Merge pull request #1112 from hackmdio/fix-XSS-issues

SISheogorath · web-flow · commit dba9575c9474 · 2018-12-29T21:52:03.000+01:00
Fix some XSS issues
diff --git a/public/js/render.js b/public/js/render.js
@@ -45,7 +45,7 @@ var filterXSSOptions = {
     // allow comment tag
     if (tag === '!--') {
             // do not filter its attributes
-      return html
+      return html.replace(/<(?!!--)/g, '&lt;').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '&gt;').replace(/__HTML_COMMENT_END__/g, '-->')
     }
   },
   onTagAttr: function (tag, name, value, isWhiteAttr) {
diff --git a/public/views/shared/disqus.ejs b/public/views/shared/disqus.ejs
@@ -5,7 +5,7 @@ var disqus_config = function () {
 };
 (function() {
     var d = document, s = d.createElement('script');
-    s.src = 'https://<%= disqus %>.disqus.com/embed.js';
+    s.src = 'https://<%= disqus.replace(/[^A-Za-z0-9]+/g, '') %>.disqus.com/embed.js';
     s.setAttribute('data-timestamp', +new Date());
     (d.head || d.body).appendChild(s);
 })();

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ var filterXSSOptions = {`
`45`	`45`	`// allow comment tag`
`46`	`46`	`if (tag === '!--') {`
`47`	`47`	`// do not filter its attributes`
`48`		`- return html`
	`48`	`+ return html.replace(/<(?!!--)/g, '<').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '>').replace(/__HTML_COMMENT_END__/g, '-->')`
`49`	`49`	`}`
`50`	`50`	`},`
`51`	`51`	`onTagAttr: function (tag, name, value, isWhiteAttr) {`