Commit

fix: avoid eval string when putting back parsed string of mermaid
where has stored XSS issue
jackycute committed Dec 21, 2020
1 parent 381b3ff commit 79dc6a9
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions public/js/extra.js
Expand Up @@ -397,9 +397,10 @@ export function finishView (view) {
var $value = $(value)
const $ele = $(value).closest('pre')

window.mermaid.parse($value.text())
let text = $value.text()
window.mermaid.parse(text)
$ele.addClass('mermaid')
$ele.html($value.text())
$ele.text(text)
window.mermaid.init(undefined, $ele)
} catch (err) {
$value.unwrap()
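Review bot: At `$ele.text(text)`, add a short comment stating that the diagram source must be written back as text and never through `.html()`, because nothing in this hunk stops a later cleanup from restoring `$ele.html(...)` and reopening the stored XSS named in the commit message. `let text = $value.text()` is never reassigned in the lines shown, so `const text` would match the `const $ele` declared just above it. The element is still passed to `window.mermaid.init(undefined, $ele)` and the mermaid configuration is not visible in this hunk, so it is worth confirming in review that the rendered diagram output is also sanitized by mermaid's own settings.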