Fix possible meta XSS in history list [Security Issue]

author: Wu Cheng-Han 2016-11-26 22:56:03 +0800
committer: Wu Cheng-Han 2016-11-26 22:56:03 +0800
commit: 8c10c393cec641753b33de101bdc3b2f1604f3ad (patch)
tree: d195a6f14ae4ed8a5965e111ad87382284b9914d /public/js/history.js
parent: 9d4ede4cffae47b9fd81ffbd0f2edff47c29e224 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/public/js/history.js b/public/js/history.js
index 390e38eb..6972f24c 100644
--- a/public/js/history.js
+++ b/public/js/history.js
@@ -1,4 +1,5 @@
 var store = require('store');
+var S = require('string');
 
 var common = require('./common');
 var checkIfAuth = common.checkIfAuth;
@@ -337,6 +338,10 @@ function parseToHistory(list, notehistory, callback) {
             notehistory[i].timestamp = timestamp.valueOf();
             notehistory[i].fromNow = timestamp.fromNow();
             notehistory[i].time = timestamp.format('llll');
+            // prevent XSS
+            notehistory[i].text = S(notehistory[i].text).escapeHTML().s;
+            notehistory[i].tags = (notehistory[i].tags && notehistory[i].tags.length > 0) ? S(notehistory[i].tags).escapeHTML().s.split(',') : [];
+            // add to list
             if (notehistory[i].id && list.get('id', notehistory[i].id).length == 0)
                 list.add(notehistory[i]);
         }
author	Wu Cheng-Han	2016-11-26 22:56:03 +0800
committer	Wu Cheng-Han	2016-11-26 22:56:03 +0800
commit	8c10c393cec641753b33de101bdc3b2f1604f3ad (patch)
tree	d195a6f14ae4ed8a5965e111ad87382284b9914d /public/js/history.js
parent	9d4ede4cffae47b9fd81ffbd0f2edff47c29e224 (diff)