plugin-react": "3.9.0",
+ "exorcist": "0.4.0",
"babel-eslint": "4.1.5"
},
"scripts": {
"check": "",
"build-libs": "browserify -r crypto -r autolinker -r flux -r keymirror -r marked -r object-assign -r twemoji | uglifyjs -c -m --screw-ie8 > ../static/js/libs.min.js",
"start": "watchify --fast -x crypto -x node -x autolinker -x flux -x keymirror -x marked -x object-assign -x twemoji -o ../static/js/bundle.js -v -d ./**/*.jsx",
- "build": "browserify -x crypto -x autolinker -x flux -x keymirror -x marked -x object-assign -x twemoji ./**/*.jsx | uglifyjs -c -m --screw-ie8 > ../static/js/bundle.min.js"
+ "build": "browserify -x crypto -x autolinker -x flux -x keymirror -x marked -x object-assign -x twemoji -d ./**/*.jsx | exorcist ../static/js/inter.js.map > ../static/js/tmp.js && uglifyjs ../static/js/tmp.js --in-source-map \"../static/js/inter.js.map\" --source-map \"../static/js/bundle.min.js.map\" --source-map-url \"/static/js/bundle.min.js.map\" -c -m --screw-ie8 > ../static/js/bundle.min.js && rm ../static/js/tmp.js && rm ../static/js/inter.js.map"
},
"browserify": {
"transform": [
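Review bot: The new `build` script writes its intermediates (`tmp.js`, `inter.js.map`) into `../static/js`, which appears to be the served static directory, and the two `rm` steps sit at the end of an `&&` chain, so they are skipped whenever `uglifyjs` fails. A failed build therefore leaves an unminified bundle and its source map where they could be served; writing the intermediates to a scratch directory outside `../static` would avoid that. Separately, `--source-map-url "/static/js/bundle.min.js.map"` publishes the production source map to every client. If that is intended, a line in the build documentation saying so would help (JSON has no comment syntax to record it here).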
diff --git a/web/react/utils/markdown.jsx b/web/react/utils/markdown.jsx
index 7957ea31b..b0ec64bfd 100644
--- a/web/react/utils/markdown.jsx
+++ b/web/react/utils/markdown.jsx
@@ -110,32 +110,47 @@ class MattermostMarkdownRenderer extends marked.Renderer {
this.formattingOptions = formattingOptions;
}
- code(code, language) {
- let usedLanguage = language;
+ code(code, language, escaped) {
+ let usedLanguage = language || '';
+ usedLanguage = usedLanguage.toLowerCase();
- if (String(usedLanguage).toLocaleLowerCase() === 'html') {
+ // treat html as xml to prevent injection attacks
+ if (usedLanguage === 'html') {
usedLanguage = 'xml';
}
- if (usedLanguage && (usedLanguage === 'tex' || usedLanguage === 'latex')) {
+ if (HighlightedLanguages[usedLanguage]) {
+ const parsed = highlightJs.highlight(usedLanguage, code);
+
+ return (
+ '<div class="post-body--code">' +
+ '<span class="post-body--code__language">' +
+ HighlightedLanguages[usedLanguage] +
+ '</span>' +
+ '<pre>' +
+ '<code class="hljs">' +
+ parsed.value +
+ '</code>' +
+ '</pre>' +
+ '</div>'
+ );
+ } else if (usedLanguage === 'tex' || usedLanguage === 'latex') {
try {
- var html = katex.renderToString(TextFormatting.sanitizeHtml(code), {throwOnError: false, displayMode: true});
+ const html = katex.renderToString(TextFormatting.sanitizeHtml(code), {throwOnError: false, displayMode: true});
+
return '<div class="post-body--code tex">' + html + '</div>';
} catch (e) {
- return '<div class="post-body--code">' + TextFormatting.sanitizeHtml(code) + '</div>';
+ // fall through if latex parsing fails and handle below
}
}
- if (!usedLanguage || highlightJs.listLanguages().indexOf(usedLanguage) < 0) {
- let parsed = super.code(code, usedLanguage);
- return '<div class="post-body--code"><code class="hljs">' + TextFormatting.sanitizeHtml($(parsed).text()) + '</code></div>';
- }
-
- let parsed = highlightJs.highlight(usedLanguage, code);
- return '<div class="post-body--code">' +
- '<span class="post-body--code__language">' + HighlightedLanguages[usedLanguage] + '</span>' +
- '<code class="hljs">' + parsed.value + '</code>' +
- '</div>';
+ return (
+ '<pre>' +
+ '<code class="hljs">' +
+ (escaped ? code : TextFormatting.sanitizeHtml(code)) + '\n' +
+ '</code>' +
+ '</pre>'
+ );
}
br() {
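Review bot: The `if (HighlightedLanguages[usedLanguage])` test in `code()` indexes the table with the fence's language string, which comes from message text. If `HighlightedLanguages` is a plain object literal (its definition is outside this hunk), inherited keys such as `constructor` pass the truthiness check. The inherited value would then be concatenated into the `post-body--code__language` span and the name passed to `highlightJs.highlight()`, which is not inside a `try` and may throw while the post is rendering. An own-property test closes this: `if (Object.prototype.hasOwnProperty.call(HighlightedLanguages, usedLanguage)) {`. It would also help to confirm that every key in the table is a language registered with highlight.js, since that call is otherwise unguarded.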