From 957419d7f0c6eb7417d34ce1bd245505c1326651 Mon Sep 17 00:00:00 2001
From: Olivier Paroz
Date: Tue, 8 Sep 2015 02:28:13 +0200
Subject: Sanitize gallery.cnf even more using DOMPurify
---
 js/bower.json | 6 ++++--
 js/galleryinfobox.js | 16 ++++++++--------
 templates/part.content.php | 1 +
 templates/public.php | 1 +
 4 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/js/bower.json b/js/bower.json
index 1f67648e..5e7e3193 100644
--- a/js/bower.json
+++ b/js/bower.json
@@ -2,7 +2,8 @@
 "name": "gallery",
 "homepage": "https://github.com/owncloud/gallery",
 "authors": [
- "Olivier Paroz "
+ "Olivier Paroz ",
+ "Robin Appelman "
 ],
 "description": "Media gallery for ownCloud which includes previews for all media types supported by your ownCloud installation.",
 "license": "AGPL",
@@ -17,6 +18,7 @@
 "dependencies": {
 "eventsource-polyfill": "~0.*",
 "marked": "~0.*",
- "github-markdown-css": "~2.*"
+ "github-markdown-css": "~2.*",
+ "dompurify": "~0.6.5"
 }
 }
diff --git a/js/galleryinfobox.js b/js/galleryinfobox.js
index b4712237..cb192cfb 100644
--- a/js/galleryinfobox.js
+++ b/js/galleryinfobox.js
@@ -1,4 +1,4 @@
-/* global Gallery, marked */
+/* global Gallery, marked, DOMPurify */
 (function ($, t, Gallery) {
 "use strict";
 /**
@@ -41,9 +41,9 @@
 thisInfoBox._addContent(data);
 }
 ).fail(function () {
- thisInfoBox._addContent(t('gallery', 'Could not load the description'));
- });
+ thisInfoBox._addContent(t('gallery', 'Could not load the description'));
+ });
 } else {
 this._addContent(this.albumInfo.description);
 }
@@ -63,10 +63,10 @@
 */
 _addContent: function (content) {
 try {
- content = marked(content, {
+ content = DOMPurify.sanitize(marked(content, {
 gfm: false,
 sanitize: true
- });
+ }));
 } catch (exception) {
 content = t('gallery',
 'Could not load the description: ' + exception.message);
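Review bot: The catch branch still assigns `content` from `'Could not load the description: ' + exception.message`, and that fallback never goes through DOMPurify.sanitize — only the success path inside the try does — so if exception.message can echo any part of the markdown input, it reaches whatever consumes `content` after the hunk unsanitized. Concatenating the message into the translation string also defeats translation lookup, since the key changes with every exception. If `t` here is ownCloud's L10N wrapper, which escapes substituted variables by default (not confirmable from this diff), a placeholder keeps the message both translatable and escaped: `content = t('gallery', 'Could not load the description: {message}', {message: exception.message});`. The body of _addContent continues past the end of the hunk, and the copyright hunk below repeats the same fallback pattern.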
@@ -104,10 +104,10 @@
 if (!$.isEmptyObject(this.albumInfo.copyright)) {
 try {
- copyright = marked(this.albumInfo.copyright, {
+ copyright = DOMPurify.sanitize(marked(this.albumInfo.copyright, {
 gfm: false,
 sanitize: true
- });
+ }));
 } catch (exception) {
 copyright = t('gallery',
diff --git a/templates/part.content.php b/templates/part.content.php
index 7703712a..d3d8d70c 100644
--- a/templates/part.content.php
+++ b/templates/part.content.php
@@ -22,6 +22,7 @@ script(
 'vendor/modified-eventsource-polyfill/eventsource-polyfill',
 'eventsource',
 'vendor/marked/marked.min',
+ 'vendor/dompurify/purify',
 'vendor/bigshot/bigshot-compressed',
 'slideshow',
 'slideshowcontrols',
diff --git a/templates/public.php b/templates/public.php
index 57fb4ca9..8ebe6369 100644
--- a/templates/public.php
+++ b/templates/public.php
@@ -22,6 +22,7 @@ script(
 'vendor/modified-eventsource-polyfill/eventsource-polyfill',
 'eventsource',
 'vendor/marked/marked.min',
+ 'vendor/dompurify/purify',
 'vendor/bigshot/bigshot-compressed',
 'slideshow',
 'slideshowcontrols',
-- cgit v1.2.3
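Review bot: The new `'vendor/dompurify/purify'` entry sits after marked, but `galleryinfobox.js` — which now calls DOMPurify.sanitize unconditionally — is not in the visible part of this `script(` list, so the hunk alone cannot show that it is loaded after purify; if it is listed earlier, the global is undefined when the info box renders. A comment on the new line would make the ordering constraint explicit for the next person editing the list, e.g. `'vendor/dompurify/purify', // must precede galleryinfobox.js, which calls DOMPurify.sanitize`. The `script(` call continues past the hunk, and part.content.php carries the identical change.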