From f86a9e0c4bbf852d2648430d5f7f3d837c40bd47 Mon Sep 17 00:00:00 2001
From: Wu Cheng-Han
Date: Sat, 26 Nov 2016 22:46:08 +0800
Subject: Fix slide might trigger script when processing markdown which cause XSS [Security Issue]
---
 public/js/slide.js | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'public/js')
diff --git a/public/js/slide.js b/public/js/slide.js
index b9521e64..a8411570 100644
--- a/public/js/slide.js
+++ b/public/js/slide.js
@@ -12,8 +12,7 @@ var finishView = extraModule.finishView;
 var preventXSS = require('./render').preventXSS;
-var body = $(".slides").html();
-$(".slides").html(S(body).unescapeHTML().s);
+var body = $(".slides").text();
 createtime = lastchangeui.time.attr('data-createtime');
 lastchangetime = lastchangeui.time.attr('data-updatetime');
@@ -47,8 +46,15 @@ var deps = [{
 }
 }, {
 src: serverurl + '/js/reveal-markdown.js',
- condition: function() {
- return !!document.querySelector('[data-markdown]');
+ callback: function () {
+ var slideOptions = {
+ separator: '^(\r\n?|\n)---(\r\n?|\n)$',
+ verticalSeparator: '^(\r\n?|\n)----(\r\n?|\n)$'
+ };
+ var slides = RevealMarkdown.slidify(body, slideOptions);
+ $(".slides").html(slides);
+ RevealMarkdown.initialize();
+ $(".slides").show();
 }
 }, {
 src: serverurl + '/vendor/reveal.js/plugin/notes/notes.js',
--
cgit v1.2.3
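Review bot: The new `var body = $(".slides").text();` carries the whole fix, yet nothing at that line says why the note has to be read as text rather than as markup. The removed lines show the old code unescaping the content and writing it back with `.html()`, and a later cleanup could reintroduce that pattern without noticing the consequence. I would add a comment above it such as `// Read the note source as text; never write the unescaped source back with .html() (XSS).` The value is consumed further down by the reveal-markdown `callback`, outside this hunk.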
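Review bot: `$(".slides").html(slides);` in the new `callback` is still an HTML sink fed by note content, and this hunk does not show where that content is made inert. `body` is now the raw, unescaped markdown, so the fix holds only if `RevealMarkdown.slidify` returns markup that wraps the slide text in a non-executing template element and copes with a closing tag inside the text. That code lives in `/js/reveal-markdown.js` and is not visible here, and neither is the later sanitising step (presumably the `preventXSS` imported at the top of the file). I would record the dependency at the sink, e.g. `// slidify() must return only inert template wrappers; rendered markdown is sanitized before it reaches the DOM`, and cover it with a regression test asserting that markup in a slide body never becomes live DOM. The `deps` array this entry belongs to starts before and ends after the hunk.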