Prevent XSS in markdown rendering

author: Cheng-Han, Wu 2016-02-11 02:36:52 -0600
committer: Cheng-Han, Wu 2016-02-11 02:36:52 -0600
commit: 6700f033ab2c2e6f5ab1293025d3485ecc37c321 (patch)
tree: 102e3028a49d938e5c5d782568d9fbbf1937a782 /public
parent: fdb9c47354fd370f6e69c61f2fec4a552450a62a (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/public/js/index.js b/public/js/index.js
index b4e33ae3..ad77e0d3 100644
--- a/public/js/index.js
+++ b/public/js/index.js
@@ -2131,6 +2131,7 @@ var lastResult = null;
 function updateViewInner() {
     if (currentMode == modeType.edit || !isDirty) return;
     var value = editor.getValue();
+    value = filterXSS(value); // prevent xss
     md.meta = {};
     md.render(value); //only for get meta
     parseMeta(md, ui.area.markdown, $('#toc'), $('#toc-affix'));
diff --git a/public/views/foot.ejs b/public/views/foot.ejs
index b0006f7b..3a5ef145 100644
--- a/public/views/foot.ejs
+++ b/public/views/foot.ejs
@@ -29,6 +29,7 @@
 <script src="/vendor/remarkable-regex.js" defer></script>
 <script src="/vendor/gist-embed.js" defer></script>
 <script src="/vendor/lz-string/libs/lz-string.min.js" defer></script>
+<script src="/vendor/xss/dist/xss.min.js" defer></script>
 <script src="/vendor/string.min.js" defer></script>
 <script src="/vendor/highlight-js/highlight.min.js" defer></script>
 <script src="/vendor/js.cookie.js" defer></script>
author	Cheng-Han, Wu	2016-02-11 02:36:52 -0600
committer	Cheng-Han, Wu	2016-02-11 02:36:52 -0600
commit	6700f033ab2c2e6f5ab1293025d3485ecc37c321 (patch)
tree	102e3028a49d938e5c5d782568d9fbbf1937a782 /public
parent	fdb9c47354fd370f6e69c61f2fec4a552450a62a (diff)