author | Cheng-Han, Wu | 2016-02-11 02:36:52 -0600 |
committer | Cheng-Han, Wu | 2016-02-11 02:36:52 -0600 |
commit | 6700f033ab2c2e6f5ab1293025d3485ecc37c321 (patch) | |
tree | 102e3028a49d938e5c5d782568d9fbbf1937a782 /lib | |
parent | fdb9c47354fd370f6e69c61f2fec4a552450a62a (diff) |
Prevent XSS in markdown rendering
Diffstat (limited to '')
-rw-r--r-- | lib/response.js | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/response.js b/lib/response.js
index 07cb5ba9..c12c4caa 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -11,6 +11,7 @@ var shortId = require('shortid');
 var metaMarked = require('meta-marked');
 var querystring = require('querystring');
 var request = require('request');
+var xss = require('xss');
 
 //core
 var config = require("../config.js");
@@ -227,6 +228,7 @@ function showPublishNote(req, res, next) {
             //na
         }
         var updatetime = notedata.update_time;
+        body = xss(body); // prevent xss
         var text = S(body).escapeHTML().s;
         var title = notedata.title;
         var decodedTitle = LZString.decompressFromBase64(title);
@@ -610,6 +612,7 @@ function showPublishSlide(req, res, next) {
         var decodedTitle = LZString.decompressFromBase64(title);
         if (decodedTitle) title = decodedTitle;
         title = Note.generateWebTitle(title);
+        body = xss(body); // prevent xss
         var text = S(body).escapeHTML().s;
         render(res, title, text);
     });
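Review bot: Running `xss(body)` immediately before `S(body).escapeHTML()` sanitises the markdown source, not the HTML that is finally shown, so the whitelist filter adds no protection to the escaped `text` while it does rewrite the author's content (with default options `xss` escapes `<` outside whitelisted tags, so a literal `<` in a code span becomes `&lt;` and then `&amp;lt;` after escapeHTML); if `text` is later unescaped and rendered as markdown on the client, that double encoding will surface in the output, which is worth confirming against the template. The effective defence is to sanitise the rendered HTML at the point it is produced, and to document here why the filter sits before the escape if that ordering is intentional, e.g. `// sanitise the raw markdown with xss() before escaping; note escapeHTML() below neutralises any remaining tags anyway`. The same two lines are duplicated in showPublishNote and showPublishSlide; a small helper such as `function escapeBody(body) { return S(xss(body)).escapeHTML().s; }` would keep the two publish paths in step. Both enclosing functions start and end outside these hunks, so the callers of `render` and the source of `body` are not visible here.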