Skip to content

Commit

Permalink
Work-around for *marked* issue on single tags and dep update (OpenUse…
Browse files Browse the repository at this point in the history
…rJS#2014)

* walkTokens in *marked* is not any better because `<kbd>` + `string` + `</kbd>` still happen individually... more maintenance needed.
* tokenizer in *marked* could work as long as the default handler wouldn't split the input but untested at the moment and I suspect it would split. Also even more to maintain.
* Only applying this workaround to `html` type input with single tags only for now. Nested is unsupported.
* Not closing atm because this is extremely hacky and it may not cover all instances since user-content can be anything.
* Next *marked* will be breaking in multiple places and requires yet another dependency to continue to work with highlighting at minimum.
* Alternative sanitizers, that may or may not auto close tags are either built on current, or have DOM only prerequisites/hacky Server implementation.
* Missing semicolon.

NOTE(s):
* `blockquote` renderer appears to never be called but haven't typed everything there is possible into user-content. ;)
* `innerHTML` *possibly* auto-closes just like GM_setStyle lib does with CSS in the DOM i.e. validation before execution... a form of sanitizing... currently untested but assumed for future ease-of maintainability.

Applies to OpenUserJS#1775

Auto-merge
  • Loading branch information
Martii authored Nov 9, 2023
1 parent add7519 commit b8c9f1e
Show file tree
Hide file tree
Showing 2 changed files with 29 additions and 2 deletions.
29 changes: 28 additions & 1 deletion libs/markdown.js
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,22 @@ function sanitize(aHtml) {
// Sanitize the output from the block level renderers
blockRenderers.forEach(function (aType) {
renderer[aType] = function () {
var matches = null;
var openTagName = null;
var closeTagName = null;

// Begin workaround for #1775
if (aType === 'html') {
matches = arguments[0].match(/^<([a-z]+)(?![^>]*\/>)[^>]*>$/);
if (matches) {
openTagName = matches[1];
}
matches = arguments[0].match(/^<\/([a-z]+)>$/);
if (matches) {
closeTagName = matches[1];
}
}

// Sanitize first to close any tags
var sanitized = sanitize(marked.Renderer.prototype[aType].apply(renderer, arguments));

Expand Down Expand Up @@ -198,7 +214,18 @@ blockRenderers.forEach(function (aType) {
}
}

sanitized = hookNode.innerHTML
sanitized = hookNode.innerHTML;
}

// End workaround for #1775
if (aType === 'html') {
if (openTagName) {
sanitized = sanitized.replace(/<\/[a-z]+>/, '');
}

if (closeTagName) {
sanitized = '</' + closeTagName + '>';
}
}

return sanitized;
Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@
"js-beautify": "1.14.9",
"jsdom": "22.1.0",
"less-middleware": "3.1.0",
"marked": "4.3.0",
"marked": "7.0.5",
"media-type": "0.3.1",
"method-override": "3.0.0",
"mime-db": "1.52.0",
Expand Down

0 comments on commit b8c9f1e

Please sign in to comment.