From: creesch <creesch@users.noreply.github.com>
Date: Wed, 26 Jul 2023 17:41:57 +0000 (+0200)
Subject: Allow limited set of markdown in title rendering (#1977)
X-Git-Url: http://these/git/%7B%60%24%7BarchiveTodayUrl%7D/%24%7B%60data:application/static/git-favicon.png?a=commitdiff_plain;h=925d9624d5550f5166849407dc92d0df84389c75;p=lemmy-ui.git

Allow limited set of markdown in title rendering (#1977)
---

diff --git a/src/shared/markdown.ts b/src/shared/markdown.ts
index 33afd71..142000d 100644
--- a/src/shared/markdown.ts
+++ b/src/shared/markdown.ts
@@ -23,6 +23,14 @@ export let md: MarkdownIt = new MarkdownIt();
 
 export let mdNoImages: MarkdownIt = new MarkdownIt();
 
+// Zero disables all rules.
+// Only explicitly allow a limited set of rules safe for use in post titles.
+export const mdLimited: MarkdownIt = new MarkdownIt("zero").enable([
+  "emphasis",
+  "backticks",
+  "strikethrough",
+]);
+
 export const customEmojis: EmojiMartCategory[] = [];
 
 export let customEmojisLookup: Map<string, CustomEmojiView> = new Map<
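Review bot: Nothing in the `mdLimited` declaration pins the `html` option, so the title renderer's safety rests on the "zero" preset default staying `false`. Because `mdToHtmlInline` hands this instance's output to `__html`, I would state the invariant explicitly with `new MarkdownIt("zero", { html: false }).enable([`. The comment above it could also say why the list is short, for example `// Output is injected as __html: do not enable link, image or html_inline here without an XSS review.`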
@@ -43,7 +51,7 @@ export function mdToHtmlNoImages(text: string) {
 }
 
 export function mdToHtmlInline(text: string) {
-  return { __html: md.renderInline(text) };
+  return { __html: mdLimited.renderInline(text) };
 }
 
 const spoilerConfig = {
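Review bot: `mdToHtmlInline` keeps its generic name but now renders only emphasis, backticks and strikethrough, so any caller other than the post title silently loses links and other inline syntax. The call sites are outside this hunk and are worth checking before merge. A TSDoc line on the function would make the contract visible, e.g. `/** Renders text with the limited rule set (mdLimited); the result is used as __html. */`, and an explicit return type `{ __html: string }` would keep the shape checked.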