Edit: Sanitization of Markdown content

app/functions/sanitize_markdown.js

@@ -0,0 +1,28 @@
+
+// Modules
+// var validator = require('validator');
+
+// Sanitize Content
+// This will disallow <script> and <style> embeds
+// because output will be HTML-encoded.
+// If you need images, links, etc. use the Markdown format (see docs)
+//
+// This was the prior content sanitizer, which was too aggressive
+// Markdown characters got encoded/escaped to the point of being unusable
+// return validator.escape(str);
+//
+// Instead we now will remove problematic characters not in the Markdown spec
+// https://www.markdownguide.org/cheat-sheet/
+// Includes: >, &
+// More may be added in the future
+// Additionally, Content Security Policy when implemented will help
+
+// TODO: Add Test
+function sanitize_markdown(str) {
+  return str
+    .replace(/</g, '&lt;')
+    .replace(/(\s)&(\s)/g, ' &amp; ');
+}
+
+// Exports
+module.exports = exports = sanitize_markdown;

app/routes/page.edit.route.js

@@ -1,8 +1,8 @@
 // Modules
 var fs = require('fs-extra');
-var validator = require('validator');
 var get_filepath = require('../functions/get_filepath.js');
 var create_meta_info = require('../functions/create_meta_info.js');
+var sanitize_markdown = require('../functions/sanitize_markdown.js');
 
 function route_page_edit(config) {
   return async function (req, res) {
@@ -43,12 +43,7 @@ function route_page_edit(config) {
     }
 
     var complete_content = create_content(req.body);
-
-    // Sanitize Content
-    // This will disallow <script> and <style> embeds
-    // because output will be HTML-encoded.
-    // If you need images, links, etc. use the Markdown format (see docs)
-    var sanitized_content = validator.escape(complete_content);
+    var sanitized_content = sanitize_markdown(complete_content);
 
     try {
       await fs.writeFile(filepath, sanitized_content);