authorWu Cheng-Han2016-11-26 22:56:03 +0800
committerWu Cheng-Han2016-11-26 22:56:03 +0800
commit8c10c393cec641753b33de101bdc3b2f1604f3ad (patch)
treed195a6f14ae4ed8a5965e111ad87382284b9914d /public
parent9d4ede4cffae47b9fd81ffbd0f2edff47c29e224 (diff)
Fix possible meta XSS in history list [Security Issue]
Diffstat (limited to 'public')
-rw-r--r--public/js/history.js5
1 files changed, 5 insertions, 0 deletions
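--- a/public/js/history.js
+++ b/public/js/history.js
@@ -1,4 +1,5 @@
 var store = require('store');
+var S = require('string');
 var common = require('./common');
 var checkIfAuth = common.checkIfAuth;
@@ -337,6 +338,10 @@ function parseToHistory(list, notehistory, callback) {
 notehistory[i].timestamp = timestamp.valueOf();
 notehistory[i].fromNow = timestamp.fromNow();
 notehistory[i].time = timestamp.format('llll');
+ // prevent XSS
+ notehistory[i].text = S(notehistory[i].text).escapeHTML().s;
+ notehistory[i].tags = (notehistory[i].tags && notehistory[i].tags.length > 0) ? S(notehistory[i].tags).escapeHTML().s.split(',') : [];
+ // add to list
 if (notehistory[i].id && list.get('id', notehistory[i].id).length == 0)
 list.add(notehistory[i]);
 }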
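Review bot: The tags line in the second hunk escapes the tags as one joined string and then splits on `,`, so if `notehistory[i].tags` arrives as an array, any tag that itself contains a comma is silently split into several tags after the round-trip; escaping per element avoids that, e.g. `notehistory[i].tags.map(function (t) { return S(t).escapeHTML().s; })` for the array case, with the existing `.split(',')` path kept only if a comma-separated string can also reach here. The guard `notehistory[i].tags.length > 0` accepts both an array and a string, which suggests the input shape is not pinned down; a short comment stating which one the server sends would make the escaping easy to audit. Note also that the escaped `text` and `tags` are written back into `notehistory[i]` before `list.add`, so any later consumer that treats these fields as plain text rather than HTML (or persists them) will see entities; if such a consumer exists, escaping at the render site would be the more robust fix. The enclosing `parseToHistory` body starts and ends outside the hunk.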