Don't render non HTTP links, images and quotes
authorJoas Schilling <coding@schilljs.com>
Thu, 15 Dec 2016 16:07:07 +0000 (17:07 +0100)
committerJoas Schilling <coding@schilljs.com>
Tue, 17 Jan 2017 10:36:49 +0000 (11:36 +0100)
Signed-off-by: Joas Schilling <coding@schilljs.com>
settings/js/apps.js

index 15d3547b707e8f10d48e8b48ddd90242505a4453..a527b354e6801ff87500ae56d142bc8a34277121 100644 (file)
@@ -19,6 +19,8 @@ Handlebars.registerHelper('level', function() {
 
 OC.Settings = OC.Settings || {};
 OC.Settings.Apps = OC.Settings.Apps || {
+       markedOptions: {},
+
        setupGroupsSelect: function($elements) {
                OC.Settings.setupGroupsSelect($elements, {
                        placeholder: t('core', 'All')
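Review bot: `markedOptions: {}` leaves description rendering on marked's defaults (no `sanitize`, stock link renderer) for any `render` call that runs before `initialize` has filled the object in, because the second hunk passes this object straight to `marked()`. Whether such a call can happen depends on callers outside this diff, but a safe default costs one line: `markedOptions: { sanitize: true },` — as far as I recall, marked's stock link renderer applies its own protocol check when `sanitize` is set, so the window before `initialize` would be covered too. The enclosing object literal continues past the hunk.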
@@ -187,7 +189,7 @@ OC.Settings.Apps = OC.Settings.Apps || {
                }
 
                // Parse markdown in app description
-               app.description = marked(app.description.trim());
+               app.description = marked(app.description.trim(), OC.Settings.Apps.markedOptions);
 
                var html = template(app);
                if (selector) {
@@ -636,6 +638,50 @@ OC.Settings.Apps = OC.Settings.Apps || {
         * Initializes the apps list
         */
        initialize: function($el) {
+
+               var renderer = new marked.Renderer();
+               renderer.link = function(href, title, text) {
+                       try {
+                               var prot = decodeURIComponent(unescape(href))
+                                       .replace(/[^\w:]/g, '')
+                                       .toLowerCase();
+                       } catch (e) {
+                               return '';
+                       }
+
+                       if (prot.indexOf('http:') !== 0 && prot.indexOf('https:') !== 0) {
+                               return '';
+                       }
+
+                       var out = '<a href="' + href + '"';
+                       if (title) {
+                               out += ' title="' + title + '"';
+                       }
+                       out += '>' + text + '</a>';
+                       return out;
+               };
+               renderer.image = function(href, title, text) {
+                       if (text) {
+                               return text;
+                       }
+                       return title;
+               };
+               renderer.blockquote = function(quote) {
+                       return quote;
+               };
+
+               OC.Settings.Apps.markedOptions = {
+                       renderer: renderer,
+                       gfm: false,
+                       highlight: false,
+                       tables: false,
+                       breaks: false,
+                       pedantic: false,
+                       sanitize: true,
+                       smartLists: true,
+                       smartypants: false
+               };
+
                OC.Plugins.register('OCA.Search', OC.Settings.Apps.Search);
                OC.Settings.Apps.loadCategories();
                OC.Util.History.addOnPopStateHandler(_.bind(this._onPopState, this));
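Review bot: renderer.link interpolates `href` and `title` into attribute values without escaping, so the protocol check is the only defence if marked ever hands over raw values; I believe marked HTML-escapes both before calling the renderer (the stock renderer is written the same way), but that dependency is worth a comment above the `var out` line, e.g. `// href/title are already HTML-escaped by marked before reaching the renderer; the check above only restricts the scheme`. Minor style points: `var prot` is declared inside the `try` and read after it, which only works through hoisting, and `unescape` is a legacy Annex B function. `initialize` continues past the end of the hunk.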