Fix slide might trigger script when processing markdown which cause XSS [Security Issue]

This commit is contained in:
Wu Cheng-Han 2016-11-26 22:46:08 +08:00
parent 9383df59c9
commit f86a9e0c4b
3 changed files with 12 additions and 16 deletions


@ -16,15 +16,6 @@ var config = require("./config.js");
var logger = require("./logger.js"); var logger = require("./logger.js");
var models = require("./models"); var models = require("./models");
//slides
var md = require('reveal.js/plugin/markdown/markdown');
//reveal.js
var slideOptions = {
separator: '^(\r\n?|\n)---(\r\n?|\n)$',
verticalSeparator: '^(\r\n?|\n)----(\r\n?|\n)$'
};
//public //public
var response = { var response = {
errorForbidden: function (res) { errorForbidden: function (res) {
@ -584,7 +575,6 @@ function showPublishSlide(req, res, next) {
var text = S(body).escapeHTML().s; var text = S(body).escapeHTML().s;
var title = models.Note.decodeTitle(note.title); var title = models.Note.decodeTitle(note.title);
title = models.Note.generateWebTitle(meta.title || title); title = models.Note.generateWebTitle(meta.title || title);
var slides = md.slidify(text, slideOptions);
var origin = config.serverurl; var origin = config.serverurl;
var data = { var data = {
title: title, title: title,
@ -593,7 +583,7 @@ function showPublishSlide(req, res, next) {
createtime: createtime, createtime: createtime,
updatetime: updatetime, updatetime: updatetime,
url: origin, url: origin,
slides: slides, body: text,
meta: JSON.stringify(obj.meta || {}), meta: JSON.stringify(obj.meta || {}),
useCDN: config.usecdn, useCDN: config.usecdn,
owner: note.owner ? note.owner.id : null, owner: note.owner ? note.owner.id : null,
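Review bot: `body: text` is only safe to pass to the template because `text` is the output of `S(body).escapeHTML()` a few lines above, and the slide view prints it with unescaped `<%- body %>`; that invariant now spans two files and would silently become an injection point if a later change passed the raw note body here. A comment on the assignment would pin it down, e.g. `// already HTML-escaped above: the slide template emits it raw and the client decodes it with .text() before slidify`. The separator regexes that were deleted from this file with slideOptions now live only on the client, so any future change to the slide syntax happens there. showPublishSlide's body begins and ends outside the hunk.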


@ -12,8 +12,7 @@ var finishView = extraModule.finishView;
var preventXSS = require('./render').preventXSS; var preventXSS = require('./render').preventXSS;
var body = $(".slides").html(); var body = $(".slides").text();
$(".slides").html(S(body).unescapeHTML().s);
createtime = lastchangeui.time.attr('data-createtime'); createtime = lastchangeui.time.attr('data-createtime');
lastchangetime = lastchangeui.time.attr('data-updatetime'); lastchangetime = lastchangeui.time.attr('data-updatetime');
@ -47,8 +46,15 @@ var deps = [{
} }
}, { }, {
src: serverurl + '/js/reveal-markdown.js', src: serverurl + '/js/reveal-markdown.js',
condition: function() { callback: function () {
return !!document.querySelector('[data-markdown]'); var slideOptions = {
separator: '^(\r\n?|\n)---(\r\n?|\n)$',
verticalSeparator: '^(\r\n?|\n)----(\r\n?|\n)$'
};
var slides = RevealMarkdown.slidify(body, slideOptions);
$(".slides").html(slides);
RevealMarkdown.initialize();
$(".slides").show();
} }
}, { }, {
src: serverurl + '/vendor/reveal.js/plugin/notes/notes.js', src: serverurl + '/vendor/reveal.js/plugin/notes/notes.js',
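Review bot: The HTML produced by `RevealMarkdown.slidify(body, slideOptions)` is written into the DOM with `$(".slides").html(slides)` and nothing in this hunk filters it; `preventXSS` is required at the top of the file but no call to it appears here, so the fix holds only if reveal-markdown.js sanitizes internally, which cannot be confirmed from this page. If `preventXSS` accepts an HTML string, `$(".slides").html(preventXSS(slides));` would make the client side self-contained; otherwise a comment such as `// slidify output is expected to be XSS-filtered inside reveal-markdown.js` should record where the filtering happens. Reading the source with `$(".slides").text()` decodes the entities the server added, so `body` is the raw markdown again, which is the intent. The `deps` array literal starts before and ends after this hunk.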


@ -55,7 +55,7 @@
<body> <body>
<div class="container"> <div class="container">
<div class="reveal"> <div class="reveal">
<div class="slides"><%- slides %></div> <div class="slides" style="display: none;"><%- body %></div>
</div> </div>
<div id="meta" style="display: none;"><%- meta %></div> <div id="meta" style="display: none;"><%- meta %></div>
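Review bot: `<%- body %>` is raw EJS output, so this line is only safe because the controller hands over an already HTML-escaped string and the client reads it back with `.text()`; switching to `<%= body %>` here would double-escape it and break the slides, while passing unescaped text from the server would reintroduce the XSS. An EJS comment next to the div, e.g. `<%# body is HTML-escaped by showPublishSlide; slide.js decodes it with .text() before rendering %>`, would make that contract visible to the next editor of the template. The `display: none` is presumably lifted by the client's `$(".slides").show()` once slidify has run.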