Fix unclosed tags might cause XSS [Security Issue]

Wu Cheng-Han 2017-09-27 18:20:04 +08:00
parent d1d6d5810b
commit 9b00afb863


@ -27,7 +27,7 @@ var filterXSSOptions = {
whiteList: whiteList,
escapeHtml: function (html) {
// allow html comment in multiple lines
return html.replace(/<(.*?)>/g, '&lt;$1&gt;')
return html.replace(/<(?!!--)/g, '&lt;').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '&gt;').replace(/__HTML_COMMENT_END__/g, '-->')
},
onIgnoreTag: function (tag, html, options) {
// allow comment tag
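Review bot: The negative lookahead in the new `escapeHtml` exempts every `<!--` from escaping whether or not a closing `-->` follows, so an unterminated comment opener still reaches the output unescaped, which is the same unclosed-construct case this commit closes for ordinary tags. If the filtered HTML is embedded in a larger document, that opener can comment out the markup that follows it. Consider exempting only openers that have a terminator, e.g. `html.replace(/<(?!!--[\s\S]*?-->)/g, '&lt;')` as the first step, and add a test with a lone `<!--`. Separately, the `__HTML_COMMENT_END__` placeholder is in-band: that literal string in user text is rewritten to `-->`, so a comment noting this, or a sentinel that cannot occur in input, would help. The rest of `filterXSSOptions`, including `onIgnoreTag`, lies outside the hunk, so later comment handling may already cover part of this.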