status-im/codimd
2
0
Fork 0
mirror of https://github.com/status-im/codimd.git synced 2025-03-01 06:20:42 +00:00
Code Issues Projects Releases Wiki Activity

fix: avoid eval string when putting back parsed string of mermaid

Browse Source 
where has stored XSS issue

Signed-off-by: Max Wu <jackymaxj@gmail.com>
This commit is contained in:
Max Wu 2020-12-21 14:19:47 +08:00
parent 381b3ff78e
commit 8d9a9ab0b2
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
public/js/extra.js
View File

@ -397,9 +397,10 @@ export function finishView (view) {
var $value = $(value) var $value = $(value)
const $ele = $(value).closest('pre') const $ele = $(value).closest('pre')
window.mermaid.parse($value.text()) let text = $value.text()
window.mermaid.parse(text)
$ele.addClass('mermaid') $ele.addClass('mermaid')
$ele.html($value.text()) $ele.text(text)
window.mermaid.init(undefined, $ele) window.mermaid.init(undefined, $ele)
} catch (err) { } catch (err) {
$value.unwrap() $value.unwrap()