Fix rendering might result XSS attribute on self closing tag [Security Issue]

public/js/extra.js

@@ -551,6 +551,19 @@ export function postProcess (code) {
 }
 window.postProcess = postProcess
 
+var domevents = Object.getOwnPropertyNames(document).concat(Object.getOwnPropertyNames(Object.getPrototypeOf(Object.getPrototypeOf(document)))).concat(Object.getOwnPropertyNames(Object.getPrototypeOf(window))).filter(function (i) {
+  return !i.indexOf('on') && (document[i] === null || typeof document[i] === 'function')
+}).filter(function (elem, pos, self) {
+  return self.indexOf(elem) === pos
+})
+
+export function removeDOMEvents (view) {
+  for (var i = 0, l = domevents.length; i < l; i++) {
+    view.find('[' + domevents[i] + ']').removeAttr(domevents[i])
+  }
+}
+window.removeDOMEvents = removeDOMEvents
+
 function generateCleanHTML (view) {
   const src = view.clone()
   const eles = src.find('*')

public/js/index.js

@@ -42,6 +42,7 @@ import {
     deduplicatedHeaderId,
     exportToHTML,
     exportToRawHTML,
+    removeDOMEvents,
     finishView,
     generateToc,
     isValidURL,
@@ -3374,6 +3375,7 @@ function updateViewInner () {
     if (result && lastResult && result.length !== lastResult.length) { updateDataAttrs(result, ui.area.markdown.children().toArray()) }
     lastResult = $(result).clone()
   }
+  removeDOMEvents(ui.area.markdown)
   finishView(ui.area.markdown)
   autoLinkify(ui.area.markdown)
   deduplicatedHeaderId(ui.area.markdown)

public/js/pretty.js

@@ -10,6 +10,7 @@ require('highlight.js/styles/github-gist.css')
 import {
     autoLinkify,
     deduplicatedHeaderId,
+    removeDOMEvents,
     finishView,
     generateToc,
     md,
@@ -57,6 +58,7 @@ if (md.meta.type && md.meta.type === 'slide') {
 }
 $(document.body).show()
 
+removeDOMEvents(markdown)
 finishView(markdown)
 autoLinkify(markdown)
 deduplicatedHeaderId(markdown)

public/js/slide.js

@@ -4,7 +4,7 @@
 require('../css/extra.css')
 require('../css/site.css')
 
-import { md, updateLastChange, finishView } from './extra'
+import { md, updateLastChange, removeDOMEvents, finishView } from './extra'
 
 const body = $('.slides').text()
 
@@ -109,6 +109,7 @@ function renderSlide (event) {
   if (window.location.search.match(/print-pdf/gi)) {
     const slides = $('.slides')
     let title = document.title
+    removeDOMEvents(slides)
     finishView(slides)
     document.title = title
     Reveal.layout()
@@ -116,6 +117,7 @@ function renderSlide (event) {
     const markdown = $(event.currentSlide)
     if (!markdown.attr('data-rendered')) {
       let title = document.title
+      removeDOMEvents(markdown)
       finishView(markdown)
       markdown.attr('data-rendered', 'true')
       document.title = title