Fixes #60 xss

volca · Mar 7, 2017 · 1181f04 · 1181f04
1 parent 69b877d
commit 1181f04
Show file tree

Hide file tree

Showing 6 changed files with 1,286 additions and 2 deletions.
diff --git a/js/config.js b/js/config.js
@@ -10,6 +10,7 @@ window.config = (function(hljs) {
         gfm: true,
         tables: true,
         breaks: false,
+        sanitize: true,
         highlight: function(code) {
             return hljs.highlightAuto(code).value;
         }

diff --git a/js/markdownify.js b/js/markdownify.js
@@ -27,6 +27,7 @@
             // Convert MarkDown to HTML without MathJax typesetting.
             // This is done to make page responsiveness.  The HTML body
             // is replaced after MathJax typesetting.
+            config.markedOptions.sanitize = items.mathjax ? false : true;
             marked.setOptions(config.markedOptions);
             var html = marked(data);
             $(document.body).html(html);