author | Douwe Maan <douwe@gitlab.com> | 2018-01-31 21:48:18 +0000 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2018-02-09 12:13:44 -0600 |
commit | 603fa7c14193d37e3953225501d2108f0c581df5 (patch) | |
tree | bbaa12a41c577dbcb7e4cd1772df7fd2f2156d8e /app/assets/javascripts | |
parent | 5e9e56924a56dcb84c3ae4ae6fc308f635f39f66 (diff) | |
download | gitlab-ce-603fa7c14193d37e3953225501d2108f0c581df5.tar.gz |
Merge branch 'fix-mermaid-xss' into 'security-10-4'
[10.4] Fix stored XSS in code blocks
Diffstat (limited to 'app/assets/javascripts')
-rw-r--r-- | app/assets/javascripts/render_mermaid.js | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/app/assets/javascripts/render_mermaid.js b/app/assets/javascripts/render_mermaid.js
index 31c7a772cf4..d4f18955bd2 100644
--- a/app/assets/javascripts/render_mermaid.js
+++ b/app/assets/javascripts/render_mermaid.js
@@ -30,6 +30,9 @@ export default function renderMermaid($els) {
 $els.each((i, el) => {
 const source = el.textContent;
+ // Remove any extra spans added by the backend syntax highlighting.
+ Object.assign(el, { textContent: source });
+
 mermaid.init(undefined, el, (id) => {
 const svg = document.getElementById(id); |
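Review bot: The comment on the added `Object.assign(el, { textContent: source });` line describes it as span cleanup, but per the commit title it is the stored-XSS fix, so a later tidy-up could remove it without realising what it protects. I would state that in the comment, e.g. `// Security: reset el to plain text so markup from the highlighted code block never reaches mermaid.init (stored XSS).` The same comment could note that `Object.assign` stands in for a direct `el.textContent = source` assignment, presumably to satisfy a no-param-reassign lint rule, so nobody "simplifies" it into a lint failure or deletes it. Whether the SVG that mermaid builds from `source` is itself sanitised is not visible here, because the `mermaid.init` callback continues outside the hunk.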