Commit

  • Hash : 17e33bc0
    Author : Rob Wu
    Date : 2016-11-20T12:52:54

Reduce risk of XSS (#1051)

    * Skip non-own properties of env.attributes

    Use `Object.keys` instead of a for-in loop to find optional attributes. The former only grabs keys that are own properties; the latter also includes inherited properties from `Object.prototype`. This reduces the risk of XSS if an attacker somehow manages to manipulate the prototype chain of the Object prototype.

    * Fix root cause of XSS in autolinker plugin #1054

    * command-line plugin: Safely encode attributes

    If an attacker has control over the values of the attributes "data-prompt", "data-user", or "data-host", then XSS was possible. This fixes the issue by encoding quotes as the `&quot;` entity.

    * show-language plugin: innerHTML -> textContent

    There is no need for `innerHTML` here. At best nothing happens, at worst XSS is possible (though the odds are negligible since the attacker would have to control the detected language).

    * toolbar plugin: innerHTML -> textContent

  • Git HTTP https://git.kmx.io/kmx.io/prism.js.git
    Git SSH git@git.kmx.io:kmx.io/prism.js.git
    Public access ? public
    Description

    Lightweight, robust, elegant syntax highlighting.

    https://github.com/PrismJS/prism/
