From 9b00afb863e475e9a72d06d61591535bd38d2d3e Mon Sep 17 00:00:00 2001 From: Wu Cheng-Han Date: Wed, 27 Sep 2017 18:20:04 +0800 Subject: [PATCH] Fix unclosed tags might cause XSS [Security Issue] --- public/js/render.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/public/js/render.js b/public/js/render.js index 88a05bded..e2574b5fd 100644 --- a/public/js/render.js +++ b/public/js/render.js @@ -27,7 +27,7 @@ var filterXSSOptions = { whiteList: whiteList, escapeHtml: function (html) { // allow html comment in multiple lines - return html.replace(/<(.*?)>/g, '<$1>') + return html.replace(/<(?!!--)/g, '<').replace(/-->/g, '__HTML_COMMENT_END__').replace(/>/g, '>').replace(/__HTML_COMMENT_END__/g, '-->') }, onIgnoreTag: function (tag, html, options) { // allow comment tag