From 35b0d39a12aa35f27fba8c1f50b1886706e7efef Mon Sep 17 00:00:00 2001
From: Philip Molares
Date: Thu, 14 Jan 2021 02:51:08 +0100
Subject: [PATCH 1/3] added sanitation to the slideMode in frontmatter This should prevent the issue mentioned in https://github.com/hackmdio/codimd/issues/1648 Specifically left out are - dependency (user can't really include anything anyway, because CSP forbids most domains) - autoSlideMethod (nothing our users should be able to change as they won't write JS to be affected by this) - keyboard (this let's users write arbitrary code and seems therefore to problematic) See: https://github.com/hakimel/reveal.js/blob/3.9.2/README.md#configuration
Signed-off-by: Philip Molares
---
 public/js/slide.js | 51 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)
diff --git a/public/js/slide.js b/public/js/slide.js
index 3a47ac433..b0ef81abc 100644
--- a/public/js/slide.js
+++ b/public/js/slide.js
@@ -72,7 +72,56 @@ const defaultOptions = {
 // options from yaml meta
 const meta = JSON.parse($('#meta').text())
-var options = meta.slideOptions || {}
+var options = {
+ autoPlayMedia: meta.slideOptions.autoPlayMedia,
+ autoSlide: meta.slideOptions.autoSlide,
+ autoSlideStoppable: meta.slideOptions.autoSlideStoppable,
+ backgroundTransition: meta.slideOptions.backgroundTransition,
+ center: meta.slideOptions.center,
+ controls: meta.slideOptions.controls,
+ controlsBackArrows: meta.slideOptions.controlsBackArrows,
+ controlsLayout: meta.slideOptions.controlsLayout,
+ controlsTutorial: meta.slideOptions.controlsTutorial,
+ defaultTiming: meta.slideOptions.defaultTiming,
+ display: meta.slideOptions.display,
+ embedded: meta.slideOptions.embedded,
+ fragmentInURL: meta.slideOptions.fragmentInURL,
+ fragments: meta.slideOptions.fragments,
+ hash: meta.slideOptions.hash,
+ height: meta.slideOptions.height,
+ help: meta.slideOptions.help,
+ hideAddressBar: meta.slideOptions.hideAddressBar,
+ hideCursorTime: meta.slideOptions.hideCursorTime,
+ hideInactiveCursor: meta.slideOptions.hideInactiveCursor,
+ history: meta.slideOptions.history,
+ keyboard: meta.slideOptions.keyboard,
+ loop: meta.slideOptions.loop,
+ margin: meta.slideOptions.margin,
+ maxScale: meta.slideOptions.maxScale,
+ minScale: meta.slideOptions.minScale,
+ minimumTimePerSlide: meta.slideOptions.minimumTimePerSlide,
+ mobileViewDistance: meta.slideOptions.mobileViewDistance,
+ mouseWheel: meta.slideOptions.mouseWheel,
+ navigationMode: meta.slideOptions.navigationMode,
+ overview: meta.slideOptions.overview,
+ parallaxBackgroundHorizontal: meta.slideOptions.parallaxBackgroundHorizontal,
+ parallaxBackgroundImage: meta.slideOptions.parallaxBackgroundImage,
+ parallaxBackgroundSize: meta.slideOptions.parallaxBackgroundSize,
+ parallaxBackgroundVertical: meta.slideOptions.parallaxBackgroundVertical,
+ preloadIframes: meta.slideOptions.preloadIframes,
+ previewLinks: meta.slideOptions.previewLinks,
+ progress: meta.slideOptions.progress,
+ rtl: meta.slideOptions.rtl,
+ showNotes: meta.slideOptions.showNotes,
+ shuffle: meta.slideOptions.shuffle,
+ slideNumber: meta.slideOptions.slideNumber,
+ totalTime: meta.slideOptions.totalTime,
+ touch: meta.slideOptions.touch,
+ transition: meta.slideOptions.transition,
+ transitionSpeed: meta.slideOptions.transitionSpeed,
+ viewDistance: meta.slideOptions.viewDistance,
+ width: meta.slideOptions.width
+} || {}
 const view = $('.reveal')
From 1546786c635f744b8306428bf02e2ec0285fcb51 Mon Sep 17 00:00:00 2001
From: Philip Molares
Date: Thu, 14 Jan 2021 11:35:17 +0100
Subject: [PATCH 2/3] changed the SCRIPT_END_PLACEHOLDER regex to case insensitive this was suggested by @TobiasHoll in https://github.com/hackmdio/codimd/issues/1648
Signed-off-by: Philip Molares
---
 public/js/reveal-markdown.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/public/js/reveal-markdown.js b/public/js/reveal-markdown.js
index ad5bfd048..c49bb9a24 100644
--- a/public/js/reveal-markdown.js
+++ b/public/js/reveal-markdown.js
@@ -103,7 +103,7 @@ import { md } from './extra'
 // prevent script end tags in the content from interfering
 // with parsing
- content = content.replace(/<\/script>/g, SCRIPT_END_PLACEHOLDER)
+ content = content.replace(/<\/script>/gi, SCRIPT_END_PLACEHOLDER)
 return ''
 }
From 8e611e42eef5dc0bbc9c7b8e4d679c22a204bc26 Mon Sep 17 00:00:00 2001
From: Philip Molares
Date: Thu, 14 Jan 2021 16:42:53 +0100
Subject: [PATCH 3/3] added theme to the sanitization of slideOptions
Signed-off-by: Philip Molares
---
 public/js/slide.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/public/js/slide.js b/public/js/slide.js
index b0ef81abc..c78520210 100644
--- a/public/js/slide.js
+++ b/public/js/slide.js
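Review bot: Every property of the new `options` literal in the `@@ -72,7 +72,56 @@` hunk reads `meta.slideOptions.<name>` directly, so when the front matter carries no `slideOptions` (the case the old `meta.slideOptions || {}` fallback covered) the first property access throws a TypeError. The trailing `|| {}` cannot help, because an object literal is always truthy. Reading from a guarded local first, `const slideOptions = meta.slideOptions || {}`, and copying from `slideOptions` keeps the old fallback; the `theme` line added in PATCH 3/3 has the same unguarded access. Separately, the commit message lists `keyboard` among the options deliberately left out, yet `keyboard: meta.slideOptions.keyboard` is in the allowlist, so that line should be dropped or restricted to a boolean value.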
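Review bot: The changed pattern in the `@@ -103,7 +103,7 @@` hunk still matches only the exact spelling `</script>`, while an HTML parser also ends a script element at `</script` followed by whitespace or further characters before the `>`. The substitution therefore stays narrower than what the browser accepts; a pattern such as `/<\/script[^>]*>/gi` would cover those forms. The code that turns `SCRIPT_END_PLACEHOLDER` back into an end tag is outside this hunk, as are the start and end of the enclosing function, so the chosen pattern needs to be checked against that restore step.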
@@ -115,6 +115,7 @@ var options = {
 showNotes: meta.slideOptions.showNotes,
 shuffle: meta.slideOptions.shuffle,
 slideNumber: meta.slideOptions.slideNumber,
+ theme: meta.slideOptions.theme,
 totalTime: meta.slideOptions.totalTime,
 touch: meta.slideOptions.touch,
 transition: meta.slideOptions.transition,
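Review bot: The added `theme: meta.slideOptions.theme` line passes the value through with whatever type and content the front matter supplied, because the allowlist restricts which keys are copied but not their values. Where `options.theme` is consumed is not visible in this hunk; if it ends up in a stylesheet path or a class name, it would be worth constraining it here, for example `theme: typeof meta.slideOptions.theme === 'string' ? meta.slideOptions.theme : undefined`, or checking it against the list of shipped theme names. The `options` literal starts and ends outside the hunk.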