From 2eefe7706f020d605fb35c463af2ff73ac833899 Mon Sep 17 00:00:00 2001
From: Max Wu
Date: Wed, 9 Jun 2021 15:05:04 +0800
Subject: [PATCH] fix: strip html tags for gist file, gist line, gist highlight line, gist show loading attrtributes

Signed-off-by: Max Wu
---
 public/js/extra.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/public/js/extra.js b/public/js/extra.js
index e09d3023..2fcb1b6a 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -334,6 +334,14 @@ export function finishView (view) {
 // strip HTML tags to avoid stored XSS
 const gistid = value.getAttribute('data-gist-id')
 value.setAttribute('data-gist-id', stripTags(gistid))
+ const gistfile = value.getAttribute('data-gist-file')
+ if (gistfile) value.setAttribute('data-gist-file', stripTags(gistfile))
+ const gistline = value.getAttribute('data-gist-line')
+ if (gistline) value.setAttribute('data-gist-line', stripTags(gistline))
+ const gisthighlightline = value.getAttribute('data-gist-highlight-line')
+ if (gisthighlightline) value.setAttribute('data-gist-highlight-line', stripTags(gisthighlightline))
+ const gistshowloading = value.getAttribute('data-gist-show-loading')
+ if (gistshowloading) value.setAttribute('data-gist-show-loading', stripTags(gistshowloading))
 $(value).gist(window.viewAjaxCallback)
 }
 })
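Review bot: The four added guards make stripTags the only sanitization for data-gist-file, data-gist-line, data-gist-highlight-line and data-gist-show-loading, and for the last three that is weaker than validating the value against the shape the gist plugin expects (a line number or range, a boolean), because stripTags removes tag syntax and passes everything else through to `$(value).gist(...)`; if the plugin interpolates these values into a request URL or the DOM — not visible from this hunk — a format check such as `/^\d+(-\d+)?$/` for the two line attributes would close the gap instead of narrowing it. The new lines also diverge from the existing data-gist-id handling two lines above, which calls stripTags unconditionally, so a missing attribute takes a different path depending on which attribute it is; a one-line comment stating whether that asymmetry is intended (or aligning the two) would help the next reader. The four near-identical pairs could be folded into a loop over the attribute names so the set of sanitized attributes lives in one place. finishView starts before this hunk and continues after it.
```javascript
// … unchanged: data-gist-id handling …
for (const attr of ['data-gist-file', 'data-gist-line', 'data-gist-highlight-line', 'data-gist-show-loading']) {
  const raw = value.getAttribute(attr)
  if (raw) value.setAttribute(attr, stripTags(raw))
}
// … unchanged: $(value).gist(window.viewAjaxCallback) …
```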