From 0f969ce383bb3e564a332b585e527de68493d881 Mon Sep 17 00:00:00 2001
From: Trevor Buckner
Date: Tue, 20 Aug 2024 17:11:50 -0400
Subject: [PATCH 1/3] Add catch-all for invalid paths

res.route is the currently-matched route. If nothing has been matched by this point (route = undefined), we have an invalid route.
---
 server/app.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/server/app.js b/server/app.js
index b419c5cea..b15e9946c 100644
--- a/server/app.js
+++ b/server/app.js
@@ -420,6 +420,14 @@ if(isLocalEnvironment){
 	});
 }
 
+// Catch-all route for invalid routes
+app.use((req, res, next) => {
+	if (!req.route)
+		return res.redirect('/');
+
+	return next();
+});
+
 //Render the page
 const templateFn = require('./../client/template.js');
 const renderPage = async (req, res)=>{
From 645c9a122c3236c1ac5fc036cb598b9a91c1c2ee Mon Sep 17 00:00:00 2001
From: Trevor Buckner
Date: Thu, 22 Aug 2024 11:51:24 -0400
Subject: [PATCH 2/3] Update `cleanURL` helper function to match later Marked version

---
 shared/naturalcrit/markdown.js | 32 +++++++++----------------------
 1 file changed, 9 insertions(+), 23 deletions(-)

diff --git a/shared/naturalcrit/markdown.js b/shared/naturalcrit/markdown.js
index 9388e912a..be2f56af9 100644
--- a/shared/naturalcrit/markdown.js
+++ b/shared/naturalcrit/markdown.js
@@ -86,7 +86,7 @@ renderer.link = function (href, title, text) {
 	if(href[0] == '#') {
 		self = true;
 	}
-	href = cleanUrl(this.options.sanitize, this.options.baseUrl, href);
+	href = cleanUrl(href);
 	if(href === null) {
 		return text;
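Review bot: The `if (!req.route)` guard in the new middleware is order-dependent: Express only populates `req.route` once a route layer has dispatched, so this `app.use` must stay registered after every route and mounted router or it will redirect requests that are perfectly valid, and nothing on the line records that constraint — add `// NOTE: must stay after all routes; req.route is only set once a route layer has matched`. Redirecting with a 302 to `/` for every unmatched path and method also makes a misrouted POST or a probing request look like a success rather than a 404, which hides them from logs and from API clients expecting JSON; consider answering 404 for non-GET requests, or at least logging the original `req.originalUrl` before redirecting. The commit description says `res.route` while the code reads `req.route`.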
@@ -712,28 +712,14 @@ Marked.use(mustacheInjectBlock);
 Marked.use({ renderer: renderer, tokenizer: tokenizer, mangle: false });
 Marked.use(MarkedExtendedTables(), MarkedGFMHeadingId(), MarkedSmartypantsLite(), MarkedEmojis(MarkedEmojiOptions));
 
-const nonWordAndColonTest = /[^\w:]/g;
-const cleanUrl = function (sanitize, base, href) {
-	if(sanitize) {
-		let prot;
-		try {
-			prot = decodeURIComponent(unescape(href))
-				.replace(nonWordAndColonTest, '')
-				.toLowerCase();
-		} catch (e) {
-			return null;
-		}
-		if(prot.indexOf('javascript:') === 0 || prot.indexOf('vbscript:') === 0 || prot.indexOf('data:') === 0) {
-			return null;
-		}
-	}
-	try {
-		href = encodeURI(href).replace(/%25/g, '%');
-	} catch (e) {
-		return null;
-	}
-	return href;
-};
+function cleanUrl(href) {
+	try {
+		href = encodeURI(href).replace(/%25/g, '%');
+	} catch {
+		return null;
+	}
+	return href;
+}
 
 const escapeTest = /[&<>"']/;
 const escapeReplace = /[&<>"']/g;
From 40ab2c2283f64c22978a83ffbaebe7b92e247434 Mon Sep 17 00:00:00 2001
From: Trevor Buckner
Date: Thu, 22 Aug 2024 14:24:33 -0400
Subject: [PATCH 3/3] rearrange code

---
 server/app.js | 24 +++++++++--------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/server/app.js b/server/app.js
index b15e9946c..8b3e4652b 100644
--- a/server/app.js
+++ b/server/app.js
@@ -14,6 +14,7 @@ const GoogleActions = require('./googleActions.js');
 const serveCompressedStaticAssets = require('./static-assets.mv.js');
 const sanitizeFilename = require('sanitize-filename');
 const asyncHandler = require('express-async-handler');
+const templateFn = require('./../client/template.js');
 const { DEFAULT_BREW } = require('./brewDefaults.js');
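Review bot: The rewritten `cleanUrl` drops the only scheme check visible in this file: the removed branch returned null for `javascript:`, `vbscript:` and `data:` hrefs after decoding and stripping non-word characters, while the new function only `encodeURI`s whatever it is handed, so a `[x](javascript:alert(1))` link now reaches `renderer.link` as `<a href="javascript:alert(1)">` unless the rendered HTML is sanitized somewhere downstream. The old check was gated on `this.options.sanitize`, which nothing in this diff shows being set, and later Marked versions do leave output sanitization to the caller, so this may already be covered — but the commit does not say where. If it is not, keep the check inside the new `try` ahead of the encode: `const scheme = decodeURIComponent(href).replace(/[^\w:]/g, '').toLowerCase();` followed by `if(/^(javascript|vbscript|data):/.test(scheme)) return null;` (the existing `catch` already turns a malformed escape into null). Either way a one-line comment on `cleanUrl` stating that it only percent-encodes and that scheme filtering is the caller's or the HTML sanitizer's job would stop the next reader from assuming it is safe on its own.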
@@ -420,16 +421,16 @@ if(isLocalEnvironment){
 	});
 }
 
-// Catch-all route for invalid routes
-app.use((req, res, next) => {
-	if (!req.route)
-		return res.redirect('/');
-
-	return next();
-});
+//Send rendered page
+app.use(asyncHandler(async (req, res, next)=>{
+	if (!req.route) return res.redirect('/'); // Catch-all for invalid routes
+
+	const page = await renderPage(req, res);
+	if(!page) return;
+	res.send(page);
+}));
 
 //Render the page
-const templateFn = require('./../client/template.js');
 const renderPage = async (req, res)=>{
 	// Create configuration object
 	const configuration = {
@@ -458,13 +459,6 @@ const renderPage = async (req, res)=>{
 	return page;
 };
 
-//Send rendered page
-app.use(asyncHandler(async (req, res, next)=>{
-	const page = await renderPage(req, res);
-	if(!page) return;
-	res.send(page);
-}));
-
 //v=====----- Error-Handling Middleware -----=====v//
 //Format Errors as plain objects so all fields will appear in the string sent
 const formatErrors = (key, value)=>{
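Review bot: The `if (!req.route) return res.redirect('/');` line in the merged render middleware silently relies on this `app.use` being registered after every route and mounted router, since Express sets `req.route` only once a route layer has dispatched; the trailing comment explains the intent but not that constraint, so extend it to `// Catch-all for invalid routes; req.route is only set once a route has matched, so this must stay after all routes`. Because the redirect applies to every method, an unmatched POST or PUT now gets a 302 instead of a 404, which is misleading for API clients and hides probes in access logs; a `404` for non-GET requests, or a log of `req.originalUrl` before redirecting, would keep those distinguishable. `renderPage` is referenced here before its `const` declaration a few lines below, which works only because the closure runs at request time after the module has loaded — a short `// renderPage is declared below; only invoked at request time` note would save a reader from suspecting a TDZ error. `renderPage`'s body continues outside the hunk.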