Update from to-markdown to turndown

We got a security alert for a regular expression DoS attack on our used
library `to-markdown`.

After checking whether `to-markdown` is still maintained, it turned out
the library was renamed to `turndown`. So upgrading to `turndown` should
fix this vulnerability.

References:
https://www.npmjs.com/package/to-markdown
https://github.com/domchristie/turndown/wiki/Migrating-from-to-markdown-to-Turndown
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Sheogorath 2018-11-21 11:11:47 +01:00
parent 2323d203b4
commit 33774c11b9
No known key found for this signature in database
GPG key ID: 1F05CC3635CDDFFD
2 changed files with 8 additions and 3 deletions


@ -123,8 +123,8 @@
"store": "^2.0.12", "store": "^2.0.12",
"string": "^3.3.3", "string": "^3.3.3",
"tedious": "^1.14.0", "tedious": "^1.14.0",
"to-markdown": "^3.0.3",
"toobusy-js": "^0.5.1", "toobusy-js": "^0.5.1",
"turndown": "^5.0.1",
"uuid": "^3.1.0", "uuid": "^3.1.0",
"validator": "^10.4.0", "validator": "^10.4.0",
"velocity-animate": "^1.4.0", "velocity-animate": "^1.4.0",


@ -12,7 +12,7 @@ require('../css/site.css')
require('highlight.js/styles/github-gist.css') require('highlight.js/styles/github-gist.css')
import toMarkdown from 'to-markdown' import TurndownService from 'turndown'
import { saveAs } from 'file-saver' import { saveAs } from 'file-saver'
import randomColor from 'randomcolor' import randomColor from 'randomcolor'
@ -1498,7 +1498,12 @@ $('#snippetExportModalConfirm').click(function () {
}) })
function parseToEditor (data) { function parseToEditor (data) {
var parsed = toMarkdown(data) var turndownService = new TurndownService({
defaultReplacement: function (innerHTML, node) {
return node.isBlock ? '\n\n' + node.outerHTML + '\n\n' : node.outerHTML
}
})
var parsed = turndownService.turndown(data)
if (parsed) { replaceAll(parsed) } if (parsed) { replaceAll(parsed) }
} }
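Review bot: The `defaultReplacement` added in `parseToEditor` returns `node.outerHTML` for every element Turndown has no rule for, so tags such as `<script>` or `<iframe>`, and elements carrying inline event-handler attributes, are copied verbatim into the editor content. Where `data` comes from is not visible in this hunk; if it can be untrusted, the result is only as safe as the sanitisation applied when the note is later rendered. Consider dropping non-content elements before conversion with `turndownService.remove(['script', 'style'])`. A comment above `defaultReplacement` should also say that raw HTML is kept on purpose and that safety relies on render-time sanitisation. As a smaller point, the `TurndownService` instance is rebuilt on every call and could be created once at module scope.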