From 79d5b2c37f99bcfc8e86e8045557f0a0557f93c4 Mon Sep 17 00:00:00 2001 From: Wu Cheng-Han Date: Sat, 26 Nov 2016 22:46:58 +0800 Subject: [PATCH] Fix slide might able to add unsafe attribute on section tag which cause XSS [Security Issue] --- public/js/render.js | 1 + public/js/reveal-markdown.js | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) mode change 100644 => 100755 public/js/reveal-markdown.js diff --git a/public/js/render.js b/public/js/render.js index 559530b0..a61fc8fb 100644 --- a/public/js/render.js +++ b/public/js/render.js @@ -1,5 +1,6 @@ // allow some attributes var whiteListAttr = ['id', 'class', 'style']; +window.whiteListAttr = whiteListAttr; // allow link starts with '.', '/' and custom protocol with '://' var linkRegex = /^([\w|-]+:\/\/)|^([\.|\/])+/; // allow data uri, from https://gist.github.com/bgrins/6194623 diff --git a/public/js/reveal-markdown.js b/public/js/reveal-markdown.js old mode 100644 new mode 100755 index ca22e09c..3c3e1f5b --- a/public/js/reveal-markdown.js +++ b/public/js/reveal-markdown.js @@ -286,7 +286,10 @@ nodeValue = nodeValue.substring( 0, matches.index ) + nodeValue.substring( mardownClassesInElementsRegex.lastIndex ); node.nodeValue = nodeValue; while( matchesClass = mardownClassRegex.exec( classes ) ) { - elementTarget.setAttribute( matchesClass[1], matchesClass[2] ); + var name = matchesClass[1]; + var value = matchesClass[2]; + if (name.substr(0, 5) === 'data-' || whiteListAttr.indexOf(name) !== -1) + elementTarget.setAttribute( name, filterXSS.escapeAttrValue(value) ); } return true; }