fix: strip html tags for gist file, gist line, gist highlight line, gist show loading attrtributes

Signed-off-by: Max Wu <jackymaxj@gmail.com>
2021-06-09 15:05:04 +08:00 · 2021-06-09 15:05:04 +08:00 · 2eefe7706f
parent 6966881152
commit 2eefe7706f
1 changed files with 8 additions and 0 deletions
--- a/public/js/extra.js
+++ b/public/js/extra.js
@ -334,6 +334,14 @@ export function finishView (view) {
      // strip HTML tags to avoid stored XSS
      const gistid = value.getAttribute('data-gist-id')
      value.setAttribute('data-gist-id', stripTags(gistid))
+      const gistfile = value.getAttribute('data-gist-file')
+      if (gistfile) value.setAttribute('data-gist-file', stripTags(gistfile))
+      const gistline = value.getAttribute('data-gist-line')
+      if (gistline) value.setAttribute('data-gist-line', stripTags(gistline))
+      const gisthighlightline = value.getAttribute('data-gist-highlight-line')
+      if (gisthighlightline) value.setAttribute('data-gist-highlight-line', stripTags(gisthighlightline))
+      const gistshowloading = value.getAttribute('data-gist-show-loading')
+      if (gistshowloading) value.setAttribute('data-gist-show-loading', stripTags(gistshowloading))
      $(value).gist(window.viewAjaxCallback)
    }
  })