Alternative way to sanitize isoData (#1129)

* Alternative way to sanitize isoData * use split/join instead of replaceAll * Use sanitize, then restore > chars for markdown render
2023-06-09 14:17:02 +02:00 · 2023-06-09 14:17:02 +02:00 · 4867e455f8
parent 50a8f40187
commit 4867e455f8
2 changed files with 6 additions and 6 deletions
--- a/src/server/index.tsx
+++ b/src/server/index.tsx
@ -9,6 +9,7 @@ import IsomorphicCookie from "isomorphic-cookie";
 import { GetSite, GetSiteResponse, LemmyHttp, Site } from "lemmy-js-client";
 import path from "path";
 import process from "process";
+import sanitize from "sanitize-html";
 import serialize from "serialize-javascript";
 import sharp from "sharp";
 import { App } from "../shared/components/app/app";
@ -25,7 +26,6 @@ import {
  favIconUrl,
  initializeSite,
  isAuthPath,
-  md,
 } from "../shared/utils";

 const server = express();
@ -348,9 +348,7 @@ async function createSsrHtml(root: string, isoData: IsoDataOptionalSite) {
  <!DOCTYPE html>
  <html ${helmet.htmlAttributes.toString()} lang="en">
  <head>
-  <script>window.isoData = ${md.utils.escapeHtml(
-    JSON.stringify(isoData)
-  )}</script>
+  <script>window.isoData = ${sanitize(JSON.stringify(isoData))}</script>
  <script>window.lemmyConfig = ${serialize(config)}</script>

  <!-- A remote debugging utility for mobile -->
--- a/src/shared/utils.ts
+++ b/src/shared/utils.ts
@ -206,11 +206,13 @@ export function hotRank(score: number, timeStr: string): number {
 }

 export function mdToHtml(text: string) {
-  return { __html: md.render(text) };
+  // restore '>' character to fix quotes
+  return { __html: md.render(text).split("&gt;").join(">") };
 }

 export function mdToHtmlNoImages(text: string) {
-  return { __html: mdNoImages.render(text) };
+  // restore '>' character to fix quotes
+  return { __html: mdNoImages.render(text).split("&gt;").join(">") };
 }

 export function mdToHtmlInline(text: string) {