Merge pull request #1650 from hackmdio/bugfix/fix-reveal-markdown-stored-xss

Yukaii · web-flow · commit 452f9ac12436 · 2021-01-25T16:50:23.000+08:00
Fix slide mode stored XSS
diff --git a/public/js/reveal-markdown.js b/public/js/reveal-markdown.js
@@ -103,7 +103,7 @@ import { md } from './extra'
 
     // prevent script end tags in the content from interfering
     // with parsing
-    content = content.replace(/<\/script>/g, SCRIPT_END_PLACEHOLDER)
+    content = content.replace(/<\/script>/gi, SCRIPT_END_PLACEHOLDER)
 
     return '<script type="text/template">' + content + '</script>'
   }
diff --git a/public/js/slide.js b/public/js/slide.js
@@ -80,6 +80,8 @@ const defaultOptions = {
 }
 
 var options = meta.slideOptions || {}
+// delete dependencies to avoid import user defined external resources
+delete options.dependencies
 
 if (Object.hasOwnProperty.call(options, 'spotlight')) {
   defaultOptions.dependencies.push({

Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ import { md } from './extra'`
`103`	`103`
`104`	`104`	`// prevent script end tags in the content from interfering`
`105`	`105`	`// with parsing`
`106`		`- content = content.replace(/<\/script>/g, SCRIPT_END_PLACEHOLDER)`
	`106`	`+ content = content.replace(/<\/script>/gi, SCRIPT_END_PLACEHOLDER)`
`107`	`107`
`108`	`108`	`return '<script type="text/template">' + content + '</script>'`
`109`	`109`	`}`
Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,8 @@ const defaultOptions = {`
`80`	`80`	`}`
`81`	`81`
`82`	`82`	`var options = meta.slideOptions \|\| {}`
	`83`	`+// delete dependencies to avoid import user defined external resources`
	`84`	`+delete options.dependencies`
`83`	`85`
`84`	`86`	`if (Object.hasOwnProperty.call(options, 'spotlight')) {`
`85`	`87`	`defaultOptions.dependencies.push({`