
fix: avoid eval string when putting back parsed string of mermaid #1633

Merged
merged 3 commits into from
Dec 25, 2020

Conversation

jackycute
Member

Fix #1630

Avoid using element.html for putting back the parsed string of mermaid, which can trigger stored XSS attacks.
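The distinction the description draws, shown as an added example (this is not CodiMD's code): a renderer that writes the parsed mermaid source back with `element.html(source)` lets the browser parse the source as markup, so any tag a note author stored in a mermaid block runs for every viewer; writing it as text (or escaping it before building markup) leaves it inert. The two `putBack*` functions below stand in for the unsafe and hardened patterns, `containsForeignTag` is a small review helper, and `SAMPLE_SOURCE` is constructed input.

```javascript
// Added example, not code from the CodiMD project.
// Stored XSS via element.html(): the mermaid source is user content, and
// element.html(str) parses `str` as HTML before inserting it.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open a tag, close one, or break out of an attribute.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (assumed equivalent of element.html(source)):
// the mermaid source is interpolated as raw markup, so tags inside it survive.
function putBackUnsafe(source) {
  return `<div class="mermaid">${source}</div>`;
}

// Hardened pattern: the source is escaped first, which is what the browser
// sees when the code uses element.text(source) instead of element.html(source).
function putBackSafe(source) {
  return `<div class="mermaid">${escapeHtml(source)}</div>`;
}

// Review helper: true if anything that looks like a tag survived inside the
// wrapping div, i.e. the renderer let user content become markup.
function containsForeignTag(html) {
  const inner = html.replace(/^<div class="mermaid">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed sample: a diagram whose source is not valid mermaid but is
// valid HTML, the kind of content that would be stored in a note.
const SAMPLE_SOURCE = 'graph TD;\nA-->B\n<img src=x onerror="alert(1)">';

console.log('unsafe:', putBackUnsafe(SAMPLE_SOURCE));
console.log('safe  :', putBackSafe(SAMPLE_SOURCE));
```

With the sample input, the unsafe output still contains a live `<img ...>` tag while the safe output shows the same characters as escaped text; the mermaid library can then read the text content back and render the diagram without ever having treated the source as HTML.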

@Yukaii Yukaii temporarily deployed to codimd-bugfix-fix-merma-omdm8o December 21, 2020 06:22 Inactive
@Yukaii Yukaii temporarily deployed to codimd-bugfix-fix-merma-omdm8o December 21, 2020 06:25 Inactive
@Yukaii Yukaii temporarily deployed to codimd-bugfix-fix-merma-omdm8o December 21, 2020 06:47 Inactive
@Yukaii Yukaii temporarily deployed to codimd-bugfix-fix-merma-omdm8o December 21, 2020 06:50 Inactive
@Yukaii Yukaii temporarily deployed to codimd-bugfix-fix-merma-omdm8o December 21, 2020 06:57 Inactive
@Yukaii Yukaii temporarily deployed to codimd-bugfix-fix-merma-omdm8o December 21, 2020 07:10 Inactive
@Yukaii Yukaii added this to the Next milestone Dec 21, 2020
@Yukaii Yukaii merged commit 25119ad into develop Dec 25, 2020
@Yukaii Yukaii deleted the bugfix/fix-mermaid-render-xss branch December 25, 2020 08:21
@Yukaii Yukaii modified the milestones: Next, 2.3.0 Dec 25, 2020
edgarogh pushed a commit to WartaPoirier-corp/codimd that referenced this pull request Jun 7, 2022
Successfully merging this pull request may close these issues.

Stored XSS in mermaid