author | Maxime Quandalle <maxime@quandalle.com> | 2016-07-18 16:56:15 +0200 |
---|---|---|
committer | Maxime Quandalle <mquandalle@wekan.io> | 2016-07-20 22:21:41 +0200 |
commit | 1f3015bd2c03b0735f30ad8a695293cf1788df45 (patch) | |
tree | 4b3907cd01009108848f42d01a0a450a9b86b83f /client/components | |
parent | 3bc28b5e8ac469c19ea429e29c6a6e5677bd454a (diff) | |
Fix #573
Diffstat (limited to 'client/components')
-rwxr-xr-x | client/components/main/editor.js | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/client/components/main/editor.js b/client/components/main/editor.js
index 17429067..95a96236 100755
--- a/client/components/main/editor.js
+++ b/client/components/main/editor.js
@@ -44,6 +44,8 @@ Template.editor.onRendered(() => {
 ]);
 });
 
+import sanitizeXss from 'xss';
+
 // XXX I believe we should compute a HTML rendered field on the server that
 // would handle markdown, emoji and user mentions. We can simply have two
 // fields, one source, and one compiled version (in HTML) and send only the
@@ -86,7 +88,7 @@ Blaze.Template.registerHelper('mentions', new Template('mentions', function() {
 content = content.replace(fullMention, Blaze.toHTML(link));
 }
 
- return HTML.Raw(content);
+ return HTML.Raw(sanitizeXss(content));
 }));
 
 Template.viewer.events({ |
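Review bot: The new `import sanitizeXss from 'xss';` is placed mid-file, after the `Template.editor.onRendered` block, rather than with the file's top-level imports; ES module imports are hoisted so it still works, but a reader scanning the top of the file will not see that this component now depends on `xss`, so the line belongs in the import section. In the second hunk, `HTML.Raw(sanitizeXss(content))` also runs the sanitizer over the output of `Blaze.toHTML(link)`, and the `xss` default whitelist removes attributes it does not list, so if the mention link template carries attributes beyond `href`/`title`/`target` (for example a `class`) they may be stripped — worth confirming the rendered link survives as expected, or passing an explicit whitelist to `xss`. A short comment such as `// Sanitize after mention expansion: content is user-supplied and rendered as raw HTML` would record why the call sits at this point rather than earlier. The `mentions` template function begins before the hunk and the file continues after it.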