|
c24831b5
|
2019-04-27T11:28:47
|
|
Command line: Fix for uncaught errors for empty 'commandLine' object. (#1862)
This fixes the issue that the Command line plugin throws an error when the 'commandLine' object is not defined/an empty object. This always happens when an element with no text is highlighted.
|
|
9f6e5026
|
2018-11-28T14:23:53
|
|
Fixed class regex for Command Line plugin (#1566)
Fixes #1564 where the plugin would wrongly detect `command-line-prompt`
causing the alignment issue.
|
|
094d5463
|
2018-03-26T02:14:54
|
|
Command Line: Allow specifying output prefix using data-filter-output attribute. (#856)
|
|
17e33bc0
|
2016-11-20T12:52:54
|
|
Reduce risk of XSS (#1051)
* Skip non-own properties of env.attributes
Use `Object.keys` instead of a for-in loop to find optional attributes.
The former only grabs keys that are own properties, the latter also
includes inherited properties from `Object.prototype`.
This reduces the risk of XSS if an attacker somehow manages to
manipulate the prototype chain of the Object prototype.
* Fix root cause of XSS in autolinker plugin #1054
* command-line plugin: Safely encode attributes
If an attacker has control over the values of the attributes
"data-prompt", "data-user", or "data-host", then XSS was possible.
This fixes the issue, by encoding quotes as the `&quot;` entity.
* show-language plugin: innerHTML -> textContent
There is no need for `innerHTML` here. At best nothing happens,
at worst XSS is possible (though the odds are negligible since
the attacker would have to control the detected language).
* toolbar plugin: innerHTML -> textContent
|
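The two hardening steps named in the "Reduce risk of XSS (#1051)" message above (own-property enumeration and quote encoding of attribute values), shown side by side as an added example; this is not code from the commit or from the project. The function names, the extra `&` encoding, and the sample attribute value are assumptions made for illustration.

```javascript
// Added illustration, not the plugin's code. All names here are hypothetical.

// Encode '&' first so existing entities are not reinterpreted, then
// double quotes so a value cannot close the attribute it sits in.
function encodeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// "Before" shape: for-in also visits enumerable properties inherited from
// Object.prototype, and values are concatenated into markup unencoded.
function buildAttrsUnsafe(attributes) {
  let out = '';
  for (const name in attributes) {
    out += ' ' + name + '="' + attributes[name] + '"';
  }
  return out;
}

// "After" shape: Object.keys returns own enumerable keys only, and every
// value passes through encodeAttr before it reaches the markup string.
function buildAttrsSafe(attributes) {
  return Object.keys(attributes)
    .map((name) => ' ' + name + '="' + encodeAttr(attributes[name]) + '"')
    .join('');
}

// Runs both builders on a constructed input while Object.prototype carries
// an extra enumerable property, then restores the prototype.
function demo() {
  const attributes = { 'data-user': 'root" onmouseover="alert(1)' }; // constructed sample
  Object.prototype.injected = 'x'; // simulates a manipulated prototype chain
  try {
    return {
      unsafe: buildAttrsUnsafe(attributes),
      safe: buildAttrsSafe(attributes),
    };
  } finally {
    delete Object.prototype.injected; // always undo the simulation
  }
}

console.log(demo());
```

In the unsafe output the quote in the value ends the `data-user` attribute early and the inherited `injected` key appears as an attribute; in the safe output neither happens.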
|
298dca59
|
2015-12-29T19:36:08
|
|
Remove the need for an "output" class.
|
|
83789062
|
2015-11-29T20:27:14
|
|
Add Command Line plugin.
|