depau/HackMD
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Fix XSS HTML replace might get wrong on the HTML comments in the code tags

Browse source
This commit is contained in:
Cheng-Han, Wu 2016-04-20 18:10:43 +08:00
parent 0fb70a1487
commit edc3a31dfd
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
public/js/render.js
View file

@ -3,6 +3,10 @@ var whiteListAttr = ['id', 'class', 'style'];
var filterXSSOptions = { var filterXSSOptions = {
allowCommentTag: true, allowCommentTag: true,
escapeHtml: function (html) {
// to allow html comment in multiple lines
return html.replace(/<(.*?)>/g, '&lt;$1&gt;');
},
onIgnoreTag: function (tag, html, options) { onIgnoreTag: function (tag, html, options) {
// allow style in html // allow style in html
if (whiteListTag.indexOf(tag) !== -1) { if (whiteListTag.indexOf(tag) !== -1) {