diff --git a/views/about.html b/views/about.html
index d7773f3..cc9ea87 100644
--- a/views/about.html
+++ b/views/about.html
@@ -12,6 +12,19 @@
function escapeHtml(str) {
return str.replace(/&/g,'&').replace(//g,'>').replace(/"/g,'"').replace(/'/g,''');
}
+ function sanitizeHtml(html) {
+ var tmp = document.createElement('div');
+ tmp.innerHTML = html;
+ tmp.querySelectorAll('script,iframe,object,embed,form,input,button,select,meta,link,base,style').forEach(function(el) { el.remove(); });
+ tmp.querySelectorAll('*').forEach(function(node) {
+ Array.from(node.attributes).forEach(function(attr) {
+ if (/^on/i.test(attr.name) || (attr.name === 'href' && /^javascript:/i.test(attr.value.trim()))) {
+ node.removeAttribute(attr.name);
+ }
+ });
+ });
+ return tmp.innerHTML;
+ }
function render() {
if (raw && el && typeof marked !== 'undefined') {
var bytes = Uint8Array.from(atob(raw.textContent.trim()), function(c) { return c.charCodeAt(0); });
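Review bot: `tmp.innerHTML = html` on line 11 parses into a live (if detached) div, so resource-loading elements such as `img` still issue their fetch before the loops on lines 12-19 prune anything, and the string returned on line 20 is re-parsed a second time by the caller, which is the shape where mutation-XSS differences between serialize and parse appear; parsing into an inert tree, e.g. `var tmp = document.implementation.createHTMLDocument('').body;` (or a `template` element's `.content`), and handing the filtered nodes to the caller instead of a string avoids both. The filter on line 15 is also a denylist: only `on*` attributes and a `javascript:` `href` are removed, while other URL-bearing attributes (`src`, `action`, `formaction`, `xlink:href`, `srcdoc`) and `style` pass through untouched, and the tag list on line 12 does not cover `svg`/`math` subtrees, so an allowlist of permitted tags and attributes, or a maintained sanitizer (DOMPurify, or the browser Sanitizer API where available), is the defensible design here. The same function is pasted verbatim into views/rules.html and views/terms.html (the hunks ending at lines 61 and 98); it should live in one shared script so any hardening lands in all three pages at once.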
@@ -26,11 +39,7 @@
var escaped = escapeHtml(typeof code === 'object' ? (code.text || '') : code);
return '' + escaped + '';
};
- renderer.html = function(html) {
- var content = typeof html === 'object' ? (html.text || '') : html;
- return escapeHtml(content);
- };
- el.innerHTML = marked.parse(text, { gfm: true, breaks: true, renderer: renderer });
+ el.innerHTML = sanitizeHtml(marked.parse(text, { gfm: true, breaks: true, renderer: renderer }));
}
}
if (typeof marked !== 'undefined') {
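Review bot: The new line 34 silently changes the trust boundary — dropping the `renderer.html` override means raw HTML blocks in the markdown are no longer escaped and `sanitizeHtml` is now the only thing between the decoded content and `el.innerHTML` — but nothing in the code says so. Add a comment above it such as `// raw HTML in the markdown is allowed through; sanitizeHtml is the sole barrier before innerHTML` so the next maintainer does not remove the wrapper as redundant. The same applies to the matching lines in views/rules.html and views/terms.html (hunks ending at lines 74 and 111). render() begins and ends outside this hunk.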
diff --git a/views/rules.html b/views/rules.html
index 44e01e8..1201a1d 100644
--- a/views/rules.html
+++ b/views/rules.html
@@ -12,6 +12,19 @@
function escapeHtml(str) {
return str.replace(/&/g,'&').replace(//g,'>').replace(/"/g,'"').replace(/'/g,''');
}
+ function sanitizeHtml(html) {
+ var tmp = document.createElement('div');
+ tmp.innerHTML = html;
+ tmp.querySelectorAll('script,iframe,object,embed,form,input,button,select,meta,link,base,style').forEach(function(el) { el.remove(); });
+ tmp.querySelectorAll('*').forEach(function(node) {
+ Array.from(node.attributes).forEach(function(attr) {
+ if (/^on/i.test(attr.name) || (attr.name === 'href' && /^javascript:/i.test(attr.value.trim()))) {
+ node.removeAttribute(attr.name);
+ }
+ });
+ });
+ return tmp.innerHTML;
+ }
function render() {
if (raw && el && typeof marked !== 'undefined') {
var bytes = Uint8Array.from(atob(raw.textContent.trim()), function(c) { return c.charCodeAt(0); });
@@ -26,11 +39,7 @@
var escaped = escapeHtml(typeof code === 'object' ? (code.text || '') : code);
return '' + escaped + '';
};
- renderer.html = function(html) {
- var content = typeof html === 'object' ? (html.text || '') : html;
- return escapeHtml(content);
- };
- el.innerHTML = marked.parse(text, { gfm: true, breaks: true, renderer: renderer });
+ el.innerHTML = sanitizeHtml(marked.parse(text, { gfm: true, breaks: true, renderer: renderer }));
}
}
if (typeof marked !== 'undefined') {
diff --git a/views/terms.html b/views/terms.html
index 30f3df1..8bc6cad 100644
--- a/views/terms.html
+++ b/views/terms.html
@@ -12,6 +12,19 @@
function escapeHtml(str) {
return str.replace(/&/g,'&').replace(//g,'>').replace(/"/g,'"').replace(/'/g,''');
}
+ function sanitizeHtml(html) {
+ var tmp = document.createElement('div');
+ tmp.innerHTML = html;
+ tmp.querySelectorAll('script,iframe,object,embed,form,input,button,select,meta,link,base,style').forEach(function(el) { el.remove(); });
+ tmp.querySelectorAll('*').forEach(function(node) {
+ Array.from(node.attributes).forEach(function(attr) {
+ if (/^on/i.test(attr.name) || (attr.name === 'href' && /^javascript:/i.test(attr.value.trim()))) {
+ node.removeAttribute(attr.name);
+ }
+ });
+ });
+ return tmp.innerHTML;
+ }
function render() {
if (raw && el && typeof marked !== 'undefined') {
var bytes = Uint8Array.from(atob(raw.textContent.trim()), function(c) { return c.charCodeAt(0); });
@@ -26,11 +39,7 @@
var escaped = escapeHtml(typeof code === 'object' ? (code.text || '') : code);
return '' + escaped + '';
};
- renderer.html = function(html) {
- var content = typeof html === 'object' ? (html.text || '') : html;
- return escapeHtml(content);
- };
- el.innerHTML = marked.parse(text, { gfm: true, breaks: true, renderer: renderer });
+ el.innerHTML = sanitizeHtml(marked.parse(text, { gfm: true, breaks: true, renderer: renderer }));
}
}
if (typeof marked !== 'undefined') {