From 8c10c393cec641753b33de101bdc3b2f1604f3ad Mon Sep 17 00:00:00 2001
From: Wu Cheng-Han <jacky_cute0808@hotmail.com>
Date: Sat, 26 Nov 2016 22:56:03 +0800
Subject: [PATCH] Fix possible meta XSS in history list [Security Issue]

---
 public/js/history.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/public/js/history.js b/public/js/history.js
index 390e38e..6972f24 100644
--- a/public/js/history.js
+++ b/public/js/history.js
@@ -1,4 +1,5 @@
 var store = require('store');
+var S = require('string');
 
 var common = require('./common');
 var checkIfAuth = common.checkIfAuth;
@@ -337,6 +338,10 @@ function parseToHistory(list, notehistory, callback) {
             notehistory[i].timestamp = timestamp.valueOf();
             notehistory[i].fromNow = timestamp.fromNow();
             notehistory[i].time = timestamp.format('llll');
+            // prevent XSS
+            notehistory[i].text = S(notehistory[i].text).escapeHTML().s;
+            notehistory[i].tags = (notehistory[i].tags && notehistory[i].tags.length > 0) ? S(notehistory[i].tags).escapeHTML().s.split(',') : [];
+            // add to list
             if (notehistory[i].id && list.get('id', notehistory[i].id).length == 0)
                 list.add(notehistory[i]);
         }