Merge pull request #2309 from cosmos/fabo/remove-markdown-parser

Fabo/remove markdown parser
luniehq · Mar 20, 2019 · a14e1ed · a14e1ed
2 parents 04fb767 + ad113cf
commit a14e1ed
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 52 deletions.
diff --git a/PENDING.md b/PENDING.md
@@ -1,3 +1,7 @@
+### Security
+
+- [\#2309](https://github.com/cosmos/voyager/pull/2309) remove markdown parser to reduce vulnerability of xss @faboweb
+
 ### Fixed
 
-- [\#2301](https://github.com/cosmos/voyager/issues/2301) throttle requests for keybase identities @faboweb
+- [\#2301](https://github.com/cosmos/voyager/issues/2301) throttle requests for keybase identities @faboweb
diff --git a/app/src/renderer/components/common/TextBlock.vue b/app/src/renderer/components/common/TextBlock.vue
@@ -1,25 +1,19 @@
 <template>
- <!-- TODO:SECURITY try to add a malicious block and see how is rendered,
- like <script>alert('danger')</script> -->
- <!-- eslint-disable vue/no-v-html -->
- <div class="text-block" v-html="htmlContent" />
+ <div class="text-block">
+ <pre>
+ {{ content.trim() }}
+ </pre>
+ </div>
 </template>
 
 <script>
-import MarkdownIt from "markdown-it"
 export default {
  name: `text-block`,
  props: {
  content: {
  type: String,
  required: true
  }
- },
- computed: {
- htmlContent() {
- const md = new MarkdownIt()
- return md.render(this.content)
- }
  }
 }
 </script>

diff --git a/package.json b/package.json
@@ -83,7 +83,6 @@
  "jest-localstorage-mock": "2.3.0",
  "json-loader": "0.5.7",
  "lodash": "4.17.11",
- "markdown-it": "8.4.1",
  "moment-timezone": "0.5.16",
  "nightwatch": "1.0.19",
  "node-loader": "0.6.0",
@@ -126,7 +125,6 @@
  "glob": "7.1.3",
  "js-beautify": "1.8.6",
  "ledger-cosmos-js": "https://github.com/cosmos/ledger-cosmos-js",
- "markdown-it-anchor": "5.0.2",
  "moment": "2.22.1",
  "mousetrap": "1.6.1",
  "nib": "1.1.2",

diff --git a/test/unit/specs/components/common/__snapshots__/TextBlock.spec.js.snap b/test/unit/specs/components/common/__snapshots__/TextBlock.spec.js.snap
@@ -5,10 +5,9 @@ exports[`TextBlock has the expected html structure 1`] = `
  author="faboweb"
  class="text-block"
 >
- <p>
- Hello World
- </p>
+ <pre>
+ Hello World
  
-
+ </pre>
 </div>
 `;
diff --git a/yarn.lock b/yarn.lock
@@ -3950,7 +3950,7 @@ enhanced-resolve@^4.1.0:
  memory-fs "^0.4.0"
  tapable "^1.0.0"
 
-entities@^1.1.1, entities@~1.1.1:
+entities@^1.1.1:
  version "1.1.2"
  resolved "https://registry.yarnpkg.com/entities/-/entities-1.1.2.tgz#bdfa735299664dfafd34529ed4f8522a275fea56"
  integrity sha512-f2LZMYl1Fzu7YSBKg+RoROelpOaNrcGmE9AZubeDfrCEia483oW4MI4VyFd5VNHIgQ/7qm1I0wUHK1eJnn2y2w==
@@ -6819,13 +6819,6 @@ levn@^0.3.0, levn@~0.3.0:
  prelude-ls "~1.1.2"
  type-check "~0.3.2"
 
