diff --git a/app/lib/express.js b/app/lib/express.js index 00dc037..95c44e8 100644 --- a/app/lib/express.js +++ b/app/lib/express.js @@ -25,6 +25,7 @@ const ejs = require("ejs"); const cookieEncrypter = require("cookie-encrypter"); const expressLayouts = require("express-ejs-layouts"); const mobileRoutes = require("./mobile-routes"); +const ejsUtils = require("ejs/lib/utils"); let mode = process.env.MODE || "client"; @@ -110,13 +111,42 @@ app.use((_req, res, next) => { } return "/images/no-avatar.png"; }; + + const BLOB_PATTERN = /(&.*?=\.sha\d+)/g; res.locals.topicTitle = (post) => { - const title = post.content.title || post.content.text; + const title = res.locals + .escapeMarkdown(post.content.title || post.content.text) + .replace(BLOB_PATTERN, ""); if (title.length > 60) { return title.substr(0, 60) + "..."; } return title; }; + res.locals.escapeMarkdown = (str) => { + let result = ejsUtils.escapeXML(str); + result = result.replace(/!\[.*?\]\((.*?)\)/g, `$1`); // Images + result = result.replace(/\[(@.*?)\]\(@.*?\)/g, `$1`); // Link to mention + result = result.replace(/\[.*?\]\((.*?)\)/g, `$1`); // Any Link + result = result.replace(/^#+ /g, ""); + return result; + }; + res.locals.htmlify = (str) => { + let result = str; + result = result.replace( + BLOB_PATTERN, + `$1` + ); + result = result.replace( + /(https?:\/\/\S+)/g, + `$1` + ); + result = result.replace( + /( ([a-z-_]+\.)?[a-z-_]+\.[a-z]+(\/\S+))/g, + ` $1` + ); + result = result.replace(/\n/g, "
"); + return result; + }; next(); }); diff --git a/app/lib/serve-blobs.js b/app/lib/serve-blobs.js index 9f63e7d..2314be3 100644 --- a/app/lib/serve-blobs.js +++ b/app/lib/serve-blobs.js @@ -40,7 +40,7 @@ const serveBlobs = (sbot) => { setTimeout(() => { debug("timeout for", hash); wrappedCb(null, false); - }, 1000); + }, 5000); sbot.blobs.has(hash, function (err, has) { if (err) return wrappedCb(err); diff --git a/app/views/_posts.ejs b/app/views/_posts.ejs index 1071d7a..928fa73 100644 --- a/app/views/_posts.ejs +++ b/app/views/_posts.ejs @@ -10,14 +10,12 @@ <%= post.authorProfile.name %> - <% let text = post.content.text %> + <% let text = escapeMarkdown(post.content.text) %> <% if (typeof dont_cut == "undefined") { %> - <% text = post.content.text.slice(0, 140) %> + <% text = text.slice(0, 140) %> <% if (post.content.text.length > 140) text += "..." %> <% } %> - <% text.split("\n").map((line, index) => { %> - <%- index > 0 ? "
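Review bot: topicTitle escapes first and truncates afterwards (`title.substr(0, 60)` on the escapeMarkdown result), so the cut can land inside an entity such as `&amp;` or inside whatever markup the link rewrites emit (the tags are stripped on this page), and because the topic templates now print it with `<%-` the broken fragment reaches the browser unescaped. The same escape-then-cut order is in _posts.ejs (`text.slice(0, 140)`) and in home.ejs, mobile/home.ejs, mobile/profile.ejs and profile.ejs (`escapeMarkdown(profile.description || "").substr(0, 70)`). Truncate the raw text and escape the result instead: `const raw = post.content.title || post.content.text || "";`, `const cut = raw.length > 60 ? raw.substr(0, 60) + "..." : raw;`, `return res.locals.escapeMarkdown(cut).replace(BLOB_PATTERN, "");` here, and `escapeMarkdown((profile.description || "").substr(0, 70))` in the templates. htmlify does no escaping of its own, so add `// htmlify: str must already be XML-escaped (escapeMarkdown); never pass raw user text` above it, and if its `$1` rewrites place the captured target into an href (markup is stripped here), escapeXML leaves the URL scheme unconstrained, so limiting linked targets to http(s) is the remaining check. The enclosing app.use middleware starts before the hunk.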
" : "" %><%= line %> - <% }) %> + <%- htmlify(text) %> <% }) %> \ No newline at end of file diff --git a/app/views/communities/community.ejs b/app/views/communities/community.ejs index aa70855..742ac89 100644 --- a/app/views/communities/community.ejs +++ b/app/views/communities/community.ejs @@ -5,7 +5,7 @@ <% posts.map(post => { %> " class="columns community-topic-link">
- <%= topicTitle(post.value) %> + <%- topicTitle(post.value) %>
💬 <%= post.value.replies.length %> replies
diff --git a/app/views/communities/topic.ejs b/app/views/communities/topic.ejs index 54c773b..756c366 100644 --- a/app/views/communities/topic.ejs +++ b/app/views/communities/topic.ejs @@ -1,5 +1,5 @@ <% if (posts.length > 0) { %> -

<%= topicTitle(posts[0].value) %>

+

<%- topicTitle(posts[0].value) %>

<%- include("../_posts", { posts: posts.map(x => x.value), dont_cut: true }) %>
/publish" method="POST" style="padding-top: 20px; border-top: 1px solid #ddd;"> diff --git a/app/views/home.ejs b/app/views/home.ejs index d2f82d9..0142206 100644 --- a/app/views/home.ejs +++ b/app/views/home.ejs @@ -15,7 +15,7 @@

<%= profile.name %>

- <%= profile.description %> + <%- escapeMarkdown(profile.description || "").substr(0, 70) %>
diff --git a/app/views/mobile/communities/community.ejs b/app/views/mobile/communities/community.ejs index fd6d859..1389a60 100644 --- a/app/views/mobile/communities/community.ejs +++ b/app/views/mobile/communities/community.ejs @@ -21,7 +21,7 @@ <% posts.map(post => { %> " class="columns community-topic-link">
- <%= topicTitle(post.value) %> + <%- topicTitle(post.value) %>
💬 <%= post.value.replies.length %> replies
diff --git a/app/views/mobile/communities/topic.ejs b/app/views/mobile/communities/topic.ejs index 1d65204..2a2ba7f 100644 --- a/app/views/mobile/communities/topic.ejs +++ b/app/views/mobile/communities/topic.ejs @@ -5,7 +5,7 @@ ⬅ #<%= community.name %> -

<%= topicTitle(posts[0].value) %>

+

<%- topicTitle(posts[0].value) %>

<%- include("../../_posts", { posts: posts.map(x => x.value), dont_cut: true }) %> diff --git a/app/views/mobile/home.ejs b/app/views/mobile/home.ejs index fc3d09e..6462e8b 100644 --- a/app/views/mobile/home.ejs +++ b/app/views/mobile/home.ejs @@ -3,7 +3,7 @@

<%= profile.name %>

- <%= profile.description %> + <%- escapeMarkdown(profile.description || "").substr(0, 70) %>
diff --git a/app/views/mobile/profile.ejs b/app/views/mobile/profile.ejs index 3f9441b..25d329a 100644 --- a/app/views/mobile/profile.ejs +++ b/app/views/mobile/profile.ejs @@ -3,7 +3,7 @@

<%= profile.name %>

- <%= (profile.description || "").substr(0, 70) %> + <%- escapeMarkdown(profile.description || "").substr(0, 70) %> <% if (friendshipStatus == "request_received") { %>

<%= profile.name %> sent you a friendship request

diff --git a/app/views/profile.ejs b/app/views/profile.ejs index 9edfe68..4aa878d 100644 --- a/app/views/profile.ejs +++ b/app/views/profile.ejs @@ -13,7 +13,7 @@
✅ Friends
<% } %>
-
<%= (profile.description || "").substr(0, 70) %>
+
<%- escapeMarkdown(profile.description || "").substr(0, 70) %>
<% if (friendshipStatus == "request_received") { %>

<%= profile.name %> sent you a friendship request