prevent XSS attack in issue and pull request message ・ 22b4045 ・ Gitprep

+8 -4

lib/Gitprep/API.pm

@@ -113,13 +113,17 @@ sub add_issue_message {
 }
 
 sub markdown {
-  my ($self, $text) = @_;
+  my ($self, $markdown_text) = @_;
 
-  my $text_e = Text::Markdown::Hoedown::markdown(
-    $text, extensions => HOEDOWN_EXT_FENCED_CODE|HOEDOWN_EXT_TABLES|HOEDOWN_EXT_NO_INTRA_EMPHASIS
+  # Remove script tags
+  $markdown_text =~ s/\<\s*script\s*.*?\>//g;
+  $markdown_text =~ s/\<\s*\/\s*script\s*.*?\>//g;
+
+  my $html_text = Text::Markdown::Hoedown::markdown(
+    $markdown_text, extensions => HOEDOWN_EXT_FENCED_CODE|HOEDOWN_EXT_TABLES|HOEDOWN_EXT_NO_INTRA_EMPHASIS
   );
   
-  return $text_e;
+  return $html_text;
 }
 
 sub age_string {

...	...	@@ -113,13 +113,17 @@ sub add_issue_message {
113	113	}
114	114
115	115	sub markdown {
116		- my ($self, $text) = @_;
	116	+ my ($self, $markdown_text) = @_;
117	117
118		- my $text_e = Text::Markdown::Hoedown::markdown(
119		- $text, extensions => HOEDOWN_EXT_FENCED_CODE\|HOEDOWN_EXT_TABLES\|HOEDOWN_EXT_NO_INTRA_EMPHASIS
	118	+ # Remove script tags
	119	+ $markdown_text =~ s/\<\sscript\s.*?\>//g;
	120	+ $markdown_text =~ s/\<\s\/\sscript\s.?\>//g;
	121	+
	122	+ my $html_text = Text::Markdown::Hoedown::markdown(
	123	+ $markdown_text, extensions => HOEDOWN_EXT_FENCED_CODE\|HOEDOWN_EXT_TABLES\|HOEDOWN_EXT_NO_INTRA_EMPHASIS
120	124	);
121	125
122		- return $text_e;
	126	+ return $html_text;
123	127	}
124	128
125	129	sub age_string {