用 markdown-it 代替 remarkable. fix #440 #468

1. 开启了 html 的支持 2. 使用老雷的 js-xss 来防 xss
cnodejs · Jan 11, 2015 · 3587bca · 3587bca · fengmk2 · Jan 11, 2015
1 parent b06e570
commit 3587bca
Show file tree

Hide file tree

Showing 7 changed files with 9,369 additions and 8,325 deletions.
diff --git a/common/render_helper.js b/common/render_helper.js
@@ -10,17 +10,18 @@
  * Module dependencies.
  */
 
-var Remarkable = require('remarkable');
+var MarkdownIt = require('markdown-it');
 var _ = require('lodash');
 var config = require('../config');
 var validator = require('validator');
 var multiline = require('multiline');
+var jsxss = require('xss');
 
 // Set default options
-var md = new Remarkable();
+var md = new MarkdownIt();
 
 md.set({
-  html:         false,        // Enable HTML tags in source
+  html:         true,        // Enable HTML tags in source
   xhtmlOut:     false,        // Use '/' to close single tags (<br />)
   breaks:       false,        // Convert '\n' in paragraphs into <br>
   linkify:      true,        // Autoconvert URL-like text to links
@@ -49,8 +50,17 @@ md.renderer.rules.code = function (tokens, idx /*, options*/) {
   return '<code>' + validator.escape(tokens[idx].content) + '</code>';
 };
 
+var myxss = new jsxss.FilterXSS({
+  onIgnoreTagAttr: function (tag, name, value, isWhiteAttr) {
+    // 让 prettyprint 可以工作
+    if (tag === 'pre' && name === 'class') {
+      return name + '="' + jsxss.escapeAttrValue(value) + '"';
+    }
+  }
+});
+
 exports.markdown = function (text) {
-  return '<div class="markdown-text">' + md.render(text || '') + '</div>';
+  return '<div class="markdown-text">' + myxss.process(md.render(text || '')) + '</div>';
 };
 
 exports.multiline = multiline;

diff --git a/package.json b/package.json
@@ -24,24 +24,25 @@
     "express-session": "1.9.1",
     "loader": "0.1.4",
     "lodash": "2.4.1",
+    "markdown-it": "3.0.3",
     "memory-cache": "0.0.5",
     "method-override": "1.0.2",
     "moment": "2.8.3",
     "mongoose": "3.8.16",
     "multiline": "1.0.1",
     "newrelic": "1.12.2",
-    "node-uuid": "^1.4.1",
+    "node-uuid": "1.4.1",
     "nodemailer": "0.3.43",
     "passport": "0.1.18",
     "passport-github": "0.1.5",
     "pm2": "0.11.1",
     "qn": "1.0.1",
     "ready": "0.1.1",
-    "remarkable": "1.4.1",
     "response-time": "2.2.0",
     "utility": "1.0.0",
     "validator": "3.22.1",
     "xmlbuilder": "2.4.4",
+    "xss": "0.1.15",
     "yaqrcode": "0.0.2"
   },
   "devDependencies": {

diff --git a/public/libs/editor/editor.js b/public/libs/editor/editor.js
@@ -7129,9 +7129,9 @@ Editor.toolbar = toolbar;
  * Default markdown render.
  */
 Editor.markdown = function(text) {
-  if (window.remarkable) {
+  if (window.markdowniter) {
     // use marked as markdown parser
-    return remarkable.render(text);
+    return markdowniter.render(text);
   }
 };
 

diff --git a/public/libs/editor/ext.js b/public/libs/editor/ext.js
@@ -1,6 +1,6 @@
-(function(Editor, Remarkable, WebUploader){
+(function(Editor, markdownit, WebUploader){
     // Set default options
-    var md = new Remarkable();
+    var md = new markdownit();
 
     md.set({
       html:         false,        // Enable HTML tags in source
@@ -11,7 +11,7 @@
       typographer:  false,        // Enable smartypants and other sweet transforms
     });
 
-    window.remarkable = md;
+    window.markdowniter = md;
 
     var toolbar = Editor.toolbar;
 
@@ -243,4 +243,4 @@
         var line = cm.lastLine();
         cm.setLine(line, cm.getLine(line) + txt);
     };
-})(window.Editor, window.Remarkable, window.WebUploader);
+})(window.Editor, window.markdownit, window.WebUploader);