authorWu Cheng-Han2016-11-26 22:46:58 +0800
committerWu Cheng-Han2016-11-26 22:46:58 +0800
commit79d5b2c37f99bcfc8e86e8045557f0a0557f93c4 (patch)
tree470870a8224e01660f5254841393a2297a49160e /public
parentf86a9e0c4bbf852d2648430d5f7f3d837c40bd47 (diff)
Fix slide might be able to add unsafe attribute on section tag which causes XSS [Security Issue]
Diffstat (limited to 'public')
-rw-r--r--public/js/render.js1
-rwxr-xr-x[-rw-r--r--]public/js/reveal-markdown.js5
2 files changed, 5 insertions, 1 deletions
diff --git a/public/js/render.js b/public/js/render.js
index 559530b0..a61fc8fb 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -1,5 +1,6 @@
// allow some attributes
var whiteListAttr = ['id', 'class', 'style'];
+window.whiteListAttr = whiteListAttr;
// allow link starts with '.', '/' and custom protocol with '://'
var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/;
// allow data uri, from https://gist.github.com/bgrins/6194623
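Review bot: The new `window.whiteListAttr` line publishes the allowlist as a plain mutable array, so any script running on the page after this point can `push` further names into it and thereby widen what reveal-markdown.js will `setAttribute` on a slide. If render.js itself does not need to grow the array later, exposing a frozen copy keeps the consumer's view read-only: `window.whiteListAttr = Object.freeze(whiteListAttr.slice());`. Note also that reveal-markdown.js reads `whiteListAttr` as a bare global, so render.js must be loaded first or that path throws a ReferenceError; a short comment here, `// consumed by reveal-markdown.js; must load before it`, would document that ordering.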
diff --git a/public/js/reveal-markdown.js b/public/js/reveal-markdown.js
index ca22e09c..3c3e1f5b 100644..100755
--- a/public/js/reveal-markdown.js
+++ b/public/js/reveal-markdown.js
@@ -286,7 +286,10 @@
nodeValue = nodeValue.substring( 0, matches.index ) + nodeValue.substring( mardownClassesInElementsRegex.lastIndex );
node.nodeValue = nodeValue;
while( matchesClass = mardownClassRegex.exec( classes ) ) {
- elementTarget.setAttribute( matchesClass[1], matchesClass[2] );
+ var name = matchesClass[1];
+ var value = matchesClass[2];
+ if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1)
+ elementTarget.setAttribute( name, filterXSS.escapeAttrValue(value) );
}
return true;
}
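Review bot: On the added `setAttribute` line, `filterXSS.escapeAttrValue` is the wrong control for this sink: it HTML-escapes quotes for serialised markup, but `setAttribute` stores the string verbatim, so a `"` in a legitimate value becomes a literal `&quot;` in the live attribute while the value's semantics are not constrained at all. That matters because `style` is in the allowlist and every `data-*` name passes the prefix check; if the reveal.js build in use reads URL-bearing `data-*` attributes (backgrounds, for example), those values reach it unvalidated. Using the library's value sanitiser instead, `elementTarget.setAttribute( name, filterXSS.safeAttrValue('section', name, value) );`, applies its style and URL checks per attribute name, and narrowing `data-*` to the specific names the slides actually need would shrink the surface further. Also, the multi-line `if` on the previous line should be braced. The enclosing function starts before this hunk.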