-linkify-it@^2.0.0:
- version "2.1.0"
- resolved "https://registry.yarnpkg.com/linkify-it/-/linkify-it-2.1.0.tgz#c4caf38a6cd7ac2212ef3c7d2bde30a91561f9db"
- integrity sha512-4REs8/062kV2DSHxNfq5183zrqXMl7WP0WzABH9IeJI+NLm429FgE1PDecltYfnOoFDFlZGh2T8PfZn0r+GTRg==
- dependencies:
- uc.micro "^1.0.1"
-
 load-json-file@^1.0.0:
  version "1.1.0"
  resolved "https://registry.yarnpkg.com/load-json-file/-/load-json-file-1.1.0.tgz#956905708d58b4bab4c2261b04f59f31c99374c0"
@@ -7145,22 +7138,6 @@ markdown-escapes@^1.0.0:
  resolved "https://registry.yarnpkg.com/markdown-escapes/-/markdown-escapes-1.0.2.tgz#e639cbde7b99c841c0bacc8a07982873b46d2122"
  integrity sha512-lbRZ2mE3Q9RtLjxZBZ9+IMl68DKIXaVAhwvwn9pmjnPLS0h/6kyBMgNhqi1xFJ/2yv6cSyv0jbiZavZv93JkkA==
 
-markdown-it-anchor@5.0.2:
- version "5.0.2"
- resolved "https://registry.yarnpkg.com/markdown-it-anchor/-/markdown-it-anchor-5.0.2.tgz#cdd917a05b7bf92fb736a6dae3385c6d0d0fa552"
- integrity sha512-AFM/woBI8QDJMS/9+MmsBMT5/AR+ImfOsunQZTZhzcTmna3rIzAzbOh5E0l6mlFM/i9666BpUtkqQ9bS7WApCg==
-
-markdown-it@8.4.1:
- version "8.4.1"
- resolved "https://registry.yarnpkg.com/markdown-it/-/markdown-it-8.4.1.tgz#206fe59b0e4e1b78a7c73250af9b34a4ad0aaf44"
- integrity sha512-CzzqSSNkFRUf9vlWvhK1awpJreMRqdCrBvZ8DIoDWTOkESMIF741UPAhuAmbyWmdiFPA6WARNhnu2M6Nrhwa+A==
- dependencies:
- argparse "^1.0.7"
- entities "~1.1.1"
- linkify-it "^2.0.0"
- mdurl "^1.0.1"
- uc.micro "^1.0.5"
-
 markdown-table@^1.1.0:
  version "1.1.2"
  resolved "https://registry.yarnpkg.com/markdown-table/-/markdown-table-1.1.2.tgz#c78db948fa879903a41bce522e3b96f801c63786"
@@ -7202,11 +7179,6 @@ mdn-data@~1.1.0:
  resolved "https://registry.yarnpkg.com/mdn-data/-/mdn-data-1.1.4.tgz#50b5d4ffc4575276573c4eedb8780812a8419f01"
  integrity sha512-FSYbp3lyKjyj3E7fMl6rYvUdX0FBXaluGqlFoYESWQlyUTq8R+wp0rkFxoYFqZlHCvsUXGjyJmLQSnXToYhOSA==
 
-mdurl@^1.0.1:
- version "1.0.1"
- resolved "https://registry.yarnpkg.com/mdurl/-/mdurl-1.0.1.tgz#fe85b2ec75a59037f2adfec100fd6c601761152e"
- integrity sha1-/oWy7HWlkDfyrf7BAP1sYBdhFS4=
-
 media-typer@0.3.0:
  version "0.3.0"
  resolved "https://registry.yarnpkg.com/media-typer/-/media-typer-0.3.0.tgz#8710d7af0aa626f8fffa1ce00168545263255748"
@@ -11790,11 +11762,6 @@ typeforce@^1.11.5:
  resolved "https://registry.yarnpkg.com/typeforce/-/typeforce-1.18.0.tgz#d7416a2c5845e085034d70fcc5b6cc4a90edbfdc"
  integrity sha512-7uc1O8h1M1g0rArakJdf0uLRSSgFcYexrVoKo+bzJd32gd4gDy2L/Z+8/FjPnU9ydY3pEnVPtr9FyscYY60K1g==
 
-uc.micro@^1.0.1, uc.micro@^1.0.5:
- version "1.0.6"
- resolved "https://registry.yarnpkg.com/uc.micro/-/uc.micro-1.0.6.tgz#9c411a802a409a91fc6cf74081baba34b24499ac"
- integrity sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==
-
 uglify-js@3.4.x, uglify-js@^3.1.4:
  version "3.4.9"
  resolved "https://registry.yarnpkg.com/uglify-js/-/uglify-js-3.4.9.tgz#af02f180c1207d76432e473ed24a28f4a782bae3"