fix xss

LOG.md

@@ -1,4 +1,7 @@
 # 更新日志
+- **2.9.0** (20.4.20)
+    - 将xss组建设置为prop
+    - 去除 markdown-it-sanitizer
 - **2.8.3** (20.4.5)
     - 调整整体默认字号为14px
 - **2.8.2** (20.4.5)

README-EN.md

@@ -122,6 +122,7 @@ export default {
 | imageFilter | Function |     null     | Image file filter Function, params is a `File Object`, you should return `Boolean` about the test result |
 | imageClick | function |     null     |  Image Click Function |
 | tabSize | Number |     null     |  How many spaces equals one tab, default \t |
+| xssOptions     | Object  |     null     | xss options: ![https://github.com/leizongmin/js-xss](https://github.com/leizongmin/js-xss)                    |
 | toolbars   | Object      |   As in the following example  | toolbars |
 
 ```javascript

README.md

@@ -128,6 +128,7 @@ export default {
 | imageFilter | function |     null     |  图片过滤函数，参数为一个`File Object`，要求返回一个`Boolean`, `true`表示文件合法，`false`表示文件不合法 |
 | imageClick | function |     null     |  图片点击事件，默认为预览，可覆盖 |
 | tabSize     | Number  |     \t     | tab转化为几个空格，默认为\t                      |
+| xssOptions     | Object  |     null     | xss规则配置，参考 ![https://github.com/leizongmin/js-xss](https://github.com/leizongmin/js-xss)                    |
 | toolbars     | Object  |     如下例     | 工具栏                      |
 
 ```javascript

package.json

@@ -1,6 +1,6 @@
 {
   "name": "mavon-editor",
-  "version": "2.8.3",
+  "version": "2.9.0",
   "description": "Vue markdown editor",
   "main": "dist/mavon-editor.js",
   "types": "./mavon-editor.d.ts",
@@ -73,7 +73,6 @@
     "markdown-it-ins": "^2.0.0",
     "markdown-it-katex-external": "^1.0.0",
     "markdown-it-mark": "^2.0.0",
-    "markdown-it-sanitizer": "^0.4.3",
     "markdown-it-sub": "^1.0.0",
     "markdown-it-sup": "^1.0.0",
     "markdown-it-task-lists": "^2.1.1",

src/dev/app.vue

@@ -104,6 +104,11 @@
                     preview: true,
                     subfield: false
                 },
+                // xssOptions: {
+                //      escapeHtml (html) {
+                //          return html
+                //      }
+                // },
                 autofocus: true,
                 subfield: true,
                 editable: true,

src/lib/mixins/markdown.js

@@ -13,8 +13,6 @@ var markdown_config = {
 }
 
 var markdown = require('markdown-it')(markdown_config);
-// sanitizer
-var sanitizer = require('markdown-it-sanitizer')
 // 表情
 var emoji = require('markdown-it-emoji');
 // 下标
@@ -73,7 +71,6 @@ var hljs_opts = {
     }
 };
 markdown.use(mihe, hljs_opts)
-    .use(sanitizer)
     .use(emoji)
     .use(sup)
     .use(sub)

src/mavon-editor.vue

@@ -88,9 +88,9 @@
 </template>
 
 <script>
-    // import tomarkdown from './lib/core/to-markdown.js'
+// import tomarkdown from './lib/core/to-markdown.js'
 import {autoTextarea} from 'auto-textarea'
-import {keydownListen} from './lib/core/keydown-listen.js'
+import {keydownListen} from './lib/core/keydown-listen.js' 
 import hljsCss from './lib/core/hljs/lang.hljs.css.js'
 import hljsLangs from './lib/core/hljs/lang.hljs.js'
 const xss = require('xss');
@@ -198,6 +198,12 @@ export default {
                 return CONFIG.toolbars
             }
         },
+        xssOptions: { // 工具栏
+            type: Object,
+            default() {
+                return null
+            }
+        },
         codeStyle: { // <code></code> 样式
             type: String,
             default() {
@@ -670,12 +676,13 @@ export default {
         },
         value: function (val, oldVal) {
             // Escaping all XSS characters
-            val = xss(val, {
-                escapeHtml (html) {
-                    return html
-                }
-            });
-
+            //         escapeHtml (html) {
+            //             return html
+            //         }
+            if (this.xssOptions) {
+                val = xss(val, this.xssOptions);
+            }
+            
             if (val !== this.d_value) {
                 this.d_value = val
             }