From 925d9624d5550f5166849407dc92d0df84389c75 Mon Sep 17 00:00:00 2001
From: creesch <creesch@users.noreply.github.com>
Date: Wed, 26 Jul 2023 19:41:57 +0200
Subject: [PATCH] Allow limited set of markdown in title rendering (#1977)

---
 src/shared/markdown.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/shared/markdown.ts b/src/shared/markdown.ts
index 33afd71..142000d 100644
--- a/src/shared/markdown.ts
+++ b/src/shared/markdown.ts
@@ -23,6 +23,14 @@ export let md: MarkdownIt = new MarkdownIt();
 
 export let mdNoImages: MarkdownIt = new MarkdownIt();
 
+// Zero disables all rules.
+// Only explicitly allow a limited set of rules safe for use in post titles.
+export const mdLimited: MarkdownIt = new MarkdownIt("zero").enable([
+  "emphasis",
+  "backticks",
+  "strikethrough",
+]);
+
 export const customEmojis: EmojiMartCategory[] = [];
 
 export let customEmojisLookup: Map<string, CustomEmojiView> = new Map<
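Review bot: The comment on `mdLimited` calls the rule set safe for titles but does not state the property that makes it safe: the `zero` preset leaves the `html` option off, so raw HTML typed into a title is escaped instead of passed through. Since the second hunk puts this instance's output into an `__html` object, I would pin that explicitly with `new MarkdownIt("zero", { html: false })` and add `// html must stay disabled: the rendered output is injected as raw HTML`. The instance is also exported, so a later `.enable()` or `.use()` call from another module would widen the title rule set for every caller. If nothing outside this file needs it, dropping the `export` removes that risk.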
@@ -43,7 +51,7 @@ export function mdToHtmlNoImages(text: string) {
 }
 
 export function mdToHtmlInline(text: string) {
-  return { __html: md.renderInline(text) };
+  return { __html: mdLimited.renderInline(text) };
 }
 
 const spoilerConfig = {
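Review bot: `mdToHtmlInline` now drops links, images and every other inline rule for all of its callers, not only title rendering. The call sites are outside this patch, so it is worth confirming that none of them relied on the full `md` rule set. The name no longer describes the behaviour, so a doc comment such as `/** Renders inline markdown with the restricted title rule set (emphasis, backticks, strikethrough); raw HTML is escaped. */` and an explicit return type `: { __html: string }` would state the contract. The result is presumably consumed through `dangerouslySetInnerHTML`, so a unit test asserting that a title containing an HTML tag or a link comes back escaped or as plain text would guard the restriction against regressions.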
-- 
2.44.1