使用xss模块来过滤主题及回复内容

2025-12-08 19:55:55 +00:00 · 2012-09-21 10:21:03 +08:00 · 2012-09-21 10:21:03 +08:00 · d497dc63f9
commit d497dc63f9
parent 6680c2baac
4 changed files with 17 additions and 4 deletions
--- a/controllers/reply.js
+++ b/controllers/reply.js
@ -195,7 +195,7 @@ function get_reply_by_id(id, cb) {
        if (err) {
          return cb(err);
        }
-        reply.content = Showdown.parse(Util.escape(str));;
+        reply.content = Util.xss(Showdown.parse(str));
        return cb(err, reply);
      });
    });
@ -250,7 +250,7 @@ function get_replies_by_topic_id(id, cb) {
            if (err) {
              return cb(err);
            }
-            replies[i].content = Showdown.parse(Util.escape(str));
+            replies[i].content = Util.xss(Showdown.parse(str));
            proxy.emit('reply_find');
          });
        });
--- a/controllers/topic.js
+++ b/controllers/topic.js
@ -59,7 +59,7 @@ exports.index = function (req, res, next) {
      if (err) {
        return ep.emit(err);
      }
-      topic.content = Showdown.parse(Util.escape(content));
+      topic.content = Util.xss(Showdown.parse(content));
      ep.emit('@user');
    });
  });
--- a/libs/util.js
+++ b/libs/util.js
@ -1,3 +1,5 @@
+var xss = require('xss');
+
 exports.format_date = function (date, friendly) {
  var year = date.getFullYear();
  var month = date.getMonth() + 1;
@ -77,3 +79,13 @@ exports.escape = function(html){
  .replace(/^\n\n/, '')
  .replace(/\n\n$/, '');
 };
+
+/**
+ * 过滤XSS攻击代码
+ *
+ * @param {string} html
+ * @return {string}
+ */
+exports.xss = function (html) {
+  return xss(html);
+};
--- a/package.json
+++ b/package.json
@ -12,7 +12,8 @@
    "validator": "0.3.7",
    "ndir": ">=0.1.3",
    "nodemailer": "0.3.5",
-    "data2xml": "0.4.0"
+    "data2xml": "0.4.0",
+    "xss": ">=0.0.2"
  },
  "devDependencies": {
    "should": "*",