From 79e6d3d7244aa4cf0a771f48ea46f43f764ce143 Mon Sep 17 00:00:00 2001
From: Max Wu
Date: Tue, 6 Aug 2019 21:43:12 +0800
Subject: [PATCH] fix(security): potential JSONP callback overwritten
Signed-off-by: Max Wu
---
 public/js/extra.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/public/js/extra.js b/public/js/extra.js
index 5e05fe13..60ef9d5a 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -1111,7 +1111,7 @@ const vimeoPlugin = new Plugin(
 /{%vimeo\s*([\d\D]*?)\s*%}/,
 (match, utils) => {
- const videoid = match[1]
+ const videoid = match[1].split(/[?&=]+/)[0]
 if (!videoid) return
 const div = $('
')
 div.attr('data-videoid', videoid)
@@ -1126,7 +1126,7 @@ const gistPlugin = new Plugin(
 /{%gist\s*([\d\D]*?)\s*%}/,
 (match, utils) => {
- const gistid = match[1]
+ const gistid = match[1].split(/[?&=]+/)[0]
 const code = ``
 return code
 }
@@ -1144,7 +1144,7 @@ const slidesharePlugin = new Plugin(
 /{%slideshare\s*([\d\D]*?)\s*%}/,
 (match, utils) => {
- const slideshareid = match[1]
+ const slideshareid = match[1].split(/[?&=]+/)[0]
 const div = $('
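Review bot: The new `match[1].split(/[?&=]+/)[0]` removes only three query characters, so the id can still carry `#`, `/`, percent-escapes or whitespace into whatever URL is later built from `data-videoid`; the gist and slideshare hunks use the same expression. A denylist of separators has to be extended every time another metacharacter matters, whereas an allowlist states what a valid id is. If Vimeo ids are always numeric in this editor, the emptiness test could become `if (!/^\d+$/.test(videoid)) return`. The code that consumes `data-videoid` is outside this hunk, so the request it feeds is inferred from the commit subject rather than seen here.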
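Review bot: `gistid` is used without the emptiness check that the vimeo callback has, and `split` returns `''` as element 0 whenever the captured text begins with `?`, `&` or `=`, so an empty id flows straight into `code`; the slideshare hunk has the same gap. Adding `if (!gistid) return` right after the assignment would make the three plugins consistent. The template literal assigned to `code` shows as empty on this page (its markup appears to have been lost in extraction); if it interpolates `gistid` into an attribute, creating the element and setting the value with `.attr()` as the other two plugins do would avoid depending on the split for escaping.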
')
 div.attr('data-slideshareid', slideshareid)
 return div[0].outerHTML
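Review bot: The expression `match[1].split(/[?&=]+/)[0]` is now copied into three callbacks (here and in the vimeo and gist hunks), so any later tightening of the rule has to be made in three places and nothing in the code says why it is there. A small shared helper such as `const firstToken = s => s.split(/[?&=]+/)[0]`, with a comment stating that it keeps embed ids from appending query parameters like a JSONP `callback`, would keep the rule in one spot. The closing lines of this callback are outside the hunk.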