Prevent XSS in markdown rendering

2016-02-11 02:36:52 -06:00
parent fdb9c47354
commit 6700f033ab
5 changed files with 11 additions and 4 deletions
--- a/public/js/index.js
+++ b/public/js/index.js
@@ -2131,6 +2131,7 @@ var lastResult = null;
 function updateViewInner() {
    if (currentMode == modeType.edit || !isDirty) return;
    var value = editor.getValue();
+    value = filterXSS(value); // prevent xss
    md.meta = {};
    md.render(value); //only for get meta
    parseMeta(md, ui.area.markdown, $('#toc'), $('#toc-affix'));
--- a/public/views/foot.ejs
+++ b/public/views/foot.ejs
@@ -29,6 +29,7 @@
 <script src="/vendor/remarkable-regex.js" defer></script>
 <script src="/vendor/gist-embed.js" defer></script>
 <script src="/vendor/lz-string/libs/lz-string.min.js" defer></script>
+<script src="/vendor/xss/dist/xss.min.js" defer></script>
 <script src="/vendor/string.min.js" defer></script>
 <script src="/vendor/highlight-js/highlight.min.js" defer></script>
 <script src="/vendor/js.cookie.js" defer></script>