Merge pull request #17 from Coding/tencent

Tencent

Author: 春秋一语

app/commons/Tab/TabLabel.jsx

@@ -18,6 +18,7 @@ let TabLabel = observer(({ tab, removeTab, activateTab, openContextMenu, dbClick
       data-droppable='TABLABEL'
       draggable='true'
       onClick={e => activateTab(tab.id)}
+      onMouseUp={e => { e.button === 1 && removeTab(tab.id) }}
       onDoubleClick={() => {
         if (!tab.isActive) {
           activateTab(tab.id)

app/components/MonacoEditor/Editors/MarkDownEditor.jsx

@@ -12,8 +12,13 @@ import scrollMixin from './scrollMixin';
 
 // CodeEditor.use(mdMixin)
 
+const eventXSSReg = /\son[a-z]{3,20}=('\S*'|"\S*")/ig;
+const hrefXSSReg = /\shref=('javascript:\S+'|"javascript:\S+")/ig;
+const scriptLt = /<(?=\/?script)/ig;
+const scriptGt = /(?<=\/?script)>/ig;
+
 const md = new Remarkable('full', {
-  html:         false,        // Enable HTML tags in source
+  html:         true,        // Enable HTML tags in source
   xhtmlOut:     false,        // Use '/' to close single tags (<br />)
   breaks:       false,        // Convert '\n' in paragraphs into <br>
   langPrefix:   'language-',  // CSS language prefix for fenced blocks
@@ -98,9 +103,10 @@ class PreviewEditor extends Component {
 
   render () {
     const { content } = this.props
+    const html = md.render(content).replace(eventXSSReg, '').replace(hrefXSSReg, '').replace(scriptLt, '&lt;').replace(scriptGt, '&gt;');
     return (
       <div name='markdown_preview' className='markdown content'>
-        { this.makeHTMLComponent(md.render(content)) }
+        {this.makeHTMLComponent(html) }
       </div>
     )
   }

package.json

@@ -118,7 +118,6 @@
     "loader-utils": "^1.0.2",
     "localforage": "^1.5.0",
     "lodash": "^4.14.2",
-    "marked": "^0.3.6",
     "minimatch": "^3.0.4",
     "mobx": "^3.1.8",
     "mobx-react": "^4.1.5",