From 9d4ede4cffae47b9fd81ffbd0f2edff47c29e224 Mon Sep 17 00:00:00 2001
From: Wu Cheng-Han
Date: Sat, 26 Nov 2016 22:55:31 +0800
Subject: Fix possible XSS in yaml-metadata and turn using ejs escape syntax
than external lib [Security Issue]
---
public/views/disqus.ejs | 2 +-
public/views/ga.ejs | 2 +-
public/views/head.ejs | 2 +-
public/views/pretty.ejs | 8 ++++----
public/views/slide.ejs | 10 +++++-----
5 files changed, 12 insertions(+), 12 deletions(-)
(limited to 'public/views')
diff --git a/public/views/disqus.ejs b/public/views/disqus.ejs
index ed991a41..cceaa85c 100644
--- a/public/views/disqus.ejs
+++ b/public/views/disqus.ejs
@@ -5,7 +5,7 @@ var disqus_config = function () {
};
(function() {
var d = document, s = d.createElement('script');
- s.src = '//<%- disqus %>.disqus.com/embed.js';
+ s.src = '//<%= disqus %>.disqus.com/embed.js';
s.setAttribute('data-timestamp', +new Date());
(d.head || d.body).appendChild(s);
})();
diff --git a/public/views/ga.ejs b/public/views/ga.ejs
index 180832d1..66d4acd9 100644
--- a/public/views/ga.ejs
+++ b/public/views/ga.ejs
@@ -12,7 +12,7 @@
m.parentNode.insertBefore(a, m)
})(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga');
-ga('create', '<%- GA %>', 'auto');
+ga('create', '<%= GA %>', 'auto');
ga('send', 'pageview');
<% } %>
\ No newline at end of file
diff --git a/public/views/head.ejs b/public/views/head.ejs
index f1cdff15..fb51b14f 100644
--- a/public/views/head.ejs
+++ b/public/views/head.ejs
@@ -4,7 +4,7 @@
-<%- title %>
+<%= title %>
<% if(useCDN) { %>
diff --git a/public/views/pretty.ejs b/public/views/pretty.ejs
index 502aae40..f810a5a9 100644
--- a/public/views/pretty.ejs
+++ b/public/views/pretty.ejs
@@ -9,12 +9,12 @@
<% if(typeof robots !== 'undefined' && robots) { %>
-
+
<% } %>
<% if(typeof description !== 'undefined' && description) { %>
-
+
<% } %>
- <%- title %>
+ <%= title %>
<% if(useCDN) { %>
@@ -59,7 +59,7 @@
<% } %>
- <%- body %>
+ <%= body %>