github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-02-10 15:50:59 +00:00
Code Issues Projects Releases Packages Wiki Activity

Don't store mermaid diagrams in innerHTML

Browse source 
Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements.
Using `.text()` instead mitigates this issue.

Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
David Mehren 2020-12-26 14:40:00 +01:00
parent 89ecff4b1c
commit c32b1cf42b
No known key found for this signature in database
GPG key ID: 185982BA4C42B7C3
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
public/js/extra.js
View file

@ -386,7 +386,7 @@ export function finishView (view) {
window.mermaid.mermaidAPI.parse($value.text())
$ele.addClass('mermaid')
$ele.html($value.text())
$ele.text($value.text())
window.mermaid.init(undefined, $ele)
} catch (err) {
var errormessage = err