Diffstat (limited to 'public')
-rw-r--r-- | public/js/extra.js | 9 | ||||
-rw-r--r-- | public/js/lib/editor/index.js | 2 | ||||
-rw-r--r-- | public/js/render.js | 2 | ||||
-rwxr-xr-x | public/js/reveal-markdown.js | 2 | ||||
-rw-r--r-- | public/js/slide.js | 3 | ||||
-rw-r--r-- | public/views/index/body.ejs | 6 |
6 files changed, 18 insertions, 6 deletions
diff --git a/public/js/extra.js b/public/js/extra.js index bf388139..a1a9dbb6 100644 --- a/public/js/extra.js +++ b/public/js/extra.js @@ -559,6 +559,15 @@ export function finishView (view) { // only static transform should be here export function postProcess (code) { const result = $(`<div>${code}</div>`) + // process style tags + result.find('style').each((key, value) => { + let html = $(value).html() + // unescape > symbel inside the style tags + html = html.replace(/>/g, '>') + // remove css @import to prevent XSS + html = html.replace(/@import url\(([^)]*)\);?/gi, '') + $(value).html(html) + }) // link should open in new window or tab result.find('a:not([href^="#"]):not([target])').attr('target', '_blank') // update continue line numbers diff --git a/public/js/lib/editor/index.js b/public/js/lib/editor/index.js index 2991998b..33c1e0d4 100644 --- a/public/js/lib/editor/index.js +++ b/public/js/lib/editor/index.js @@ -74,6 +74,8 @@ export default class Editor { }, 'Cmd-Left': 'goLineLeftSmart', 'Cmd-Right': 'goLineRight', + 'Home': 'goLineLeftSmart', + 'End': 'goLineRight', 'Ctrl-C': function (cm) { if (!isMac && cm.getOption('keyMap').substr(0, 3) === 'vim') { document.execCommand('copy') diff --git a/public/js/render.js b/public/js/render.js index 88a05bde..e2574b5f 100644 --- a/public/js/render.js +++ b/public/js/render.js @@ -27,7 +27,7 @@ var filterXSSOptions = { whiteList: whiteList, escapeHtml: function (html) { // allow html comment in multiple lines - return html.replace(/<(.*?)>/g, '<$1>') + return html.replace(/<(?!!--)/g, '<').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '>').replace(/__HTML_COMMENT_END__/g, '-->') }, onIgnoreTag: function (tag, html, options) { // allow comment tag diff --git a/public/js/reveal-markdown.js b/public/js/reveal-markdown.js index 94f6fb91..d15b5ebd 100755 --- a/public/js/reveal-markdown.js +++ b/public/js/reveal-markdown.js 
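Review bot: The `@import` filter on the new `html.replace(/@import url\(([^)]*)\);?/gi, '')` line is a blocklist that only matches the `url(...)` form with exactly one space after `@import`; CSS also accepts `@import "file.css";` and a newline or several spaces before `url(`, so those forms survive the rewrite. Matching the at-rule itself closes those gaps and is simpler: `html = html.replace(/@import\b[^;{]*;?/gi, '')`. The preceding replacement reads as a no-op here (`/>/g` replaced by `'>'`), presumably because the page decoded an `&gt;` in the source, so it is worth confirming the committed pattern is the entity form. Both rewrites are post-hoc text edits of untrusted CSS, so a restrictive `style-src` CSP remains the control that actually stops external stylesheet fetches. postProcess continues outside the hunk.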
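Review bot: The `__HTML_COMMENT_END__` sentinel on the new escapeHtml line in render.js collides with user content: any document that contains that literal string has it rewritten to `-->` by the final replace, which both corrupts the text and lets plain content close an open comment early. A single pass with a callback needs no placeholder at all: `return html.replace(/<!--|-->|[<>]/g, (m) => (m === '<' ? '&lt;' : m === '>' ? '&gt;' : m))`. As rendered here the replacement strings appear as bare `<` and `>`, presumably the page decoded `&lt;`/`&gt;`; the committed values must be the entity forms or the function escapes nothing. Note the new rule also passes every `<!--` through unescaped whether or not a `-->` follows, so a stray opener comments out the rest of the text segment — that may be acceptable, but it differs from the old tag-pair pattern and deserves a comment.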
@@ -320,7 +320,7 @@ import { md } from './extra' var notes = section.querySelector('aside.notes') var markdown = getMarkdownFromSlide(section) - + markdown = markdown.replace(/</g, '<').replace(/>/g, '>') var rendered = md.render(markdown) rendered = preventXSS(rendered) var result = window.postProcess(rendered) diff --git a/public/js/slide.js b/public/js/slide.js index 293ebfe2..59a352ec 100644 --- a/public/js/slide.js +++ b/public/js/slide.js @@ -4,9 +4,10 @@ require('../css/extra.css') require('../css/site.css') +import { preventXSS } from './render' import { md, updateLastChange, removeDOMEvents, finishView } from './extra' -const body = $('.slides').text() +const body = preventXSS($('.slides').text()) window.createtime = window.lastchangeui.time.attr('data-createtime') window.lastchangetime = window.lastchangeui.time.attr('data-updatetime') diff --git a/public/views/index/body.ejs b/public/views/index/body.ejs index 84300539..911742ac 100644 --- a/public/views/index/body.ejs +++ b/public/views/index/body.ejs 
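Review bot: The new decode line reverses only `&lt;` and `&gt;` (shown here as bare `<`/`>`, presumably the page decoded the entities), so if the slide text is HTML-escaped, `&amp;`, `&quot;` and numeric references stay encoded and reach md.render as literal entity text, where a fenced code block will re-escape and display them verbatim. At minimum decode `&amp;` as well, and last, so one level of escaping is undone consistently: `markdown = markdown.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&')`. The cleaner fix is for getMarkdownFromSlide to read the section's textContent rather than its markup, but that function is outside the hunk, so whether its output is escaped at all cannot be confirmed from here.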
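Review bot: `preventXSS($('.slides').text())` in slide.js runs an HTML sanitizer over the markdown source rather than over rendered output, which likely changes what the author wrote: with the escapeHtml defined in render.js, a `<` inside a fenced code block would become `&lt;` before markdown-it sees it and be escaped again on render, so the slide shows `&lt;` literally (the page renders the entities decoded, so confirm against the committed render.js). The rendered HTML is already passed through `preventXSS(rendered)` in reveal-markdown.js on this same commit, which is where output sanitization belongs. If `body` is also consumed unrendered elsewhere, that use is outside the hunk and should be checked before dropping the wrapper; otherwise `const body = $('.slides').text()` with a comment pointing to the render-time sanitizer is the safer form.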
@@ -13,14 +13,14 @@ </li> <div class="ui-signin" style="float: right; margin-top: 8px;<% if(signin) { %> display: none;<% } %>"> <% if(allowAnonymous) { %> - <a type="button" href="<%- url %>/new" class="btn btn-sm btn-link"><i class="fa fa-plus"></i> <%= __('New guest note') %></a> + <a type="button" href="<%- url %>/new" class="btn btn-sm btn-primary"><i class="fa fa-plus"></i> <%= __('New guest note') %></a> <% } %> <% if(facebook || twitter || github || gitlab || dropbox || google || ldap || email) { %> <button class="btn btn-sm btn-success ui-signin" data-toggle="modal" data-target=".signin-modal"><%= __('Sign In') %></button> <% } %> </div> <div class="ui-signout" style="float: right; margin-top: 8px;<% if(!signin) { %> display: none;<% } %>"> - <a type="button" href="<%- url %>/new" class="btn btn-sm btn-link"><i class="fa fa-plus"></i> <%= __('New note') %></a> + <a type="button" href="<%- url %>/new" class="btn btn-sm btn-primary"><i class="fa fa-plus"></i> <%= __('New note') %></a> <span class="ui-profile dropdown pull-right"> <button id="profileLabel" class="btn btn-sm btn-link ui-profile-label" style="padding-right: 0;" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <img class="ui-avatar" width="20" height="20"><span class="hidden-xs hidden-sm"> <span class="ui-name"></span></span> <i class="fa fa-caret-down"></i> @@ -175,4 +175,4 @@ </div> </div> </div> -<%- include ../shared/signin-modal %>
\ No newline at end of file +<%- include ../shared/signin-modal %> |