summaryrefslogtreecommitdiff
path: root/public
diff options
context:
space:
mode:
authorChristoph (Sheogorath) Kern2018-12-29 21:52:03 +0100
committerGitHub2018-12-29 21:52:03 +0100
commitdba9575c94743a4efd65ff3db0d8748161ca13f0 (patch)
treeb5aa48f2321cc793c3d389864c89a006401ef472 /public
parentf9cc2ff0ef56aa5f0a655f9209321460748ba621 (diff)
parent067cfe2d1eedc5a58e5548785858e38fbaa0e84b (diff)
Merge pull request #1112 from hackmdio/fix-XSS-issues
Fix some XSS issues
Diffstat (limited to 'public')
-rw-r--r--public/js/render.js2
-rw-r--r--public/views/shared/disqus.ejs2
2 files changed, 2 insertions, 2 deletions
diff --git a/public/js/render.js b/public/js/render.js
index ff5e2bf2..87e5cfdf 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -45,7 +45,7 @@ var filterXSSOptions = {
// allow comment tag
if (tag === '!--') {
// do not filter its attributes
- return html
+ return html.replace(/<(?!!--)/g, '&lt;').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '&gt;').replace(/__HTML_COMMENT_END__/g, '-->')
}
},
onTagAttr: function (tag, name, value, isWhiteAttr) {
diff --git a/public/views/shared/disqus.ejs b/public/views/shared/disqus.ejs
index 840d1e38..2311d3fe 100644
--- a/public/views/shared/disqus.ejs
+++ b/public/views/shared/disqus.ejs
@@ -5,7 +5,7 @@ var disqus_config = function () {
};
(function() {
var d = document, s = d.createElement('script');
- s.src = 'https://<%= disqus %>.disqus.com/embed.js';
+ s.src = 'https://<%= disqus.replace(/[^A-Za-z0-9]+/g, '') %>.disqus.com/embed.js';
s.setAttribute('data-timestamp', +new Date());
(d.head || d.body).appendChild(s);
})();