author | Cheng-Han, Wu | 2016-04-20 18:10:43 +0800 |
committer | Cheng-Han, Wu | 2016-04-20 18:10:43 +0800 |
commit | edc3a31dfdb03e910d7355144280e281eeb582d5 (patch) | |
tree | 1f393363ed973bb9594128590701a685218af48d /public | |
parent | 0fb70a1487f6c2ce612c372f12aaf157078a478f (diff) |
Fix XSS HTML replace might get wrong on the HTML comments in the code tags
Diffstat (limited to '')
-rw-r--r-- | public/js/render.js | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/public/js/render.js b/public/js/render.js
index 9c1fa273..5c2b017a 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -3,6 +3,10 @@ var whiteListAttr = ['id', 'class', 'style'];
 var filterXSSOptions = {
     allowCommentTag: true,
+    escapeHtml: function (html) {
+        // to allow html comment in multiple lines
+        return html.replace(/<(.*?)>/g, '<$1>');
+    },
     onIgnoreTag: function (tag, html, options) {
         // allow style in html
         if (whiteListTag.indexOf(tag) !== -1) {
|
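Review bot: The added escapeHtml override is effectively a no-op that switches the sanitizer's text escaping off: the replacement `'<$1>'` reproduces the matched `<...>` verbatim, and a `<` or `>` that does not form such a pair on a single line is not touched at all, so every text segment the library hands to this hook (which its default implementation escapes to `&lt;`/`&gt;`, if I read the option correctly) is now emitted raw. The commit's goal is to keep multi-line HTML comments inside code blocks intact; a narrower hook that keeps the default escaping and exempts only the comment delimiters, e.g. `return html.replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/&lt;!--/g, '<!--').replace(/--&gt;/g, '-->');`, would achieve that without dropping protection for every other angle bracket. The comment `// to allow html comment in multiple lines` should also state what the hook receives and why escaping is relaxed, since this option is security-relevant. The hunk's final context line appears cut off at the page edge, and the enclosing filterXSSOptions object continues outside the hunk.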