fix: avoid eval string when putting back parsed string of mermaid

where has stored XSS issue Signed-off-by: Max Wu <jackymaxj@gmail.com>
2020-12-21 14:19:47 +08:00 · 2020-12-21 14:19:47 +08:00 · 8d9a9ab0b2
parent 381b3ff78e
commit 8d9a9ab0b2
1 changed files with 3 additions and 2 deletions
--- a/public/js/extra.js
+++ b/public/js/extra.js
@ -397,9 +397,10 @@ export function finishView (view) {
      var $value = $(value)
      const $ele = $(value).closest('pre')

-      window.mermaid.parse($value.text())
+      let text = $value.text()
+      window.mermaid.parse(text)
      $ele.addClass('mermaid')
-      $ele.html($value.text())
+      $ele.text(text)
      window.mermaid.init(undefined, $ele)
    } catch (err) {
      $value.unwrap()