

[security] a better override of SimpleMDE markdown rendering
to prevent XSS vulnerabilities in SimpleMDE
atodorov committed Jan 20, 2019
1 parent 85e1bb9 commit 571d6f2
Showing 2 changed files with 18 additions and 5 deletions.
1 change: 1 addition & 0 deletions tcms/core/widgets.py
Expand Up @@ -26,4 +26,5 @@ class Media:
'all': ['simplemde/dist/simplemde.min.css']
}
js = ['simplemde/dist/simplemde.min.js',
'marked/marked.min.js',
'js/simplemde_security_override.js']
22 changes: 17 additions & 5 deletions tcms/static/js/simplemde_security_override.js
Expand Up @@ -8,10 +8,22 @@
https://snyk.io/vuln/SNYK-JS-SIMPLEMDE-72570
*/

SimpleMDE.prototype._upstream_markdown = SimpleMDE.prototype.markdown;

SimpleMDE.prototype.markdown = function(text) {
var marked = SimpleMDE.prototype._upstream_markdown();
marked.setOptions({ sanitize: true });
return marked;
var markedOptions = { sanitize: true };

if(this.options && this.options.renderingConfig && this.options.renderingConfig.singleLineBreaks === false) {
markedOptions.breaks = false;
} else {
markedOptions.breaks = true;
}

if(this.options && this.options.renderingConfig && this.options.renderingConfig.codeSyntaxHighlighting === true && window.hljs) {
markedOptions.highlight = function(code) {
return window.hljs.highlightAuto(code).value;
};
}

marked.setOptions(markedOptions);

return marked(text);
}
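Review bot: `marked.setOptions(markedOptions)` near the end of the new `markdown` body rewrites the global marked configuration on every render, so the `breaks` and `highlight` values chosen for one editor instance leak into any other code on the page that calls `marked`; marked accepts per-call options, so `return marked(text, markedOptions);` keeps the settings local to this call while still enforcing `sanitize: true` on every render. The override also relies on `marked` being a global that is loaded before this script (the widgets.py hunk adds it to `Media.js`), and a comment such as `// requires marked/marked.min.js to be loaded before this file; see tcms/core/widgets.py Media.js` would make that ordering dependency explicit to the next person editing the asset list. Whether `sanitize: true` in the bundled marked build also rejects `javascript:`-style URLs in links and images, or only escapes raw HTML, depends on the marked version shipped under `static/marked`, so that is worth confirming against the installed copy rather than assumed. As a style point, the function expression assigned to `SimpleMDE.prototype.markdown` is missing its terminating semicolon on the closing `}` line.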

