Normalize the page contents used to create a PreviewPage. Fixes #1617.

README.md

@@ -5,6 +5,8 @@ gollum -- A git-based Wiki
 [![Build Status](https://travis-ci.org/gollum/gollum.svg?branch=master)](https://travis-ci.org/gollum/gollum)
 [![Open Source Helpers](https://www.codetriage.com/gollum/gollum/badges/users.svg)](https://www.codetriage.com/gollum/gollum)
 
+**Please update to gollum 5.1.1 to counter a recent exploit in the kramdown rendering gem, [CVE-2020-14001](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001)**
+
 **Gollum version 5.0 is out!** See [here](https://github.com/gollum/gollum/wiki/5.0-release-notes) for a list of changes and new features compared to Gollum version 4.x, and see some [Screenshots](https://github.com/gollum/gollum/wiki/Screenshots) of Gollum's features.
 
 ## DESCRIPTION

gollum.gemspec

@@ -5,8 +5,8 @@ Gem::Specification.new do |s|
   s.required_ruby_version = '>= 1.9'
 
   s.name              = 'gollum'
-  s.version           = '5.1'
-  s.date              = '2020-08-03'
+  s.version           = '5.1.1'
+  s.date              = '2020-08-11'
   s.license           = 'MIT'
 
   s.summary     = 'A simple, Git-powered wiki.'
@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
   s.extra_rdoc_files = %w[README.md LICENSE]
 
   s.add_dependency 'gollum-lib', '~> 5.0'
-  s.add_dependency 'kramdown', '~> 2.1.0'
+  s.add_dependency 'kramdown', '~> 2.3'
   s.add_dependency 'kramdown-parser-gfm', '~> 1.0.0'
   s.add_dependency 'sinatra', '~> 2.0'
   s.add_dependency 'sinatra-contrib', '~> 2.0'

lib/gollum.rb

@@ -12,7 +12,7 @@ require 'rhino' if RUBY_PLATFORM == 'java'
 require File.expand_path('../gollum/uri_encode_component', __FILE__)
 
 module Gollum
-  VERSION = '5.1'
+  VERSION = '5.1.1'
 
   def self.assets_path
     ::File.expand_path('gollum/public', ::File.dirname(__FILE__))

lib/gollum/app.rb

@@ -355,6 +355,9 @@ module Precious
         if settings.wiki_options[:template_page] then
           temppage = wiki_page('/_Template')
           @template_page = (temppage.page != nil) ? temppage.page.raw_data : 'Template page option is set, but no /_Template page is present or committed.'
+          if defined?(Gollum::TemplateFilter)
+            @template_page = Gollum::TemplateFilter.filter(@template_page)
+          end
         end
         wikip = wiki_page(params[:splat].first)
         @name = wikip.name
@@ -418,7 +421,7 @@ module Precious
       post '/preview' do
         wiki           = wiki_new
         @name          = params[:page] ? strip_page_name(CGI.unescape(params[:page])) : 'Preview'
-        @page          = wiki.preview_page(@name, params[:content], params[:format])
+        @page          = wiki.preview_page(@name, wiki.normalize(params[:content]), params[:format])
         ['sidebar', 'header', 'footer'].each do |subpage|
           @page.send("set_#{subpage}".to_sym, params[subpage]) if params[subpage]
         end

lib/gollum/public/gollum/javascript/gollum.js.erb

@@ -345,7 +345,8 @@ $(document).ready(function() {
     var formData = new FormData($('#gollum-editor-form').get(0));
     var paths = window.location.pathname.split('/');
     var sectionAnchor = window.location.hash.substr(1);
-    formData.append('page', paths[ paths.length - 1 ] || '')
+    formData.append('page', paths[ paths.length - 1 ] || '');
+
     $.ajax({
       url: routePath('preview'),
       data: formData,