escaping html in the notes field
This commit is contained in:
parent
c537d0f464
commit
dddc4f235e
@ -47,8 +47,8 @@ function walkEntry(db, entry, parents) {
let html = false;
if (field.markdown && AppSettingsModel.useMarkdown) {
const converted = MdToHtml.convert(value);
if (converted !== value) {
value = converted;
if (converted.html) {
value = converted.html;
html = true;
}
}
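Review bot: The new branch leaves `value` as the raw, unescaped field text whenever `MdToHtml.convert` returns `{ text }`, and only the `html` flag distinguishes the DOMPurify-sanitized markup from that raw text; the code that consumes `html` is outside this hunk, so I can't confirm the plain path is escaped before rendering, which is the point of this commit. A comment on the flag would make the contract visible to the next reader: `// html: value is DOMPurify-sanitized markup (see MdToHtml.convert) and may be inserted as HTML; otherwise value is raw text and must be escaped by the renderer`. The sibling hunk in FieldViewText unwraps a protected value with `getText()` before calling `convert`; whether `value` here can still be a protected value is not visible in this hunk, so it is worth checking. walkEntry starts and ends outside the hunk.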
@ -21,10 +21,10 @@ const MdToHtml = {
const htmlWithoutLineBreaks = html.replace(whiteSpaceRegex, '');
const mdWithoutLineBreaks = md.replace(whiteSpaceRegex, '');
if (htmlWithoutLineBreaks === mdWithoutLineBreaks) {
return md;
return { text: md };
} else {
const sanitized = dompurify.sanitize(html, { ADD_ATTR: ['target'] });
return `<div class="markdown">${sanitized}</div>`;
return { html: `<div class="markdown">${sanitized}</div>` };
}
}
};
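Review bot: The return shape now encodes the escaping contract — `text` is the unmodified, unescaped markdown and `html` is the DOMPurify output — but nothing documents it, and a caller that reads the wrong key will render raw text as HTML. I'd add a JSDoc on `convert` stating that `{ text }` must still be HTML-escaped by the caller, while `{ html }` has been sanitized (with `target` explicitly allowed on links, which is only safe while the renderer keeps emitting `rel="noreferrer noopener"` as the test below expects) and may be set as innerHTML. The plaintext decision relies on whitespace-stripped equality of input and renderer output, so any input the renderer does not change, including raw `<script>` passed through untouched, deliberately comes back as `text`; that deserves a why-comment on the `if`, e.g. `// renderer produced no markup: return the raw text so the caller escapes it instead of trusting it as HTML`. The start of convert, where `html` and `whiteSpaceRegex` are defined, lies outside the hunk.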
@ -24,7 +24,11 @@ class FieldViewText extends FieldView {
if (value && value.isProtected) {
value = value.getText();
}
return MdToHtml.convert(value);
const converted = MdToHtml.convert(value);
if (converted.html) {
return converted.html;
}
value = converted.text;
}
return value && value.isProtected
? PasswordPresenter.presentValueWithLineBreaks(value)
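Review bot: After `value = converted.text` the protected value has already been replaced by its plain string via `getText()`, so the `value && value.isProtected` check that follows can never be true on this path and a protected markdown field falls through to the non-protected rendering; this matches the previous behaviour (`return MdToHtml.convert(value)` also returned the unwrapped text), but it reads as accidental and deserves either a comment or a deliberate decision. More importantly, `converted.text` is the raw, unescaped field text, and the branch that renders it is outside the hunk, so I can't confirm it is escaped; a comment such as `// plain text: not sanitized, must be escaped by the rendering below` at the assignment would make the intent explicit to whoever touches that branch. The enclosing method and its `if` start before the hunk and its return continues past it.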
@ -2,6 +2,7 @@ Release notes
-------------
##### v1.14.0 (TBD)
`+` using OAuth authorization code grant for all storage providers
`-` fixed a number of vulnerabilities in opening untrusted kdbx files
|
##### v1.13.4 (2020-04-15)
`-` fix #1457: fixed styles in theme plugins
@ -3,20 +3,21 @@ import { MdToHtml } from 'util/formatting/md-to-html';
|
describe('MdToHtml', () => {
it('should convert markdown', () => {
expect(MdToHtml.convert('## head\n_italic_')).to.eql(
'<div class="markdown"><h2>head</h2>\n<p><em>italic</em></p>\n</div>'
);
expect(MdToHtml.convert('## head\n_italic_')).to.eql({
html: '<div class="markdown"><h2>head</h2>\n<p><em>italic</em></p>\n</div>'
});
});
|
it('should not add markdown wrapper tags for plaintext', () => {
expect(MdToHtml.convert('plain\ntext')).to.eql('plain\ntext');
expect(MdToHtml.convert('plain\ntext')).to.eql({ text: 'plain\ntext' });
});
|
it('should convert links', () => {
expect(MdToHtml.convert('[link](https://x)')).to.eql(
'<div class="markdown">' +
expect(MdToHtml.convert('[link](https://x)')).to.eql({
html:
'<div class="markdown">' +
'<p><a href="https://x" rel="noreferrer noopener" target="_blank">link</a></p>\n' +
'</div>'
);
});
});
});
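Review bot: The updated tests pin the new `{ text }` / `{ html }` shape but none exercises the case this commit is about — field text that contains HTML — so a regression in the `dompurify.sanitize` call or in the plaintext check would go unnoticed. I'd add a test that forces the HTML path with a markdown token and asserts that event-handler attributes are stripped, plus one that checks a snippet with no markdown comes back under `text`; the exact expectation for the latter depends on whether the renderer passes raw HTML through unchanged, which is not visible here, so confirm before pinning it.
```javascript
    it('should strip unsafe html from converted markdown', () => {
        const converted = MdToHtml.convert('_x_\n<img src=x onerror="alert(1)">');
        expect(converted.text).to.be.undefined;
        expect(converted.html).to.not.contain('onerror');
    });
```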