From 51d991b617a856756c19e544b875a9cfd170e06c Mon Sep 17 00:00:00 2001
From: fengmk2
Date: Tue, 11 Sep 2012 23:07:36 +0800
Subject: [PATCH] fixed #68 #75 remove html script
---
 controllers/reply.js | 4 ++--
 controllers/topic.js | 2 +-
 libs/util.js | 16 ++++++++++++++++
 3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/controllers/reply.js b/controllers/reply.js
index 43603e3..c896ed4 100644
--- a/controllers/reply.js
+++ b/controllers/reply.js
@@ -187,7 +187,7 @@ function get_reply_by_id(id, cb) {
 return cb(err);
 }
 if (!reply.content_is_html) {
- reply.content = Showdown.parse(reply.content);
+ reply.content = Showdown.parse(Util.escape(reply.content));
 }
 reply.author = author;
 reply.friendly_create_at = Util.format_date(reply.create_at, true);
@@ -243,7 +243,7 @@ function get_replies_by_topic_id(id, cb) {
 return cb(err);
 }
 if (!replies[i].content_is_html) {
- replies[i].content = Showdown.parse(replies[i].content);
+ replies[i].content = Showdown.parse(Util.escape(replies[i].content));
 }
 replies[i].author = author;
 replies[i].friendly_create_at = Util.format_date(replies[i].create_at, true);
diff --git a/controllers/topic.js b/controllers/topic.js
index d48f8e1..22bdf2d 100644
--- a/controllers/topic.js
+++ b/controllers/topic.js
@@ -80,7 +80,7 @@ exports.index = function (req, res, next) {
 topic.save(function (err) {
 if (!topic.content_is_html) {
 // trans Markdown to HTML
- topic.content = Showdown.parse(topic.content);
+ topic.content = Showdown.parse(Util.escape(topic.content));
 }
 // format date
 topic.friendly_create_at = Util.format_date(topic.create_at, true);
diff --git a/libs/util.js b/libs/util.js
index 369bec6..7b892af 100644
--- a/libs/util.js
+++ b/libs/util.js
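Review bot: Escaping the Markdown source before `Showdown.parse` neutralizes raw HTML tags typed into a reply, but as far as I can tell Showdown does not restrict the URL of Markdown link and image syntax, so the generated `<a href>` / `<img src>` can still carry a non-http scheme; the output of `Showdown.parse` should additionally go through an HTML sanitizer that allowlists tags and `http`/`https` URLs, and the same applies to the `@@ -243` hunk below and to `controllers/topic.js @@ -80`. The `content_is_html` branch is left unescaped in all three places, which is only safe if that flag can never be set from request data — that is not visible here and is worth confirming in the model/controller that sets it. The expression `Showdown.parse(Util.escape(x))` is now repeated three times; a single helper such as `Util.render_markdown(content)` would keep the escape and parse steps from drifting apart. `get_reply_by_id` continues outside the hunk.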
@@ -33,3 +33,19 @@ exports.format_date = function (date, friendly) {
 year = (thisYear === year) ? '' : (year + '-');
 return year + month + '-' + day + ' ' + hour + ':' + minute;
 };
+
+/**
+ * Escape the given string of `html`.
+ *
+ * @param {String} html
+ * @return {String}
+ * @api private
+ */
+
+exports.escape = function(html){
+ return String(html)
+ .replace(/&(?!\w+;)/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"');
+};
\ No newline at end of file
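Review bot: As rendered here the body of `exports.escape` cannot be the committed code — `.replace(//g, '>')` opens a line comment in JavaScript and `.replace(/"/g, '"')` replaces a character with itself — so the replacement strings have most likely been entity-decoded by the page and the `<` line swallowed; the real file should be checked to confirm it emits `&amp;`, `&lt;`, `&gt;` and `&quot;`, since a no-op escape would leave #68/#75 open. Two points on the intended implementation: the `&(?!\w+;)` lookahead passes through anything that already looks like an entity, so text a user types such as `&lt;b&gt;` is rendered as `<b>` rather than literally, and `'` is not escaped at all, which matters wherever the output lands in a single-quoted attribute; for untrusted forum content, escaping every `&` and adding `&#39;` is the safer default, as in the version below. The JSDoc should say `@api public` (the function is exported and called from the controllers) and state the contract, e.g. `Escape &, <, >, " and ' so untrusted text can be embedded in HTML without being interpreted as markup; always escapes & (no entity pass-through).`
```javascript
exports.escape = function (html) {
  return String(html)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
};
```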