Skip to content

markdown: sanitize markdown-it renderer output #1442

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cmouse merged 1 commit into from
Mar 2, 2026
+21 −20
Merged

markdown: sanitize markdown-it renderer output #1442

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 21 additions & 20 deletions lib/markdown.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,8 @@ export async function getVitepressMd() {
* Much of this is copied from existing markdown-it plugins. See, e.g.,
* https://github.com/markdown-it/markdown-it-sub/blob/master/index.mjs */
function dovecot_markdown(md, opts) {
const escape = md.utils.escapeHtml

function process_brackets(state, silent) {
const max = state.posMax
const start = state.pos
Expand Down Expand Up @@ -211,11 +213,10 @@ function dovecot_markdown(md, opts) {
}

return '<code><a href="' +
resolveURL('core/summaries/' + page + '.html#' + env.inner) +
escape(resolveURL('core/summaries/' + page + '.html#' + env.inner)) +
'">'

case 'link':
let url = '#'
env.inner = false

if (!opts.links[parts[1]]) {
Expand All @@ -226,7 +227,7 @@ function dovecot_markdown(md, opts) {
const d = opts.links[parts[1]]
env.inner = parts[2] ? parts[2] : (d.text ? d.text : false)

return '<a href="' + d.url + '">'
return '<a href="' + escape(d.url) + '">'

case 'man':
env.inner = parts[1]
Expand All @@ -241,8 +242,8 @@ function dovecot_markdown(md, opts) {
}

return '<code><a href="' +
resolveURL('core/man/' + env.inner + '.' + env.args) +
'.html' + (hash ? '#' + hash : '') + '">'
escape(resolveURL('core/man/' + env.inner + '.' + env.args) +
'.html' + (hash ? '#' + hash : '')) + '">'

case 'plugin':
env.inner = parts[1]
Expand All @@ -257,7 +258,7 @@ function dovecot_markdown(md, opts) {
}

return '<a href="' +
resolveURL('core/plugins/' + plugin + '.html') + '">'
escape(resolveURL('core/plugins/' + plugin + '.html')) + '">'

case 'removed':
env.args = parts[1]
Expand All @@ -271,7 +272,7 @@ function dovecot_markdown(md, opts) {
const rfcurl = "https://datatracker.ietf.org/doc/html/rfc" +
env.inner + (env.args ? '#section-' + env.args : '')

return '<a target="_blank" rel="noreferrer" href="' + rfcurl + '">'
return '<a target="_blank" rel="noreferrer" href="' + escape(rfcurl) + '">'

case 'variable':
switch (parts[1] ? parts[1] : 'settings') {
Expand Down Expand Up @@ -309,7 +310,7 @@ function dovecot_markdown(md, opts) {
}

return '<code><a href="' +
resolveURL('core/settings/variables.html' + hash) + '">'
escape(resolveURL('core/settings/variables.html' + hash)) + '">'

default:
initMarkdownExtend()
Expand All @@ -330,37 +331,37 @@ function dovecot_markdown(md, opts) {
case 'removed':
if (!opts.updates[env.args]) {
handle_error('Missing updates entry for: ' + env.args)
return env.args
return escape(env.args)
}
return env.inner + ': ' + opts.updates[env.args]
return escape(env.inner + ': ' + opts.updates[env.args])

case 'doveadm':
return 'doveadm ' + env.inner + (env.args ? ' ' + env.args : '')
return 'doveadm ' + escape(env.inner) + (env.args ? ' ' + escape(env.args) : '')

case 'event':
return env.inner
return escape(env.inner)

case 'link':
return env.inner
return escape(env.inner)

case 'man':
return env.inner + '(' + env.args + ')'
return escape(env.inner) + '(' + escape(env.args) + ')'

case 'plugin':
return env.args ?? (env.inner + ' plugin')
return escape(env.args ?? (env.inner + ' plugin'))

case 'rfc':
return 'RFC ' + env.inner +
(env.args ? ' (section ' + env.args + ')' : '')
return 'RFC ' + escape(env.inner) +
(env.args ? ' (section ' + escape(env.args) + ')' : '')

case 'setting':
return env.inner + (env.args ? ' = ' + env.args : '')
return escape(env.inner) + (env.args ? ' = ' + escape(env.args) : '')

case 'setting_text':
return env.args ?? env.inner
return escape(env.args ?? env.inner)

case 'variable':
return env.inner
return escape(env.inner)

default:
return handle_default(mode, opts.markdown?.body?.(mode, env))
Expand Down