Fix to sanitize disqus shortnames to remove slashes [Security Issue]

Signed-off-by: Max Wu <jackymaxj@gmail.com>
author: Max Wu 2018-12-28 16:39:13 +0800
committer: GitHub 2018-12-28 16:39:13 +0800
commit: b89a35196a7a0aa5ad25f942b8d7bd4ca392eece (patch)
tree: 5b4c53bad58383f78e0abb9612bd38270205af70 /public/views
parent: f9cc2ff0ef56aa5f0a655f9209321460748ba621 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/public/views/shared/disqus.ejs b/public/views/shared/disqus.ejs
index 840d1e38..2311d3fe 100644
--- a/public/views/shared/disqus.ejs
+++ b/public/views/shared/disqus.ejs
@@ -5,7 +5,7 @@ var disqus_config = function () {
 };
 (function() {
     var d = document, s = d.createElement('script');
-    s.src = 'https://<%= disqus %>.disqus.com/embed.js';
+    s.src = 'https://<%= disqus.replace(/[^A-Za-z0-9]+/g, '') %>.disqus.com/embed.js';
     s.setAttribute('data-timestamp', +new Date());
     (d.head || d.body).appendChild(s);
 })();
author	Max Wu	2018-12-28 16:39:13 +0800
committer	GitHub	2018-12-28 16:39:13 +0800
commit	b89a35196a7a0aa5ad25f942b8d7bd4ca392eece (patch)
tree	5b4c53bad58383f78e0abb9612bd38270205af70 /public/views
parent	f9cc2ff0ef56aa5f0a655f9209321460748ba621 (diff)