authorWu Cheng-Han2017-09-27 18:20:04 +0800
committerWu Cheng-Han2017-09-27 18:20:04 +0800
commit9b00afb863e475e9a72d06d61591535bd38d2d3e (patch)
tree318fb410ebb54bc17740eb6992ba37cdb03bb929 /public/js
parentd1d6d5810b12645ddb02275ce0c2498b2189a8a0 (diff)
Fix unclosed tags that might cause XSS [Security Issue]
Diffstat (limited to 'public/js')
-rw-r--r--public/js/render.js2
1 files changed, 1 insertions, 1 deletions
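--- a/public/js/render.js
+++ b/public/js/render.js
@@ -27,7 +27,7 @@ var filterXSSOptions = {
 whiteList: whiteList,
 escapeHtml: function (html) {
 // allow html comment in multiple lines
-return html.replace(/<(.*?)>/g, '&lt;$1&gt;')
+return html.replace(/<(?!!--)/g, '&lt;').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '&gt;').replace(/__HTML_COMMENT_END__/g, '-->')
 },
 onIgnoreTag: function (tag, html, options) {
 // allow comment tag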
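Review bot: The round-trip through the `__HTML_COMMENT_END__` sentinel on the new return line is lossy: any input that already contains that literal string is emitted as `-->`, so user text is silently rewritten and the placeholder becomes part of the effective syntax. A single pass with a replacer avoids the sentinel while keeping the same precedence (`-->` preserved, every `<` except `<!--` and every `>` escaped): `return html.replace(/-->|<(?!!--)|>/g, function (m) { return m === '-->' ? m : (m === '<' ? '&lt;' : '&gt;') })`. Note that a `<!--` with no matching `-->` is still passed through unescaped by `<(?!!--)`; whether that is acceptable depends on onIgnoreTag, whose body continues past the hunk. A short comment on why the pairs are preserved would help the next reader, e.g. `// keep <!-- and --> intact so filterXSS can pass comments through; escape every other < and >`.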