3 files changed, 7 insertions, 2 deletions

diff --git a/public/js/lib/editor/index.js b/public/js/lib/editor/index.js
index 2991998b..33c1e0d4 100644
--- a/public/js/lib/editor/index.js
+++ b/public/js/lib/editor/index.js
@@ -74,6 +74,8 @@ export default class Editor {
       },
       'Cmd-Left': 'goLineLeftSmart',
       'Cmd-Right': 'goLineRight',
+      'Home': 'goLineLeftSmart',
+      'End': 'goLineRight',
       'Ctrl-C': function (cm) {
         if (!isMac && cm.getOption('keyMap').substr(0, 3) === 'vim') {
           document.execCommand('copy')
diff --git a/public/js/render.js b/public/js/render.js
index 88a05bde..e2574b5f 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -27,7 +27,7 @@ var filterXSSOptions = {
   whiteList: whiteList,
   escapeHtml: function (html) {
     // allow html comment in multiple lines
-    return html.replace(/<(.*?)>/g, '&lt;$1&gt;')
+    return html.replace(/<(?!!--)/g, '&lt;').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '&gt;').replace(/__HTML_COMMENT_END__/g, '-->')
   },
   onIgnoreTag: function (tag, html, options) {
     // allow comment tag
diff --git a/public/js/slide.js b/public/js/slide.js
index 293ebfe2..b88ac022 100644
--- a/public/js/slide.js
+++ b/public/js/slide.js
@@ -4,9 +4,10 @@
 require('../css/extra.css')
 require('../css/site.css')
 
+import { preventXSS } from './render'
 import { md, updateLastChange, removeDOMEvents, finishView } from './extra'
 
-const body = $('.slides').text()
+const body = preventXSS($('.slides').text())
 
 window.createtime = window.lastchangeui.time.attr('data-createtime')
 window.lastchangetime = window.lastchangeui.time.attr('data-updatetime')
@@ -54,6 +55,8 @@ const slideOptions = {
 const slides = RevealMarkdown.slidify(body, slideOptions)
 $('.slides').html(slides)
 RevealMarkdown.initialize()
+// fix < and > were doubly escaped
+$('.slides')[0].innerHTML = $('.slides')[0].innerHTML.replace(/&amp;lt;/g, '&lt;').replace(/&amp;gt;/g, '&gt;')
 removeDOMEvents($('.slides'))
 $('.slides').show()