hackmdio · SISheogorath · Nov 11, 2018 · Nov 10, 2018
diff --git a/public/js/render.js b/public/js/render.js
@@ -1,6 +1,8 @@
 /* eslint-env browser, jquery */
-/* global filterXSS */
 // allow some attributes
+
+var filterXSS = require('xss')
+
 var whiteListAttr = ['id', 'class', 'style']
 window.whiteListAttr = whiteListAttr
 // allow link starts with '.', '/' and custom protocol with '://', exclude link starts with javascript://
@@ -71,5 +73,6 @@ function preventXSS (html) {
 window.preventXSS = preventXSS
 
 module.exports = {
-  preventXSS: preventXSS
+  preventXSS: preventXSS,
+  escapeAttrValue: filterXSS.escapeAttrValue
 }
diff --git a/public/js/reveal-markdown.js b/public/js/reveal-markdown.js
@@ -1,6 +1,6 @@
 /* eslint-env browser, jquery */
 
-import { preventXSS } from './render'
+import { preventXSS, escapeAttrValue } from './render'
 import { md } from './extra'
 
 /**
@@ -259,7 +259,7 @@ import { md } from './extra'
       while ((matchesClass = mardownClassRegex.exec(classes))) {
         var name = matchesClass[1]
         var value = matchesClass[2]
-        if (name.substr(0, 5) === 'data-' || window.whiteListAttr.indexOf(name) !== -1) { elementTarget.setAttribute(name, window.filterXSS.escapeAttrValue(value)) }
+        if (name.substr(0, 5) === 'data-' || window.whiteListAttr.indexOf(name) !== -1) { elementTarget.setAttribute(name, escapeAttrValue(value)) }
       }
       return true
     }

diff --git a/webpack.common.js b/webpack.common.js
@@ -202,7 +202,6 @@ module.exports = {
       'babel-polyfill',
       'script-loader!jquery-ui-resizable',
       'script-loader!js-url',
-      'expose-loader?filterXSS!xss',
       'script-loader!Idle.Js',
       'expose-loader?LZString!lz-string',
       'script-loader!codemirror',
@@ -253,7 +252,6 @@ module.exports = {
       'script-loader!handlebars',
       'expose-loader?hljs!highlight.js',
       'expose-loader?emojify!emojify.js',
-      'expose-loader?filterXSS!xss',
       'script-loader!Idle.Js',
       'script-loader!gist-embed',
       'expose-loader?LZString!lz-string',
@@ -273,7 +271,6 @@ module.exports = {
     ],
     pretty: [
       'babel-polyfill',
-      'expose-loader?filterXSS!xss',
       'flowchart.js',
       'js-sequence-diagrams',
       'expose-loader?RevealMarkdown!reveal-markdown',
@@ -298,7 +295,6 @@ module.exports = {
       'script-loader!handlebars',
       'expose-loader?hljs!highlight.js',
       'expose-loader?emojify!emojify.js',
-      'expose-loader?filterXSS!xss',
       'script-loader!gist-embed',
       'flowchart.js',
       'js-sequence-diagrams',
@@ -310,7 +306,6 @@ module.exports = {
     slide: [
       'babel-polyfill',
       'bootstrap-tooltip',
-      'expose-loader?filterXSS!xss',
       'flowchart.js',
       'js-sequence-diagrams',
       'expose-loader?RevealMarkdown!reveal-markdown',
@@ -338,7 +333,6 @@ module.exports = {
       'script-loader!handlebars',
       'expose-loader?hljs!highlight.js',
       'expose-loader?emojify!emojify.js',
-      'expose-loader?filterXSS!xss',
       'script-loader!gist-embed',
       'flowchart.js',
       'js-sequence-diagrams',