
Fix wekan#573
mquandalle authored and Maxime Quandalle committed Jul 20, 2016
1 parent 3bc28b5 commit 1f3015b
Showing 2 changed files with 6 additions and 1 deletion.
4 changes: 3 additions & 1 deletion client/components/main/editor.js
Expand Up @@ -44,6 +44,8 @@ Template.editor.onRendered(() => {
]);
});

import sanitizeXss from 'xss';

// XXX I believe we should compute a HTML rendered field on the server that
// would handle markdown, emoji and user mentions. We can simply have two
// fields, one source, and one compiled version (in HTML) and send only the
Expand Down Expand Up @@ -86,7 +88,7 @@ Blaze.Template.registerHelper('mentions', new Template('mentions', function() {
content = content.replace(fullMention, Blaze.toHTML(link));
}

return HTML.Raw(content);
return HTML.Raw(sanitizeXss(content));
}));

Template.viewer.events({
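Review bot: The new `sanitizeXss(content)` call on the return line runs with the library's default options, so whatever markup `Blaze.toHTML(link)` produces for a mention a few lines above is filtered by the same default tag/attribute whitelist as the user-supplied text; if that link carries attributes outside that whitelist (a class, a data attribute), they are silently stripped at render time, which I cannot confirm from this hunk since the link is built outside it. Passing an explicit options object that names the tags and attributes the viewer relies on would make the allowed set reviewable in one place rather than implicit in the dependency's defaults. A why-comment on the return would also help the next reader: `// content mixes user text with generated mention links; strip anything outside the whitelist before it becomes raw HTML`. Separately, the `import sanitizeXss from 'xss'` in the first hunk lands between two template blocks rather than with the file's other top-of-file imports, which is easy to miss. The `mentions` helper whose return is changed here starts before this hunk.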
3 changes: 3 additions & 0 deletions package.json
Expand Up @@ -18,5 +18,8 @@
"homepage": "https://wekan.io",
"devDependencies": {
"eslint": "^2.0.0"
},
"dependencies": {
"xss": "^0.2.13"
}
}
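Review bot: The new `"xss": "^0.2.13"` range is the only record of the sanitizer version, and no lockfile is part of this commit (the diffstat shows only these two files), so each install may resolve to a different 0.2.x release and the effective HTML whitelist can change underneath the viewer without a code change. Since this dependency is now the security boundary for rendered card text, recording the resolved version (a shrinkwrap/lockfile, or an exact pin) would keep the sanitizer's behaviour reproducible across deployments. The caret on a 0.x version already limits updates to patch releases, which is a reasonable floor.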

0 comments on commit 1f3015b
