feat(markdown): span[style] in Markdown erlauben, alles andere HTML strippen
This commit is contained in:
@@ -23,9 +23,18 @@ function configure() {
|
|||||||
marked.setOptions({ gfm: true });
|
marked.setOptions({ gfm: true });
|
||||||
marked.use({
|
marked.use({
|
||||||
renderer: {
|
renderer: {
|
||||||
// Inline raw HTML: `<...>` → bleibt wörtlich als Text stehen.
|
// Allow only <span style="..."> and </span> — strip all other raw HTML.
|
||||||
html() {
|
html(token: { text: string }) {
|
||||||
return '';
|
let s = token.text;
|
||||||
|
// Protect <span style="…"> (style value must not contain < or >)
|
||||||
|
s = s.replace(/<span\s+style="([^"<>]{0,400})"\s*>/gi, '\x00span:$1\x00');
|
||||||
|
s = s.replace(/<\/span>/gi, '\x00/span\x00');
|
||||||
|
// Strip all remaining HTML tags
|
||||||
|
s = s.replace(/<[^>]+>/g, '');
|
||||||
|
// Restore safe spans
|
||||||
|
s = s.replace(/\x00span:([^\x00]*)\x00/g, '<span style="$1">');
|
||||||
|
s = s.replace(/\x00\/span\x00/g, '</span>');
|
||||||
|
return s;
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|||||||
Reference in New Issue
Block a user