From bfd873c8e4b5bbb851f815c9a9fa5598eea31d2e Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Thu, 20 Sep 2018 11:35:31 -0400 Subject: [PATCH] Only markdown strings in builder service when explicitly whitelisted --- static/js/services/string-builder-service.js | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/static/js/services/string-builder-service.js b/static/js/services/string-builder-service.js index f59598f72..d5ec9130e 100644 --- a/static/js/services/string-builder-service.js +++ b/static/js/services/string-builder-service.js @@ -26,6 +26,10 @@ angular.module('quay').factory('StringBuilderService', ['$sce', 'UtilService', f 'manifest_digest': 'link' }; + var allowMarkdown = { + 'description': true, + }; + var filters = { 'obj': function(value) { if (!value) { return []; } @@ -118,8 +122,12 @@ angular.module('quay').factory('StringBuilderService', ['$sce', 'UtilService', f } var safe = UtilService.textToSafeHtml(value); - var markedDown = UtilService.getMarkedDown(safe); - markedDown = markedDown.substr('

'.length, markedDown.length - '

'.length); + var result = safe; + + if (allowMarkdown[key]) { + result = UtilService.getMarkedDown(result); + result = result.substr('

'.length, result.length - '

'.length); + } var icon = fieldIcons[key]; if (icon) { @@ -127,12 +135,12 @@ angular.module('quay').factory('StringBuilderService', ['$sce', 'UtilService', f icon = 'fa-' + icon; } - markedDown = '' + markedDown; + result = '' + result; } var codeTag = opt_codetag || 'code'; description = description.replace('{' + prefix + key + '}', - '<' + codeTag + '>' + markedDown + ''); + '<' + codeTag + '>' + result + ''); return description }
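Review bot: The allowlist test `if (allowMarkdown[key])` in the second hunk is a truthiness lookup on a plain object literal, so a key such as `constructor` or `toString` resolves to an inherited function and passes the check. Where `key` comes from is outside the hunk; if it can be any metadata field name, compare strictly with `if (allowMarkdown[key] === true) {` or test `Object.prototype.hasOwnProperty.call(allowMarkdown, key)`. The `allowMarkdown` declaration in the first hunk would also benefit from a comment such as `// Only fields listed here are rendered as markdown; every other value stays escaped text.` For the field that remains allowed, the output is only as safe as `UtilService.getMarkedDown`'s handling of link and image targets, which is not visible in this patch.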
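Review bot: The replacement built from `result` on the changed `description.replace(...)` line in the third hunk is passed as a string, so `String.prototype.replace` expands sequences such as `$&` and `$'` that appear inside it. A metadata value containing one of these would copy the placeholder or a neighbouring part of the description template into the output, and HTML-escaping does not help because `$&` survives as `$&amp;`. Passing a function as the second argument, i.e. wrapping the existing expression in `function() { return /* existing expression */; }`, makes the value be inserted literally. The enclosing function starts and ends outside the hunk, so whether the built string is later marked as trusted HTML through the injected `$sce` cannot be confirmed from here.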