Merge pull request #1 from Asjidkalam/master

Merging fix - on-behalf of @Asjidkalam, executed by huntr.dev (030-js-mavonEditor).
hinesboy · Mar 7, 2020 · 7177af3 · 7177af3
2 parents a47efeb + b19a577
commit 7177af3
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/package.json b/package.json
@@ -29,7 +29,8 @@
   "homepage": "https://github.com/hinesboy/mavonEditor#readme",
   "dependencies": {
     "highlight.js": "^9.11.0",
-    "highlight.js-async-webpack": "^1.0.4"
+    "highlight.js-async-webpack": "^1.0.4",
+    "xss": "^1.0.6"
   },
   "devDependencies": {
     "auto-textarea": "^1.4.0",
@@ -110,4 +111,4 @@
     "webpack-dev-server": "^2.11.5",
     "webpack-md5-hash": "^0.0.5"
   }
-}
+}
diff --git a/src/mavon-editor.vue b/src/mavon-editor.vue
@@ -93,6 +93,7 @@ import {autoTextarea} from 'auto-textarea'
 import {keydownListen} from './lib/core/keydown-listen.js'
 import hljsCss from './lib/core/hljs/lang.hljs.css.js'
 import hljsLangs from './lib/core/hljs/lang.hljs.js'
+const xss = require('xss');
 import {
     fullscreenchange,
    /* windowResize, */
@@ -659,6 +660,9 @@ export default {
             this.iRender();
         },
         value: function (val, oldVal) {
+            // Escaping all XSS characters
+            val = xss(val);
+
             if (val !== this.d_value) {
                 this.d_value = val
             }