fix: remove reveal options of dependencies which allow import user defined resources [Security Issue]

jackycute · jackycute · commit c47f0f0c7111 · 2021-01-21T13:24:48.000+08:00
Signed-off-by: Max Wu &lt;jackymaxj@gmail.com&gt;
diff --git a/public/js/slide.js b/public/js/slide.js
@@ -80,6 +80,8 @@ const defaultOptions = {
 }
 
 var options = meta.slideOptions || {}
+// delete dependencies to avoid import user defined external resources
+delete options.dependencies
 
 if (Object.hasOwnProperty.call(options, 'spotlight')) {
   defaultOptions.dependencies.push({

Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,8 @@ const defaultOptions = {`
`80`	`80`	`}`
`81`	`81`
`82`	`82`	`var options = meta.slideOptions \|\| {}`
	`83`	`+// delete dependencies to avoid import user defined external resources`
	`84`	`+delete options.dependencies`
`83`	`85`
`84`	`86`	`if (Object.hasOwnProperty.call(options, 'spotlight')) {`
`85`	`87`	`defaultOptions.dependencies.push({`