Merge pull request #1650 from hackmdio/bugfix/fix-reveal-markdown-sto…

…red-xss Fix slide mode stored XSS
hackmdio · Jan 25, 2021 · 452f9ac · 452f9ac
2 parents 5b4c7ef + c47f0f0
commit 452f9ac
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/public/js/reveal-markdown.js b/public/js/reveal-markdown.js
@@ -103,7 +103,7 @@ import { md } from './extra'
 
     // prevent script end tags in the content from interfering
     // with parsing
-    content = content.replace(/<\/script>/g, SCRIPT_END_PLACEHOLDER)
+    content = content.replace(/<\/script>/gi, SCRIPT_END_PLACEHOLDER)
 
     return '<script type="text/template">' + content + '</script>'
   }

diff --git a/public/js/slide.js b/public/js/slide.js
@@ -80,6 +80,8 @@ const defaultOptions = {
 }
 
 var options = meta.slideOptions || {}
+// delete dependencies to avoid import user defined external resources
+delete options.dependencies
 
 if (Object.hasOwnProperty.call(options, 'spotlight')) {
   defaultOptions.dependencies.push({