Fix to escape html comment tag [Security Issue]

Signed-off-by: Max Wu <jackymaxj@gmail.com>
Max Wu 2018-12-28 16:42:55 +08:00
parent b89a35196a
commit 067cfe2d1e


@ -45,7 +45,7 @@ var filterXSSOptions = {
// allow comment tag // allow comment tag
if (tag === '!--') { if (tag === '!--') {
// do not filter its attributes // do not filter its attributes
return html return html.replace(/<(?!!--)/g, '&lt;').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '&gt;').replace(/__HTML_COMMENT_END__/g, '-->')
} }
}, },
onTagAttr: function (tag, name, value, isWhiteAttr) { onTagAttr: function (tag, name, value, isWhiteAttr) {
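Review bot: The new `return html.replace(...)` chain in the `tag === '!--'` branch protects `-->` with the in-band placeholder `__HTML_COMMENT_END__`, so a comment whose text already contains that literal string comes out of the last `.replace()` with a `-->` (and therefore an unescaped `>`) that the author never wrote. A single pass avoids the placeholder entirely: `return html.replace(/<(?!!--)|-->|>/g, function (m) { return m === '-->' ? m : (m === '<' ? '&lt;' : '&gt;') })`. The comment `// do not filter its attributes` above it no longer matches what the branch does and could read `// keep the comment delimiters, escape every other < and >`. A regression test with input containing the placeholder text, a nested `<!--` and a bare `>` would pin the behaviour. The enclosing callback starts above the hunk, so what `html` holds for a comment tag is assumed from the visible lines only.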