Fix slide might able to add unsafe attribute on section tag which cause XSS [Security Issue]

This commit is contained in:
Wu Cheng-Han 2016-11-26 22:46:58 +08:00
parent f86a9e0c4b
commit 79d5b2c37f
2 changed files with 5 additions and 1 deletions

View file

@ -1,5 +1,6 @@
// allow some attributes // allow some attributes
var whiteListAttr = ['id', 'class', 'style']; var whiteListAttr = ['id', 'class', 'style'];
window.whiteListAttr = whiteListAttr;
// allow link starts with '.', '/' and custom protocol with '://' // allow link starts with '.', '/' and custom protocol with '://'
var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/; var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/;
// allow data uri, from https://gist.github.com/bgrins/6194623 // allow data uri, from https://gist.github.com/bgrins/6194623

5
public/js/reveal-markdown.js Normal file → Executable file
View file

@ -286,7 +286,10 @@
nodeValue = nodeValue.substring( 0, matches.index ) + nodeValue.substring( mardownClassesInElementsRegex.lastIndex ); nodeValue = nodeValue.substring( 0, matches.index ) + nodeValue.substring( mardownClassesInElementsRegex.lastIndex );
node.nodeValue = nodeValue; node.nodeValue = nodeValue;
while( matchesClass = mardownClassRegex.exec( classes ) ) { while( matchesClass = mardownClassRegex.exec( classes ) ) {
elementTarget.setAttribute( matchesClass[1], matchesClass[2] ); var name = matchesClass[1];
var value = matchesClass[2];
if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1)
elementTarget.setAttribute( name, filterXSS.escapeAttrValue(value) );
} }
return true; return true;
} }