Add html-escape before markdown parsing

d4abb965 · Sandro Lutz · f9b164a8 · d4abb965 · d4abb965 · d4abb965
Commit d4abb965 authored Jun 20, 2018 by Sandro Lutz
--- a/package.json
+++ b/package.json
@@ -24,6 +24,7 @@
    "babel-polyfill": "^6.26.0",
    "email-validator": "^2.0.3",
    "i18n4v": "^0.2.2",
+    "html-escape": "^2.0.0",
    "marked": "^0.3.18",
    "mithril": "^1.1.5",
    "polythene-css": "^1.0.0",

--- a/src/views/amiv/board.js
+++ b/src/views/amiv/board.js
 import m from 'mithril';
 import marked from 'marked';
+import escape from 'html-escape';
 import { data, image as boardImage } from './data/board';
 import { i18n, currentLanguage } from '../../models/language';
 import { TranslationUnavailable } from '../errors';
@@ -7,7 +8,7 @@ import { TranslationUnavailable } from '../errors';
 class ImageGroup {
  static _parseMarkdownText(text) {
    // replace leading spaces when using multi-line strings
-    return marked(text.trim().replace(/\n[^\S\n]+/g, '\n'));
+    return marked(escape(text.trim().replace(/\n[^\S\n]+/g, '\n')));
  }
  static view(vnode) {

--- a/src/views/amiv/commissions.js
+++ b/src/views/amiv/commissions.js
 import m from 'mithril';
 import marked from 'marked';
+import escape from 'html-escape';
 import { data } from './data/commissions';
 import { i18n, currentLanguage } from '../../models/language';
 import { TranslationUnavailable } from '../errors';
@@ -7,7 +8,7 @@ import { TranslationUnavailable } from '../errors';
 class Commission {
  static _parseMarkdownText(text) {
    // replace leading spaces when using multi-line strings
-    return marked(text.trim().replace(/\n[^\S\n]+/g, '\n'));
+    return marked(escape(text.trim().replace(/\n[^\S\n]+/g, '\n')));
  }
  static view(vnode) {

--- a/src/views/companies/companyList.js
+++ b/src/views/companies/companyList.js
 import m from 'mithril';
 import marked from 'marked';
+import escape from 'html-escape';
 import { data } from './data/companies';
 import { i18n, currentLanguage } from '../../models/language';
 class CompanyItem {
  static _parseMarkdownText(text) {
    // replace leading spaces when using multi-line strings
-    return marked(text.trim().replace(/\n[^\S\n]+/g, '\n'));
+    return marked(escape(text.trim().replace(/\n[^\S\n]+/g, '\n')));
  }
  static view(vnode) {

--- a/src/views/events/eventDetails.js
+++ b/src/views/events/eventDetails.js
 import m from 'mithril';
 import marked from 'marked';
+import escape from 'html-escape';
 import * as EmailValidator from 'email-validator';
 import { log } from '../../models/log';
 import { isLoggedIn, login } from '../../models/auth';
@@ -175,7 +176,7 @@ export default class EventDetails {
          ? i18n('events.no_registration')
          : i18n('events.%n_spots_available', event.spots - event.signup_count)
      ),
-      m('p', m.trust(marked(event.getDescription()))),
+      m('p', m.trust(marked(escape(event.getDescription())))),
      eventSignupForm,
    ]);
  }

--- a/src/views/jobs/jobofferDetails.js
+++ b/src/views/jobs/jobofferDetails.js
 import m from 'mithril';
 import marked from 'marked';
+import escape from 'html-escape';
 import { apiUrl } from 'config';
 import * as jobs from '../../models/joboffers';
 import { log } from '../../models/log';
@@ -20,7 +21,7 @@ export default class JobOfferDetails {
    return m('div', [
      m('h1', jobOffer.title),
      m('img', { src: `${apiUrl}${jobOffer.logo.file}`, alt: jobOffer.company }),
-      m('p', m.trust(marked(jobOffer.description))),
+      m('p', m.trust(marked(escape(jobOffer.description)))),
      m('a', { href: `${apiUrl}${jobOffer.pdf.file}`, target: '_blank' }, 'Download as PDF'),
    ]);
  }