From 9b00afb863e475e9a72d06d61591535bd38d2d3e Mon Sep 17 00:00:00 2001
From: Wu Cheng-Han <jacky_cute0808@hotmail.com>
Date: Wed, 27 Sep 2017 18:20:04 +0800
Subject: [PATCH] Fix unclosed tags might cause XSS [Security Issue]

---
 public/js/render.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/js/render.js b/public/js/render.js
index 88a05bd..e2574b5 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -27,7 +27,7 @@ var filterXSSOptions = {
   whiteList: whiteList,
   escapeHtml: function (html) {
     // allow html comment in multiple lines
-    return html.replace(/<(.*?)>/g, '&lt;$1&gt;')
+    return html.replace(/<(?!!--)/g, '&lt;').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '&gt;').replace(/__HTML_COMMENT_END__/g, '-->')
   },
   onIgnoreTag: function (tag, html, options) {
     // allow comment tag