author | Wu Cheng-Han | 2016-11-26 22:56:03 +0800 |
committer | Wu Cheng-Han | 2016-11-26 22:56:03 +0800 |
commit | 8c10c393cec641753b33de101bdc3b2f1604f3ad (patch) | |
tree | d195a6f14ae4ed8a5965e111ad87382284b9914d | |
parent | 9d4ede4cffae47b9fd81ffbd0f2edff47c29e224 (diff) |
Fix possible meta XSS in history list [Security Issue]
-rw-r--r-- | public/js/history.js | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/public/js/history.js b/public/js/history.js
index 390e38eb..6972f24c 100644
--- a/public/js/history.js
+++ b/public/js/history.js
@@ -1,4 +1,5 @@
 var store = require('store');
+var S = require('string');
 var common = require('./common');
 var checkIfAuth = common.checkIfAuth;
@@ -337,6 +338,10 @@ function parseToHistory(list, notehistory, callback) {
 notehistory[i].timestamp = timestamp.valueOf();
 notehistory[i].fromNow = timestamp.fromNow();
 notehistory[i].time = timestamp.format('llll');
+ // prevent XSS
+ notehistory[i].text = S(notehistory[i].text).escapeHTML().s;
+ notehistory[i].tags = (notehistory[i].tags && notehistory[i].tags.length > 0) ? S(notehistory[i].tags).escapeHTML().s.split(',') : [];
+ // add to list
 if (notehistory[i].id && list.get('id', notehistory[i].id).length == 0)
 list.add(notehistory[i]);
 }
|
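Review bot: The escaping on the two new `notehistory[i].text` / `notehistory[i].tags` lines mutates the data model at parse time instead of encoding at the rendering sink, so any later consumer of these fields (a text-node insert, a title attribute, a search or filter comparison) sees `&lt;`-style entities and may double-encode or mismatch; encoding where the list template inserts the value as HTML would be the more robust placement, or at minimum a comment such as `// text and tags are stored HTML-encoded from here on` so readers know the fields are no longer raw. The tags line also round-trips through a comma-joined string — if the server sends an array, `S(notehistory[i].tags)` stringifies it via Array.prototype.toString before the `.split(',')` — so a tag containing a comma would presumably be split in two; worth noting inline. Fields not escaped here, such as `id`, still rely entirely on the template, and if the template places a value into an href or attribute context, `escapeHTML()` would not be the right encoder for that context anyway. The enclosing parseToHistory function and its loop begin outside the hunk.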