Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-16 23:40:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Fix #573

Browse source
This commit is contained in:
Maxime Quandalle 2016-07-18 16:56:15 +02:00 committed by Maxime Quandalle
parent 3bc28b5e8a
commit 1f3015bd2c
No known key found for this signature in database
GPG key ID: 428641C03D29CA10
2 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
client/components/main/editor.js
View file

@ -44,6 +44,8 @@ Template.editor.onRendered(() => {
]); ]);
}); });
import sanitizeXss from 'xss';
// XXX I believe we should compute a HTML rendered field on the server that // XXX I believe we should compute a HTML rendered field on the server that
// would handle markdown, emoji and user mentions. We can simply have two // would handle markdown, emoji and user mentions. We can simply have two
// fields, one source, and one compiled version (in HTML) and send only the // fields, one source, and one compiled version (in HTML) and send only the
@ -86,7 +88,7 @@ Blaze.Template.registerHelper('mentions', new Template('mentions', function() {
content = content.replace(fullMention, Blaze.toHTML(link)); content = content.replace(fullMention, Blaze.toHTML(link));
} }
return HTML.Raw(content); return HTML.Raw(sanitizeXss(content));
})); }));
Template.viewer.events({ Template.viewer.events({

3
package.json
View file

@ -18,5 +18,8 @@
"homepage": "https://wekan.io", "homepage": "https://wekan.io",
"devDependencies": { "devDependencies": {
"eslint": "^2.0.0" "eslint": "^2.0.0"
},
"dependencies": {
"xss": "^0.2.13"
} }
} }