depau/HackMD
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Fix unclosed tags might cause XSS [Security Issue]

Browse source
This commit is contained in:
Wu Cheng-Han 2017-09-27 18:20:04 +08:00
parent d1d6d5810b
commit 9b00afb863
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
public/js/render.js
View file

@ -27,7 +27,7 @@ var filterXSSOptions = {
whiteList: whiteList,
escapeHtml: function (html) {
// allow html comment in multiple lines
return html.replace(/<(.*?)>/g, '&lt;$1&gt;')
return html.replace(/<(?!!--)/g, '&lt;').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '&gt;').replace(/__HTML_COMMENT_END__/g, '-->')
},
onIgnoreTag: function (tag, html, options) {
// allow comment tag