From 7a5c3bfcd8bcb32b859f52b3d53916004320af5e Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Mon, 21 Oct 2013 13:10:19 -0400
Subject: [PATCH] whitelist acceptable syntax highlighting classes
---
.../discourse/dialects/github_code_dialect.js | 16 +++++++++++++++-
test/javascripts/components/markdown_test.js | 3 +++
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/app/assets/javascripts/discourse/dialects/github_code_dialect.js b/app/assets/javascripts/discourse/dialects/github_code_dialect.js
index 725b14a572..31fc8d97bf 100644
--- a/app/assets/javascripts/discourse/dialects/github_code_dialect.js
+++ b/app/assets/javascripts/discourse/dialects/github_code_dialect.js
@@ -5,11 +5,25 @@
@event register
@namespace Discourse.Dialect
**/
+
+var acceptableCodeClasses =
+ ["lang-auto", "1c", "actionscript", "apache", "applescript", "avrasm", "axapta", "bash", "brainfuck",
+ "clojure", "cmake", "coffeescript", "cpp", "cs", "css", "d", "delphi", "diff", "xml", "django", "dos",
+ "erlang-repl", "erlang", "glsl", "go", "handlebars", "haskell", "http", "ini", "java", "javascript",
+ "json", "lisp", "lua", "markdown", "matlab", "mel", "nginx", "objectivec", "parser3", "perl", "php",
+ "profile", "python", "r", "rib", "rsl", "ruby", "rust", "scala", "smalltalk", "sql", "tex", "text",
+ "vala", "vbscript", "vhdl"];
+
Discourse.Dialect.replaceBlock({
start: /^`{3}([^\n\[\]]+)?\n?([\s\S]*)?/gm,
stop: '```',
emitter: function(blockContents, matches) {
- return ['p', ['pre', ['code', {'class': matches[1] || 'lang-auto'}, blockContents.join("\n") ]]];
+
+ var klass = 'lang-auto';
+ if (matches[1] && acceptableCodeClasses.indexOf(matches[1]) !== -1) {
+ klass = matches[1];
+ }
+ return ['p', ['pre', ['code', {'class': klass}, blockContents.join("\n") ]]];
}
});
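Review bot: The new allowlist at `acceptableCodeClasses` carries no comment explaining why it exists, yet it is the only thing standing between user-supplied fence text and the class attribute of the emitted `<code>` element; add above it `// Only these values may become the <code> element's class; anything else falls back to 'lang-auto' so post authors cannot inject arbitrary CSS classes into cooked markup.` The value being checked, `matches[1]`, is captured by the `start` regex as `([^\n\[\]]+)?`, which admits spaces and uppercase letters, so a fence such as "Ruby" or "ruby " (trailing space) is silently downgraded to `lang-auto` rather than highlighted; if that is not intended, normalize before the lookup with `var lang = matches[1] && matches[1].trim().toLowerCase();` and test `lang` instead of `matches[1]`. Either way a short comment on the `if` stating that the fallback is deliberate would keep a later maintainer from "fixing" it by passing the raw capture through again.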
diff --git a/test/javascripts/components/markdown_test.js b/test/javascripts/components/markdown_test.js
index 239748467f..ad6d5edd15 100644
--- a/test/javascripts/components/markdown_test.js
+++ b/test/javascripts/components/markdown_test.js
@@ -300,6 +300,9 @@ test("Code Blocks", function() {
"hello `eviltrout`
",
"it allows code with backticks in it");
+ cooked("```eviltrout\nhello\n```",
+ "hello
",
+ "it doesn't not whitelist all classes");
cooked("```[quote=\"sam, post:1, topic:9441, full:true\"]This is `` a bug.[/quote]```",
"[quote="sam, post:1, topic:9441, full:true"]This is `<not>` a bug.[/quote]
",