mirror of https://github.com/status-im/codimd.git
Prevent XSS in markdown rendering
This commit is contained in:
parent
fdb9c47354
commit
6700f033ab
|
@ -33,6 +33,7 @@
|
||||||
"js-yaml": "~3.5.2",
|
"js-yaml": "~3.5.2",
|
||||||
"to-markdown": "~1.3.0",
|
"to-markdown": "~1.3.0",
|
||||||
"lz-string": "~1.4.4",
|
"lz-string": "~1.4.4",
|
||||||
"flowchart": "~1.6.1"
|
"flowchart": "~1.6.1",
|
||||||
|
"xss": "~0.2.10"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -11,6 +11,7 @@ var shortId = require('shortid');
|
||||||
var metaMarked = require('meta-marked');
|
var metaMarked = require('meta-marked');
|
||||||
var querystring = require('querystring');
|
var querystring = require('querystring');
|
||||||
var request = require('request');
|
var request = require('request');
|
||||||
|
var xss = require('xss');
|
||||||
|
|
||||||
//core
|
//core
|
||||||
var config = require("../config.js");
|
var config = require("../config.js");
|
||||||
|
@ -227,6 +228,7 @@ function showPublishNote(req, res, next) {
|
||||||
//na
|
//na
|
||||||
}
|
}
|
||||||
var updatetime = notedata.update_time;
|
var updatetime = notedata.update_time;
|
||||||
|
body = xss(body); // prevent xss
|
||||||
var text = S(body).escapeHTML().s;
|
var text = S(body).escapeHTML().s;
|
||||||
var title = notedata.title;
|
var title = notedata.title;
|
||||||
var decodedTitle = LZString.decompressFromBase64(title);
|
var decodedTitle = LZString.decompressFromBase64(title);
|
||||||
|
@ -610,6 +612,7 @@ function showPublishSlide(req, res, next) {
|
||||||
var decodedTitle = LZString.decompressFromBase64(title);
|
var decodedTitle = LZString.decompressFromBase64(title);
|
||||||
if (decodedTitle) title = decodedTitle;
|
if (decodedTitle) title = decodedTitle;
|
||||||
title = Note.generateWebTitle(title);
|
title = Note.generateWebTitle(title);
|
||||||
|
body = xss(body); // prevent xss
|
||||||
var text = S(body).escapeHTML().s;
|
var text = S(body).escapeHTML().s;
|
||||||
render(res, title, text);
|
render(res, title, text);
|
||||||
});
|
});
|
||||||
|
|
|
@ -14,7 +14,6 @@
|
||||||
"cheerio": "^0.19.0",
|
"cheerio": "^0.19.0",
|
||||||
"compression": "^1.6.0",
|
"compression": "^1.6.0",
|
||||||
"connect-mongo": "^1.1.0",
|
"connect-mongo": "^1.1.0",
|
||||||
"kerberos": "0.0.17",
|
|
||||||
"cookie": "0.2.3",
|
"cookie": "0.2.3",
|
||||||
"cookie-parser": "1.4.1",
|
"cookie-parser": "1.4.1",
|
||||||
"ejs": "^2.3.4",
|
"ejs": "^2.3.4",
|
||||||
|
@ -25,6 +24,7 @@
|
||||||
"highlight.js": "^9.1.0",
|
"highlight.js": "^9.1.0",
|
||||||
"imgur": "^0.1.7",
|
"imgur": "^0.1.7",
|
||||||
"jsdom-nogyp": "^0.8.3",
|
"jsdom-nogyp": "^0.8.3",
|
||||||
|
"kerberos": "0.0.17",
|
||||||
"lz-string": "1.4.4",
|
"lz-string": "1.4.4",
|
||||||
"markdown-pdf": "^6.0.0",
|
"markdown-pdf": "^6.0.0",
|
||||||
"marked": "^0.3.5",
|
"marked": "^0.3.5",
|
||||||
|
@ -33,6 +33,7 @@
|
||||||
"moment": "^2.11.1",
|
"moment": "^2.11.1",
|
||||||
"mongoose": "^4.3.6",
|
"mongoose": "^4.3.6",
|
||||||
"morgan": "^1.6.1",
|
"morgan": "^1.6.1",
|
||||||
|
"mustache": "2.2.1",
|
||||||
"node-uuid": "^1.4.7",
|
"node-uuid": "^1.4.7",
|
||||||
"passport": "^0.3.2",
|
"passport": "^0.3.2",
|
||||||
"passport-dropbox-oauth2": "^1.0.0",
|
"passport-dropbox-oauth2": "^1.0.0",
|
||||||
|
@ -43,13 +44,13 @@
|
||||||
"pg": "4.x",
|
"pg": "4.x",
|
||||||
"randomcolor": "^0.4.3",
|
"randomcolor": "^0.4.3",
|
||||||
"request": "^2.69.0",
|
"request": "^2.69.0",
|
||||||
|
"reveal.js": "3.2.0",
|
||||||
"shortid": "2.2.4",
|
"shortid": "2.2.4",
|
||||||
"socket.io": "1.4.4",
|
"socket.io": "1.4.4",
|
||||||
"string": "^3.3.1",
|
"string": "^3.3.1",
|
||||||
"toobusy-js": "^0.4.2",
|
"toobusy-js": "^0.4.2",
|
||||||
"winston": "^2.1.1",
|
"winston": "^2.1.1",
|
||||||
"mustache": "2.2.1",
|
"xss": "^0.2.10"
|
||||||
"reveal.js": "3.2.0"
|
|
||||||
},
|
},
|
||||||
"engines": {
|
"engines": {
|
||||||
"node": ">=4.x"
|
"node": ">=4.x"
|
||||||
|
|
|
@ -2131,6 +2131,7 @@ var lastResult = null;
|
||||||
function updateViewInner() {
|
function updateViewInner() {
|
||||||
if (currentMode == modeType.edit || !isDirty) return;
|
if (currentMode == modeType.edit || !isDirty) return;
|
||||||
var value = editor.getValue();
|
var value = editor.getValue();
|
||||||
|
value = filterXSS(value); // prevent xss
|
||||||
md.meta = {};
|
md.meta = {};
|
||||||
md.render(value); //only for get meta
|
md.render(value); //only for get meta
|
||||||
parseMeta(md, ui.area.markdown, $('#toc'), $('#toc-affix'));
|
parseMeta(md, ui.area.markdown, $('#toc'), $('#toc-affix'));
|
||||||
|
|
|
@ -29,6 +29,7 @@
|
||||||
<script src="/vendor/remarkable-regex.js" defer></script>
|
<script src="/vendor/remarkable-regex.js" defer></script>
|
||||||
<script src="/vendor/gist-embed.js" defer></script>
|
<script src="/vendor/gist-embed.js" defer></script>
|
||||||
<script src="/vendor/lz-string/libs/lz-string.min.js" defer></script>
|
<script src="/vendor/lz-string/libs/lz-string.min.js" defer></script>
|
||||||
|
<script src="/vendor/xss/dist/xss.min.js" defer></script>
|
||||||
<script src="/vendor/string.min.js" defer></script>
|
<script src="/vendor/string.min.js" defer></script>
|
||||||
<script src="/vendor/highlight-js/highlight.min.js" defer></script>
|
<script src="/vendor/highlight-js/highlight.min.js" defer></script>
|
||||||
<script src="/vendor/js.cookie.js" defer></script>
|
<script src="/vendor/js.cookie.js" defer></script>
|
||||||
|
|
Loading…
Reference in New Issue