status-im
/
codimd
mirror of https://github.com/status-im/codimd.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

fix: remove reveal options of dependencies which allow import user defined resources [Security Issue] 

Signed-off-by: Max Wu <jackymaxj@gmail.com>
This commit is contained in:
Max Wu 2021-01-21 13:23:47 +08:00
parent 9291a7670a
commit c47f0f0c71
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
public/js/slide.js
View File

@ -80,6 +80,8 @@ const defaultOptions = {
} }
var options = meta.slideOptions || {} var options = meta.slideOptions || {}
// delete dependencies to avoid import user defined external resources
delete options.dependencies
if (Object.hasOwnProperty.call(options, 'spotlight')) { if (Object.hasOwnProperty.call(options, 'spotlight')) {
defaultOptions.dependencies.push({ defaultOptions.dependencies.push({