depau
/
HackMD
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix to escape html comment tag [Security Issue] 

Signed-off-by: Max Wu <jackymaxj@gmail.com>
This commit is contained in:
Max Wu 2018-12-28 16:42:55 +08:00
parent b89a35196a
commit 067cfe2d1e
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
public/js/render.js
View File

@ -45,7 +45,7 @@ var filterXSSOptions = {
// allow comment tag
if (tag === '!--') {
// do not filter its attributes
return html
return html.replace(/<(?!!--)/g, '&lt;').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '&gt;').replace(/__HTML_COMMENT_END__/g, '-->')
}
},
onTagAttr: function (tag, name, value, isWhiteAttr) {