diff --git a/scripts/stellar_cli_plugins.mjs b/scripts/stellar_cli_plugins.mjs index 85b717f6e..debe180f4 100644 --- a/scripts/stellar_cli_plugins.mjs +++ b/scripts/stellar_cli_plugins.mjs @@ -5,16 +5,39 @@ import https from "https"; // E.g. "user/repo" const excludePlugins = ["haqnawaz03329-debug/haqnawaz"]; -// GitHub repo descriptions are attacker-controlled (anyone can tag a repo with -// the `stellar-cli-plugin` topic), and this content is injected into MDX, which -// renders HTML/JSX. Neutralize characters that could execute as markup/script. -function sanitize(value) { - return (value || "") - .replace(/&/g, "&") - .replace(//g, ">") - .replace(/{/g, "{") - .replace(/}/g, "}"); +const MD_ENTITIES = { + "&": "&", + "<": "<", + ">": ">", + '"': """, + "'": "'", + "*": "*", + _: "_", + "`": "`", + "[": "[", + "]": "]", + "(": "(", + ")": ")", + "#": "#", + "+": "+", + "-": "-", + ".": ".", + "!": "!", + "|": "|", + "~": "~", + "\\": "\", + "{": "{", + "}": "}", + "=": "=", + ":": ":", + $: "$", +}; + +function escape(value) { + return String(value ?? "") + .replace(/\s+/g, " ") + .trim() + .replace(/[&<>"'*_`\[\]()#+\-.!|~\\{}=:$]/g, (ch) => MD_ENTITIES[ch]); } function exportMDX(data) { @@ -23,9 +46,9 @@ function exportMDX(data) { return buffer; } - const plugin = `### [${sanitize(item.full_name)}](${encodeURI(item.html_url)}) + const plugin = `### [${escape(item.full_name)}](${encodeURI(item.html_url)}) -${sanitize(item.description)} +

${escape(item.description)}

[${encodeURI(item.html_url)}](${encodeURI(item.html_url)}) `;