From 33774c11b989a6a8aa2517e1a83d39c43741fc90 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Wed, 21 Nov 2018 11:11:47 +0100 Subject: [PATCH] Update from to-markdown to turndown We got a security alert for a regular expression DoS attack on our used library `to-markdown`. After checking `to-markdown` to be maintained or not, it turned out they renamed the library to `turndown`. So upgrading to `turndown` should fix this vulnerbility. References: https://www.npmjs.com/package/to-markdown https://github.com/domchristie/turndown/wiki/Migrating-from-to-markdown-to-Turndown Signed-off-by: Sheogorath --- package.json | 2 +- public/js/index.js | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index ee3c383..3c3f359 100644 --- a/package.json +++ b/package.json @@ -123,8 +123,8 @@ "store": "^2.0.12", "string": "^3.3.3", "tedious": "^1.14.0", - "to-markdown": "^3.0.3", "toobusy-js": "^0.5.1", + "turndown": "^5.0.1", "uuid": "^3.1.0", "validator": "^10.4.0", "velocity-animate": "^1.4.0", diff --git a/public/js/index.js b/public/js/index.js index c2969e9..a845b5d 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -12,7 +12,7 @@ require('../css/site.css') require('highlight.js/styles/github-gist.css') -import toMarkdown from 'to-markdown' +import TurndownService from 'turndown' import { saveAs } from 'file-saver' import randomColor from 'randomcolor' @@ -1498,7 +1498,12 @@ $('#snippetExportModalConfirm').click(function () { }) function parseToEditor (data) { - var parsed = toMarkdown(data) + var turndownService = new TurndownService({ + defaultReplacement: function (innerHTML, node) { + return node.isBlock ? '\n\n' + node.outerHTML + '\n\n' : node.outerHTML + } + }) + var parsed = turndownService.turndown(data) if (parsed) { replaceAll(parsed) } }