Fix rendering might result XSS attribute on self closing tag [Security Issue]
parent
edb1b4aa0a
commit
f491cdabc1
4 changed files with 20 additions and 1 deletions
|
@ -551,6 +551,19 @@ export function postProcess (code) {
|
|||
}
|
||||
window.postProcess = postProcess
|
||||
|
||||
var domevents = Object.getOwnPropertyNames(document).concat(Object.getOwnPropertyNames(Object.getPrototypeOf(Object.getPrototypeOf(document)))).concat(Object.getOwnPropertyNames(Object.getPrototypeOf(window))).filter(function (i) {
|
||||
return !i.indexOf('on') && (document[i] === null || typeof document[i] === 'function')
|
||||
}).filter(function (elem, pos, self) {
|
||||
return self.indexOf(elem) === pos
|
||||
})
|
||||
|
||||
export function removeDOMEvents (view) {
|
||||
for (var i = 0, l = domevents.length; i < l; i++) {
|
||||
view.find('[' + domevents[i] + ']').removeAttr(domevents[i])
|
||||
}
|
||||
}
|
||||
window.removeDOMEvents = removeDOMEvents
|
||||
|
||||
function generateCleanHTML (view) {
|
||||
const src = view.clone()
|
||||
const eles = src.find('*')
|
||||
|
|
|
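Review bot: The `domevents` list is a denylist computed from the properties of `document` and the `window` prototype in whichever browser loads the page, so `removeDOMEvents` never strips a handler attribute that exists only on a specific element interface, or that a given browser does not expose on `document`. Matching on the attribute name itself is more robust: walk the rendered elements and drop every attribute whose name starts with `on`, which also removes the need for the precomputed list. `view.find(...)` also skips the root element of `view`; the version below covers it with `addBack()`. This remains a post-render cleanup, so rejecting these attributes in the HTML sanitizer configuration (not visible in this commit) would be the stronger control.

```javascript
export function removeDOMEvents (view) {
  // Match on the attribute name rather than on a browser-derived list.
  view.find('*').addBack().each(function () {
    // Copy first: the attributes collection is live and shrinks on removal.
    Array.from(this.attributes).forEach((attr) => {
      if (/^on/i.test(attr.name)) this.removeAttribute(attr.name)
    })
  })
}
// … unchanged: window.removeDOMEvents assignment …
```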
@ -42,6 +42,7 @@ import {
|
|||
deduplicatedHeaderId,
|
||||
exportToHTML,
|
||||
exportToRawHTML,
|
||||
removeDOMEvents,
|
||||
finishView,
|
||||
generateToc,
|
||||
isValidURL,
|
||||
|
@ -3374,6 +3375,7 @@ function updateViewInner () {
|
|||
if (result && lastResult && result.length !== lastResult.length) { updateDataAttrs(result, ui.area.markdown.children().toArray()) }
|
||||
lastResult = $(result).clone()
|
||||
}
|
||||
removeDOMEvents(ui.area.markdown)
|
||||
finishView(ui.area.markdown)
|
||||
autoLinkify(ui.area.markdown)
|
||||
deduplicatedHeaderId(ui.area.markdown)
|
||||
|
|
|
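Review bot: `removeDOMEvents(ui.area.markdown)` runs on the live preview container, so the rendered markup appears to be attached to the document before it is cleaned; the `updateDataAttrs(result, ui.area.markdown.children().toArray())` context line suggests this, though the start of `updateViewInner` is outside the hunk. Handler attributes on attached elements are active from the moment of insertion, so stripping them afterwards narrows the window rather than closing it. If the insertion code allows it, clean the detached `result` nodes before they are attached. At minimum, document the ordering requirement at the call, e.g. `// Defense in depth: strip inline on* handler attributes from rendered note content; keep this before finishView`. The same call pattern is added in the pretty-view hunk (`removeDOMEvents(markdown)`) and in `renderSlide`.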
@ -10,6 +10,7 @@ require('highlight.js/styles/github-gist.css')
|
|||
import {
|
||||
autoLinkify,
|
||||
deduplicatedHeaderId,
|
||||
removeDOMEvents,
|
||||
finishView,
|
||||
generateToc,
|
||||
md,
|
||||
|
@ -57,6 +58,7 @@ if (md.meta.type && md.meta.type === 'slide') {
|
|||
}
|
||||
$(document.body).show()
|
||||
|
||||
removeDOMEvents(markdown)
|
||||
finishView(markdown)
|
||||
autoLinkify(markdown)
|
||||
deduplicatedHeaderId(markdown)
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
require('../css/extra.css')
|
||||
require('../css/site.css')
|
||||
|
||||
import { md, updateLastChange, finishView } from './extra'
|
||||
import { md, updateLastChange, removeDOMEvents, finishView } from './extra'
|
||||
|
||||
const body = $('.slides').text()
|
||||
|
||||
|
@ -109,6 +109,7 @@ function renderSlide (event) {
|
|||
if (window.location.search.match(/print-pdf/gi)) {
|
||||
const slides = $('.slides')
|
||||
let title = document.title
|
||||
removeDOMEvents(slides)
|
||||
finishView(slides)
|
||||
document.title = title
|
||||
Reveal.layout()
|
||||
|
@ -116,6 +117,7 @@ function renderSlide (event) {
|
|||
const markdown = $(event.currentSlide)
|
||||
if (!markdown.attr('data-rendered')) {
|
||||
let title = document.title
|
||||
removeDOMEvents(markdown)
|
||||
finishView(markdown)
|
||||
markdown.attr('data-rendered', 'true')
|
||||
document.title = title
|
||||
|
|
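Review bot: In the non-print path of `renderSlide`, `removeDOMEvents(markdown)` is applied only to `event.currentSlide`, and only while it lacks `data-rendered`. Slides that are in the document but not yet shown therefore keep their inline handler attributes until the user navigates to them. Presumably all slides are parsed into `.slides` up front (that code is outside these hunks), in which case the cleanup should run once over the whole container right after the slides are rendered, e.g. `removeDOMEvents($('.slides'))`, rather than lazily per slide. `renderSlide` starts and ends outside the hunks shown.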