From 6700f033ab2c2e6f5ab1293025d3485ecc37c321 Mon Sep 17 00:00:00 2001
From: Cheng-Han, Wu
Date: Thu, 11 Feb 2016 02:36:52 -0600
Subject: Prevent XSS in markdown rendering

---
 lib/response.js | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'lib')

diff --git a/lib/response.js b/lib/response.js
index 07cb5ba9..c12c4caa 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -11,6 +11,7 @@ var shortId = require('shortid');
 var metaMarked = require('meta-marked');
 var querystring = require('querystring');
 var request = require('request');
+var xss = require('xss');
 
 //core
 var config = require("../config.js");
@@ -227,6 +228,7 @@ function showPublishNote(req, res, next) {
                         //na
                     }
                     var updatetime = notedata.update_time;
+                    body = xss(body); // prevent xss
                     var text = S(body).escapeHTML().s;
                     var title = notedata.title;
                     var decodedTitle = LZString.decompressFromBase64(title);
@@ -610,6 +612,7 @@ function showPublishSlide(req, res, next) {
                     var decodedTitle = LZString.decompressFromBase64(title);
                     if (decodedTitle) title = decodedTitle;
                     title = Note.generateWebTitle(title);
+                    body = xss(body); // prevent xss
                     var text = S(body).escapeHTML().s;
                     render(res, title, text);
                 });
-- 
cgit v1.2.3