diff --git a/app/lib/express.js b/app/lib/express.js
index 00dc037..95c44e8 100644
--- a/app/lib/express.js
+++ b/app/lib/express.js
@@ -25,6 +25,7 @@ const ejs = require("ejs");
const cookieEncrypter = require("cookie-encrypter");
const expressLayouts = require("express-ejs-layouts");
const mobileRoutes = require("./mobile-routes");
+const ejsUtils = require("ejs/lib/utils");
let mode = process.env.MODE || "client";
@@ -110,13 +111,42 @@ app.use((_req, res, next) => {
}
return "/images/no-avatar.png";
};
+
+ const BLOB_PATTERN = /(&.*?=\.sha\d+)/g;
res.locals.topicTitle = (post) => {
- const title = post.content.title || post.content.text;
+ const title = res.locals
+ .escapeMarkdown(post.content.title || post.content.text)
+ .replace(BLOB_PATTERN, "");
if (title.length > 60) {
return title.substr(0, 60) + "...";
}
return title;
};
+ res.locals.escapeMarkdown = (str) => {
+ let result = ejsUtils.escapeXML(str);
+ result = result.replace(/!\[.*?\]\((.*?)\)/g, `$1`); // Images
+ result = result.replace(/\[(@.*?)\]\(@.*?\)/g, `$1`); // Link to mention
+ result = result.replace(/\[.*?\]\((.*?)\)/g, `$1`); // Any Link
+ result = result.replace(/^#+ /g, "");
+ return result;
+ };
+ res.locals.htmlify = (str) => {
+ let result = str;
+ result = result.replace(
+ BLOB_PATTERN,
+ `$1`
+ );
+ result = result.replace(
+ /(https?:\/\/\S+)/g,
+ `$1`
+ );
+ result = result.replace(
+ /( ([a-z-_]+\.)?[a-z-_]+\.[a-z]+(\/\S+))/g,
+ ` $1`
+ );
+ result = result.replace(/\n/g, "
");
+ return result;
+ };
next();
});
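Review bot: `BLOB_PATTERN`'s `&.*?=\.sha\d+` is applied to text that `escapeXML` has already rewritten, where every `&lt;`, `&gt;`, `&#34;` and `&amp;` also starts with `&`, so a match can begin at an unrelated entity early in the string and run lazily up to the next `=.sha…`, deleting that whole stretch in `topicTitle` (L19-L21) and wrapping it into a single link in `htmlify` (L37-L40). A character class instead of `.*?` keeps the match on the id itself and still accepts the escaped `&amp;` prefix the id carries after `escapeXML`, e.g. `const BLOB_PATTERN = /(&(?:amp;)?[A-Za-z0-9+/]+=\.sha\d+)/g;` (assuming base64 ids, as the `=.sha256` suffix suggests). `htmlify` does no escaping of its own and its result is emitted unescaped by `_posts.ejs` via `<%-`, so that contract should be stated on the function: `// Expects str already passed through escapeMarkdown; the result is inserted unescaped by views.` The same `.*?`-on-escaped-text concern applies to the `\S+` in the URL patterns, which will pull trailing entities such as `&#34;` into the captured link target.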
diff --git a/app/lib/serve-blobs.js b/app/lib/serve-blobs.js
index 9f63e7d..2314be3 100644
--- a/app/lib/serve-blobs.js
+++ b/app/lib/serve-blobs.js
@@ -40,7 +40,7 @@ const serveBlobs = (sbot) => {
setTimeout(() => {
debug("timeout for", hash);
wrappedCb(null, false);
- }, 1000);
+ }, 5000);
sbot.blobs.has(hash, function (err, has) {
if (err) return wrappedCb(err);
diff --git a/app/views/_posts.ejs b/app/views/_posts.ejs
index 1071d7a..928fa73 100644
--- a/app/views/_posts.ejs
+++ b/app/views/_posts.ejs
@@ -10,14 +10,12 @@
<%= post.authorProfile.name %>
- <% let text = post.content.text %>
+ <% let text = escapeMarkdown(post.content.text) %>
<% if (typeof dont_cut == "undefined") { %>
- <% text = post.content.text.slice(0, 140) %>
+ <% text = text.slice(0, 140) %>
<% if (post.content.text.length > 140) text += "..." %>
<% } %>
- <% text.split("\n").map((line, index) => { %>
- <%- index > 0 ? "
" : "" %><%= line %>
- <% }) %>
+ <%- htmlify(text) %>
<% }) %>
\ No newline at end of file
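Review bot: `text.slice(0, 140)` on L77 now truncates the escaped string while the ellipsis test on L78 still measures the raw `post.content.text`, so the two disagree as soon as escaping expands characters (`<` becomes `&lt;`), and a cut at 140 can land inside an entity, leaving a fragment like `&am` that `htmlify` then emits as-is. Truncating the raw text and escaping at the output keeps both checks on the same string: change L74 to `<% let text = post.content.text %>` and L84 to `<%- htmlify(escapeMarkdown(text)) %>`, leaving L77-L78 as they are. This can still cut a markdown link in half at the 140 boundary, but `escapeMarkdown` then simply leaves that text escaped rather than producing a broken entity.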
diff --git a/app/views/communities/community.ejs b/app/views/communities/community.ejs
index aa70855..742ac89 100644
--- a/app/views/communities/community.ejs
+++ b/app/views/communities/community.ejs
@@ -5,7 +5,7 @@
<% posts.map(post => { %>
" class="columns community-topic-link">