Merge branch 'master' into LEGAL

Martii · Jun 6, 2014 · 5478e27 · 5478e27
2 parents a9a3e2f + 932d1c9
commit 5478e27
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 3 deletions.
diff --git a/.gitignore b/.gitignore
@@ -19,5 +19,6 @@ data
 fakeS3
 cert
 aws.json
+prod.sh
 
 /iisnode
diff --git a/app.js b/app.js
@@ -42,7 +42,7 @@ app.configure(function(){
   });
 
   // Force HTTPS
-  if (process.env.NODE_ENV === 'production') {
+  if (app.get('port') === 443) {
     app.use(function (req, res, next) {
       res.setHeader('Strict-Transport-Security',
         'max-age=8640000; includeSubDomains');

diff --git a/libs/markdown.js b/libs/markdown.js
@@ -1,5 +1,6 @@
 var marked = require('marked');
 var hljs = require('highlight.js');
+var xss = require('simple-xss');
 var renderer = new marked.Renderer();
 
 // Automatically generate an anchor for each header
@@ -29,11 +30,11 @@ marked.setOptions({
   tables: true,
   breaks: true,
   pedantic: false,
-  sanitize: true,
+  sanitize: false, // we use xss to sanitize HTML
   smartLists: true,
   smartypants: false
 });
 
 exports.renderMd = function (text) {
-  return marked(text);
+  return xss(marked(text));
 };
diff --git a/package.json b/package.json
@@ -14,6 +14,7 @@
     "async": "*",
     "aws-sdk": "*",
     "toobusy-js": "*",
+    "simple-xss": "*",
     "passport": "*",
     "passport-github": "*",
     "passport-amazon": "*",
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,5 +19,6 @@ data @@
     fakeS3
     cert
     aws.json
+    prod.sh
     /iisnode