fix: strip html tags for gist id to avoid stored XSS on showing error [Security Issue]

jackycute · jackycute · commit 85c76f50a11e · 2021-06-01T18:11:56.000+08:00
Signed-off-by: Max Wu &lt;jackymaxj@gmail.com&gt;
diff --git a/public/js/extra.js b/public/js/extra.js
@@ -1341,7 +1341,7 @@ const gistPlugin = new Plugin(
 
   (match, utils) => {
     const gistid = match[1].split(/[?&=]+/)[0]
-    const code = `<code data-gist-id="${gistid}"></code>`
+    const code = `<code data-gist-id="${stripTags(gistid)}"></code>`
     return code
   }
 )

Original file line number	Diff line number	Diff line change
`@@ -1341,7 +1341,7 @@ const gistPlugin = new Plugin(`
`1341`	`1341`
`1342`	`1342`	`(match, utils) => {`
`1343`	`1343`	`const gistid = match[1].split(/[?&=]+/)[0]`
`1344`		- const code = `<code data-gist-id="${gistid}"></code>`
	`1344`	+ const code = `<code data-gist-id="${stripTags(gistid)}"></code>`
`1345`	`1345`	`return code`
`1346`	`1346`	`}`
`1347`	`1347`	`)`