sa6anw/hedgedoc-hedgeagent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix slide might trigger script when processing markdown which cause XSS [Security Issue]

Browse Source
This commit is contained in:
Wu Cheng-Han
2016-11-26 22:46:08 +08:00
parent 9383df59c9
commit f86a9e0c4b
3 changed files with 12 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
lib/response.js
View File

@@ -16,15 +16,6 @@ var config = require("./config.js");
var logger = require("./logger.js");
var models = require("./models");
//slides
var md = require('reveal.js/plugin/markdown/markdown');
//reveal.js
var slideOptions = {
separator: '^(\r\n?|\n)---(\r\n?|\n)$',
verticalSeparator: '^(\r\n?|\n)----(\r\n?|\n)$'
};
//public
var response = {
errorForbidden: function (res) {
@@ -584,7 +575,6 @@ function showPublishSlide(req, res, next) {
var text = S(body).escapeHTML().s;
var title = models.Note.decodeTitle(note.title);
title = models.Note.generateWebTitle(meta.title || title);
var slides = md.slidify(text, slideOptions);
var origin = config.serverurl;
var data = {
title: title,
@@ -593,7 +583,7 @@ function showPublishSlide(req, res, next) {
createtime: createtime,
updatetime: updatetime,
url: origin,
slides: slides,
body: text,
meta: JSON.stringify(obj.meta || {}),
useCDN: config.usecdn,
owner: note.owner ? note.owner.id : null,