fix: strip html tags for gist file, gist line, gist highlight line, g…

…ist show loading attrtributes
hackmdio · Jun 9, 2021 · 94ba61b · 94ba61b
1 parent 9e65e7a
commit 94ba61b
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/public/js/extra.js b/public/js/extra.js
@@ -334,6 +334,14 @@ export function finishView (view) {
       // strip HTML tags to avoid stored XSS
       const gistid = value.getAttribute('data-gist-id')
       value.setAttribute('data-gist-id', stripTags(gistid))
+      const gistfile = value.getAttribute('data-gist-file')
+      if (gistfile) value.setAttribute('data-gist-file', stripTags(gistfile))
+      const gistline = value.getAttribute('data-gist-line')
+      if (gistline) value.setAttribute('data-gist-line', stripTags(gistline))
+      const gisthighlightline = value.getAttribute('data-gist-highlight-line')
+      if (gisthighlightline) value.setAttribute('data-gist-highlight-line', stripTags(gisthighlightline))
+      const gistshowloading = value.getAttribute('data-gist-show-loading')
+      if (gistshowloading) value.setAttribute('data-gist-show-loading', stripTags(gistshowloading))
       $(value).gist(window.viewAjaxCallback)
     }
   })