From 9d4ede4cffae47b9fd81ffbd0f2edff47c29e224 Mon Sep 17 00:00:00 2001
From: Wu Cheng-Han
Date: Sat, 26 Nov 2016 22:55:31 +0800
Subject: Fix possible XSS in yaml-metadata and turn using ejs escape syntax than external lib [Security Issue]
---
lib/response.js | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
(limited to 'lib')
diff --git a/lib/response.js b/lib/response.js
index 1a45d63a..b2d13988 100755
--- a/lib/response.js
+++ b/lib/response.js
@@ -186,7 +186,6 @@ function showPublishNote(req, res, next) {
 if (!meta) meta = {};
 var createtime = note.createdAt;
 var updatetime = note.lastchangeAt;
- var text = S(body).escapeHTML().s;
 var title = models.Note.decodeTitle(note.title);
 title = models.Note.generateWebTitle(meta.title || title);
 var origin = config.serverurl;
@@ -197,7 +196,7 @@ function showPublishNote(req, res, next) {
 createtime: createtime,
 updatetime: updatetime,
 url: origin,
- body: text,
+ body: body,
 useCDN: config.usecdn,
 owner: note.owner ? note.owner.id : null,
 ownerprofile: note.owner ? models.User.parseProfile(note.owner.profile) : null,
@@ -258,7 +257,6 @@ function actionInfo(req, res, note) {
 if (!meta) meta = {};
 var createtime = note.createdAt;
 var updatetime = note.lastchangeAt;
- var text = S(body).escapeHTML().s;
 var title = models.Note.decodeTitle(note.title);
 var data = {
 title: meta.title || title,
@@ -572,7 +570,6 @@ function showPublishSlide(req, res, next) {
 if (!meta) meta = {};
 var createtime = note.createdAt;
 var updatetime = note.lastchangeAt;
- var text = S(body).escapeHTML().s;
 var title = models.Note.decodeTitle(note.title);
 title = models.Note.generateWebTitle(meta.title || title);
 var origin = config.serverurl;
@@ -583,7 +580,7 @@ function showPublishSlide(req, res, next) {
 createtime: createtime,
 updatetime: updatetime,
 url: origin,
- body: text,
+ body: body,
 meta: JSON.stringify(obj.meta || {}),
 useCDN: config.usecdn,
 owner: note.owner ? note.owner.id : null,
-- cgit v1.2.3
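Review bot: The new `body: body,` line in the showPublishNote hunk hands the raw note markdown to the view, so the XSS fix now rests entirely on that EJS template emitting it with `<%= body %>` (HTML-escaped) rather than `<%- body %>` — and the template side of the change is not in this diff (it is limited to `lib/`), so this hunk alone cannot be confirmed safe. Worth pinning the contract where the value is produced, e.g. `body: body, // raw markdown: the view must render this with <%= %> (escaped), never <%- %>`. A grep for `<%- body` across the views is the check to run before merging. The enclosing render-options object and `showPublishNote` itself extend beyond the hunk.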
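Review bot: In the showPublishSlide hunk, the `meta: JSON.stringify(obj.meta || {}),` line right after the new `body: body,` is still user-controlled YAML front-matter serialized with no HTML escaping, and `JSON.stringify` does not neutralize `</script>` or `<!--` sequences, so if the slide template injects it raw inside a `<script>` block the "XSS in yaml-metadata" named in the subject is only half-closed. I cannot tell from here how the template consumes `meta`; if it is interpolated with `<%- %>`, either switch to `<%= %>` and `JSON.parse` it from a data attribute, or escape `<` in the serialized string, e.g. `meta: JSON.stringify(obj.meta || {}).replace(/</g, '\\u003c'),`. `showPublishSlide` starts and ends outside the hunk.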