fixed #68 #75 remove html script

controllers/reply.js

@@ -187,7 +187,7 @@ function get_reply_by_id(id, cb) {
         return cb(err);
       }
       if (!reply.content_is_html) {
-        reply.content = Showdown.parse(reply.content);
+        reply.content = Showdown.parse(Util.escape(reply.content));
       }
       reply.author = author;
       reply.friendly_create_at = Util.format_date(reply.create_at, true);
@@ -243,7 +243,7 @@ function get_replies_by_topic_id(id, cb) {
             return cb(err);
           }
           if (!replies[i].content_is_html) {
-            replies[i].content = Showdown.parse(replies[i].content);
+            replies[i].content = Showdown.parse(Util.escape(replies[i].content));
           }
           replies[i].author = author;
           replies[i].friendly_create_at = Util.format_date(replies[i].create_at, true);

controllers/topic.js

@@ -80,7 +80,7 @@ exports.index = function (req, res, next) {
     topic.save(function (err) {
       if (!topic.content_is_html) {
         // trans Markdown to HTML
-        topic.content = Showdown.parse(topic.content);
+        topic.content = Showdown.parse(Util.escape(topic.content));
       }
       // format date
       topic.friendly_create_at = Util.format_date(topic.create_at, true);

libs/util.js

@@ -33,3 +33,19 @@ exports.format_date = function (date, friendly) {
   year = (thisYear === year) ? '' : (year + '-');
   return year + month + '-' + day + ' ' + hour + ':' + minute;
 };
+
+/**
+ * Escape the given string of `html`.
+ *
+ * @param {String} html
+ * @return {String}
+ * @api private
+ */
+
+exports.escape = function(html){
+  return String(html)
+    .replace(/&(?!\w+;)/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;');
+};