authorWu Cheng-Han2016-11-26 22:55:31 +0800
committerWu Cheng-Han2016-11-26 22:55:31 +0800
commit9d4ede4cffae47b9fd81ffbd0f2edff47c29e224 (patch)
tree93f56b484e527a0e8b0a95c768925876e70d8f1f /lib/response.js
parentb43e63dd21584c75ab7e0be6fe6331857f09c026 (diff)
Fix possible XSS in yaml-metadata and switch to ejs escape syntax instead of an external lib [Security Issue]
Diffstat (limited to 'lib/response.js')
-rwxr-xr-xlib/response.js7
1 files changed, 2 insertions, 5 deletions
diff --git a/lib/response.js b/lib/response.js
index 1a45d63a..b2d13988 100755
--- a/lib/response.js
+++ b/lib/response.js
@@ -186,7 +186,6 @@ function showPublishNote(req, res, next) {
if (!meta) meta = {};
var createtime = note.createdAt;
var updatetime = note.lastchangeAt;
- var text = S(body).escapeHTML().s;
var title = models.Note.decodeTitle(note.title);
title = models.Note.generateWebTitle(meta.title || title);
var origin = config.serverurl;
@@ -197,7 +196,7 @@ function showPublishNote(req, res, next) {
createtime: createtime,
updatetime: updatetime,
url: origin,
- body: text,
+ body: body,
useCDN: config.usecdn,
owner: note.owner ? note.owner.id : null,
ownerprofile: note.owner ? models.User.parseProfile(note.owner.profile) : null,
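Review bot: `body: body` on the new side hands the raw note markdown to the template, so the HTML-escaping that `S(body).escapeHTML()` performed here is now entirely the view's responsibility, and whether the pretty template actually uses `<%= body %>` rather than `<%- body %>` cannot be verified from this file. A comment at the call site would stop the next maintainer from "fixing" a doubly-escaped rendering by flipping the tag: `body: body, // raw markdown — the view must emit it with ejs <%= %> (escaped), never <%- %>`. If `S(...)` was the only use of string.js in this file, its `require` at the top of the file (outside this view) is now dead and can be dropped. showPublishNote continues outside the hunk.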
@@ -258,7 +257,6 @@ function actionInfo(req, res, note) {
if (!meta) meta = {};
var createtime = note.createdAt;
var updatetime = note.lastchangeAt;
- var text = S(body).escapeHTML().s;
var title = models.Note.decodeTitle(note.title);
var data = {
title: meta.title || title,
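Review bot: Removing `var text = S(body).escapeHTML().s;` leaves `body` computed but, within the visible lines, unused in actionInfo, and the `data` object opened here continues outside the hunk; if any later property still names `text`, the info action would now fail with a ReferenceError at request time rather than being caught statically. Worth confirming the remainder of `data` and whatever sends it no longer reference `text`, and if `body` is likewise unused after this change, the line that derives it (above the hunk) can go as well. A short comment such as `// body is returned unescaped; consumers treat the info response as data, not HTML` would document the intent, assuming this action emits JSON rather than rendering a template — which is not visible here.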
@@ -572,7 +570,6 @@ function showPublishSlide(req, res, next) {
if (!meta) meta = {};
var createtime = note.createdAt;
var updatetime = note.lastchangeAt;
- var text = S(body).escapeHTML().s;
var title = models.Note.decodeTitle(note.title);
title = models.Note.generateWebTitle(meta.title || title);
var origin = config.serverurl;
@@ -583,7 +580,7 @@ function showPublishSlide(req, res, next) {
createtime: createtime,
updatetime: updatetime,
url: origin,
- body: text,
+ body: body,
meta: JSON.stringify(obj.meta || {}),
useCDN: config.usecdn,
owner: note.owner ? note.owner.id : null,
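Review bot: As in showPublishNote, `body: body` moves escaping of the slide markdown into the template, so the slide view must still render it through ejs `<%= %>`; a comment such as `body: body, // raw markdown; the view escapes via <%= %>` would pin that contract down at the only place it is decided server-side. The adjacent `meta: JSON.stringify(obj.meta || {})` — left untouched even though the commit message cites yaml-metadata — deserves the same scrutiny: `JSON.stringify` does not neutralise `</script>` or `<!--`, so if the view drops `meta` into a `<script>` block with `<%-`, a metadata value containing `</script>` breaks out of it. If that is how the template consumes it, either emit the value with `<%= %>` into an attribute and parse it client-side, or pre-process with `.replace(/</g, '\\u003c')` before passing it to the view. showPublishSlide continues outside the hunk.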