author | Joas Schilling <coding@schilljs.com> | 2016-12-15 17:07:07 +0100 |
committer | Lukas Reschke <lukas@statuscode.ch> | 2017-01-13 18:33:43 +0100 |
commit | 1a7d713883ca11716c14e20d5df1ef4fa7bbcf64 (patch) | |
tree | bcab7813be884ce72af4692c318d28e3572bfae6 /settings | |
parent | d26b902a13aeb35d89193a412cc748a518980d76 (diff) | |
download | nextcloud-server-1a7d713883ca11716c14e20d5df1ef4fa7bbcf64.tar.gz nextcloud-server-1a7d713883ca11716c14e20d5df1ef4fa7bbcf64.zip |
Don't render non HTTP links, images and quotes
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'settings')
-rw-r--r-- | settings/js/apps.js | 48 |
1 files changed, 47 insertions, 1 deletions
diff --git a/settings/js/apps.js b/settings/js/apps.js
index 15d3547b707..a527b354e68 100644
--- a/settings/js/apps.js
+++ b/settings/js/apps.js
@@ -19,6 +19,8 @@ Handlebars.registerHelper('level', function() {
 OC.Settings = OC.Settings || {};
 OC.Settings.Apps = OC.Settings.Apps || {
+ markedOptions: {},
+
 setupGroupsSelect: function($elements) {
 OC.Settings.setupGroupsSelect($elements, {
 placeholder: t('core', 'All')
@@ -187,7 +189,7 @@ OC.Settings.Apps = OC.Settings.Apps || {
 }
 // Parse markdown in app description
- app.description = marked(app.description.trim());
+ app.description = marked(app.description.trim(), OC.Settings.Apps.markedOptions);
 var html = template(app);
 if (selector) {
@@ -636,6 +638,50 @@ OC.Settings.Apps = OC.Settings.Apps || {
 * Initializes the apps list
 */
 initialize: function($el) {
+
+ var renderer = new marked.Renderer();
+ renderer.link = function(href, title, text) {
+ try {
+ var prot = decodeURIComponent(unescape(href))
+ .replace(/[^\w:]/g, '')
+ .toLowerCase();
+ } catch (e) {
+ return '';
+ }
+
+ if (prot.indexOf('http:') !== 0 && prot.indexOf('https:') !== 0) {
+ return '';
+ }
+
+ var out = '<a href="' + href + '"';
+ if (title) {
+ out += ' title="' + title + '"';
+ }
+ out += '>' + text + '</a>';
+ return out;
+ };
+ renderer.image = function(href, title, text) {
+ if (text) {
+ return text;
+ }
+ return title;
+ };
+ renderer.blockquote = function(quote) {
+ return quote;
+ };
+
+ OC.Settings.Apps.markedOptions = {
+ renderer: renderer,
+ gfm: false,
+ highlight: false,
+ tables: false,
+ breaks: false,
+ pedantic: false,
+ sanitize: true,
+ smartLists: true,
+ smartypants: false
+ };
+
 OC.Plugins.register('OCA.Search', OC.Settings.Apps.Search);
 OC.Settings.Apps.loadCategories();
 OC.Util.History.addOnPopStateHandler(_.bind(this._onPopState, this)); |
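Review bot: `markedOptions: {}` in the first hunk means any description rendered before `initialize()` runs is passed an empty options object, so marked falls back to its own defaults (where, unless `marked.setOptions` is called elsewhere, `sanitize` is off and the stock link renderer is used); the hardened options are only assigned inside `initialize` in the third hunk. If `loadCategories()` or any other caller can reach the rendering line of the second hunk earlier, the protocol allow-list would not apply to that render. Seeding the default with the non-renderer flags, e.g. `markedOptions: { sanitize: true },`, makes the fallback the safe setting rather than an empty object. The enclosing object literal continues outside the hunk.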
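Review bot: `renderer.image` returns `title` when `text` is empty, and `title` is `null` for an image without a title, so an alt-less, title-less image comes back as `null` and marked concatenates it into the output as the literal string "null"; `return text || title || '';` keeps the intent and yields an empty string instead. In `renderer.link`, `href` and `title` are placed inside attribute quotes by plain concatenation, which (as far as I can tell from marked's inline lexer of this era, and as the stock renderer also relies on) is only safe because marked HTML-escapes both before calling the renderer; a comment such as `// href/title arrive HTML-escaped from marked's inline lexer; keep sanitize: true` would record that dependency next to the code. The allow-list check strips every non-word character before comparing, so `mailto:`, relative and fragment links are dropped silently, which matches the commit title but deserves a one-line comment stating it is intentional. `initialize` continues outside the hunk.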