mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-05-13 14:44:43 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Prevent XSS in markdown rendering

Browse source
This commit is contained in:
Cheng-Han, Wu 2016-02-11 02:36:52 -06:00
parent fdb9c47354
commit 6700f033ab
5 changed files with 11 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
lib/response.js
View file

@ -11,6 +11,7 @@ var shortId = require('shortid');
var metaMarked = require('meta-marked');
var querystring = require('querystring');
var request = require('request');
var xss = require('xss');
//core
var config = require("../config.js");
@ -227,6 +228,7 @@ function showPublishNote(req, res, next) {
//na
}
var updatetime = notedata.update_time;
body = xss(body); // prevent xss
var text = S(body).escapeHTML().s;
var title = notedata.title;
var decodedTitle = LZString.decompressFromBase64(title);
@ -610,6 +612,7 @@ function showPublishSlide(req, res, next) {
var decodedTitle = LZString.decompressFromBase64(title);
if (decodedTitle) title = decodedTitle;
title = Note.generateWebTitle(title);
body = xss(body); // prevent xss
var text = S(body).escapeHTML().s;
render(res, title, text);
});