Merge pull request #1691 from hackmdio/bugfix/fix-gist-id-stored-XSS

a60814billy · web-flow · commit 82b78007dd20 · 2021-06-16T19:11:34.000+08:00
Strip HTML tags for gist id to avoid stored XSS on showing error [Security Issue]
diff --git a/public/js/extra.js b/public/js/extra.js
@@ -330,7 +330,20 @@ export function finishView (view) {
     })
     // gist
   view.find('code[data-gist-id]').each((key, value) => {
-    if ($(value).children().length === 0) { $(value).gist(window.viewAjaxCallback) }
+    if ($(value).children().length === 0) {
+      // strip HTML tags to avoid stored XSS
+      const gistid = value.getAttribute('data-gist-id')
+      value.setAttribute('data-gist-id', stripTags(gistid))
+      const gistfile = value.getAttribute('data-gist-file')
+      if (gistfile) value.setAttribute('data-gist-file', stripTags(gistfile))
+      const gistline = value.getAttribute('data-gist-line')
+      if (gistline) value.setAttribute('data-gist-line', stripTags(gistline))
+      const gisthighlightline = value.getAttribute('data-gist-highlight-line')
+      if (gisthighlightline) value.setAttribute('data-gist-highlight-line', stripTags(gisthighlightline))
+      const gistshowloading = value.getAttribute('data-gist-show-loading')
+      if (gistshowloading) value.setAttribute('data-gist-show-loading', stripTags(gistshowloading))
+      $(value).gist(window.viewAjaxCallback)
+    }
   })
   // sequence diagram
   const sequences = view.find('div.sequence-diagram.raw').removeClass('raw')
