KB66 Sanitize HTML in posts.

Change-Id: I4987c74e90befb226f1bf1f06129a665f32544bf
author: Matthias Andreas Benkard <code@mail.matthias.benkard.de> 2021-07-18 21:33:24 +0200
committer: Matthias Andreas Benkard <code@mail.matthias.benkard.de> 2021-07-18 21:33:24 +0200
commit: 95cc08732df33d5c6e748fe3f0e5c88eca3d1ba0 (patch)
tree: 4d91f48e3fc88166c90d560822aa31f3a505bdcd /src
parent: 9307632512461bf56615ed1cd94b429104e88dae (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/main/java/eu/mulk/mulkcms2/common/markdown/MarkdownConverter.java b/src/main/java/eu/mulk/mulkcms2/common/markdown/MarkdownConverter.java
index 68f7a18..cd75afe 100644
--- a/src/main/java/eu/mulk/mulkcms2/common/markdown/MarkdownConverter.java
+++ b/src/main/java/eu/mulk/mulkcms2/common/markdown/MarkdownConverter.java
@@ -11,6 +11,8 @@ import com.vladsch.flexmark.parser.Parser;
 import com.vladsch.flexmark.util.data.MutableDataSet;
 import java.util.Arrays;
 import javax.enterprise.context.ApplicationScoped;
+import org.jsoup.Jsoup;
+import org.jsoup.safety.Whitelist;
 
 @ApplicationScoped
 public class MarkdownConverter {
@@ -41,6 +43,7 @@ public class MarkdownConverter {
 
   public String htmlify(String markdown) {
     var parsedDocument = parser.parse(markdown);
-    return renderer.render(parsedDocument);
+    var unsanitizedHtml = renderer.render(parsedDocument);
+    return Jsoup.clean(unsanitizedHtml, Whitelist.relaxed());
   }
 }
author	Matthias Andreas Benkard <code@mail.matthias.benkard.de>	2021-07-18 21:33:24 +0200
committer	Matthias Andreas Benkard <code@mail.matthias.benkard.de>	2021-07-18 21:33:24 +0200
commit	95cc08732df33d5c6e748fe3f0e5c88eca3d1ba0 (patch)
tree	4d91f48e3fc88166c90d560822aa31f3a505bdcd /src
parent	9307632512461bf56615ed1cd94b429104e88dae (diff)