FIX: XSS bug using jquery html() #375

lib/simditor.js

@@ -1,7 +1,7 @@
 /*!
 * Simditor v2.3.5
 * http://simditor.tower.im/
-* 2015-11-26
+* 2015-12-20
 */
 (function (root, factory) {
   if (typeof define === 'function' && define.amd) {
@@ -1430,7 +1430,7 @@ UndoManager = (function(superClass) {
     this.editor.hidePopover();
     this._index -= 1;
     state = this._stack[this._index];
-    this.editor.body.html(state.html);
+    this.editor.body.get(0).innerHTML = state.html;
     this.caretPosition(state.caret);
     this.editor.body.find('.selected').removeClass('selected');
     this.editor.sync();
@@ -1445,7 +1445,7 @@ UndoManager = (function(superClass) {
     this.editor.hidePopover();
     this._index += 1;
     state = this._stack[this._index];
-    this.editor.body.html(state.html);
+    this.editor.body.get(0).innerHTML = state.html;
     this.caretPosition(state.caret);
     this.editor.body.find('.selected').removeClass('selected');
     this.editor.sync();
@@ -2296,7 +2296,7 @@ Clipboard = (function(superClass) {
       return function() {
         var pasteContent;
         _this.editor.hidePopover();
-        _this.editor.body.html(state.html);
+        _this.editor.body.get(0).innerHTML = state.html;
         _this.editor.undoManager.caretPosition(state.caret);
         _this.editor.body.focus();
         _this.editor.selection.reset();
@@ -2569,7 +2569,7 @@ Simditor = (function(superClass) {
   Simditor.prototype.setValue = function(val) {
     this.hidePopover();
     this.textarea.val(val);
-    this.body.html(val);
+    this.body.get(0).innerHTML = val;
     this.formatter.format();
     this.formatter.decorate();
     this.util.reflow(this.body);
@@ -2683,8 +2683,8 @@ Simditor.i18n = {
     'linkText': '链接文字',
     'linkUrl': '链接地址',
     'linkTarget': '打开方式',
-    'openLinkInCurrentWindow': '在当前窗口中打开',
-    'openLinkInNewWindow': '在新窗口中打开',
+    'openLinkInCurrentWindow': '在新窗口中打开',
+    'openLinkInNewWindow': '在当前窗口中打开',
     'removeLink': '移除链接',
     'ol': '有序列表',
     'ul': '无序列表',

site/assets/scripts/simditor.js

@@ -1425,7 +1425,7 @@ UndoManager = (function(superClass) {
     this.editor.hidePopover();
     this._index -= 1;
     state = this._stack[this._index];
-    this.editor.body.html(state.html);
+    this.editor.body.get(0).innerHTML = state.html;
     this.caretPosition(state.caret);
     this.editor.body.find('.selected').removeClass('selected');
     this.editor.sync();
@@ -1440,7 +1440,7 @@ UndoManager = (function(superClass) {
     this.editor.hidePopover();
     this._index += 1;
     state = this._stack[this._index];
-    this.editor.body.html(state.html);
+    this.editor.body.get(0).innerHTML = state.html;
     this.caretPosition(state.caret);
     this.editor.body.find('.selected').removeClass('selected');
     this.editor.sync();
@@ -2291,7 +2291,7 @@ Clipboard = (function(superClass) {
       return function() {
         var pasteContent;
         _this.editor.hidePopover();
-        _this.editor.body.html(state.html);
+        _this.editor.body.get(0).innerHTML = state.html;
         _this.editor.undoManager.caretPosition(state.caret);
         _this.editor.body.focus();
         _this.editor.selection.reset();
@@ -2564,7 +2564,7 @@ Simditor = (function(superClass) {
   Simditor.prototype.setValue = function(val) {
     this.hidePopover();
     this.textarea.val(val);
-    this.body.html(val);
+    this.body.get(0).innerHTML = val;
     this.formatter.format();
     this.formatter.decorate();
     this.util.reflow(this.body);

site/demo.html

@@ -5,7 +5,7 @@
 ---
 
 <section id="page-demo">
-  <textarea id="txt-content" data-autosave="editor-content" autofocus></textarea>
+  <textarea id="txt-content" data-autosave="editor-content" autofocus>&lt;script&gt;console.log('txt2')&lt;/script&gt;</textarea>
   <div id="preview"></div>
 </section>
 

src/clipboard.coffee

@@ -77,7 +77,7 @@ class Clipboard extends SimpleModule
 
     setTimeout =>
       @editor.hidePopover()
-      @editor.body.html state.html
+      @editor.body.get(0).innerHTML = state.html
       @editor.undoManager.caretPosition state.caret
       @editor.body.focus()
       @editor.selection.reset()

src/core.coffee

@@ -122,7 +122,7 @@ class Simditor extends SimpleModule
   setValue: (val) ->
     @hidePopover()
     @textarea.val val
-    @body.html val
+    @body.get(0).innerHTML = val
 
     @formatter.format()
     @formatter.decorate()

src/undoManager.coffee

@@ -109,7 +109,7 @@ class UndoManager extends SimpleModule
     @_index -= 1
 
     state = @_stack[@_index]
-    @editor.body.html state.html
+    @editor.body.get(0).innerHTML = state.html
     @caretPosition state.caret
     @editor.body.find('.selected').removeClass('selected')
     @editor.sync()
@@ -124,7 +124,7 @@ class UndoManager extends SimpleModule
     @_index += 1
 
     state = @_stack[@_index]
-    @editor.body.html state.html
+    @editor.body.get(0).innerHTML = state.html
     @caretPosition state.caret
     @editor.body.find('.selected').removeClass('selected')
     @editor.sync()

styles/simditor.css

@@ -1,7 +1,7 @@
 /*!
 * Simditor v2.3.5
 * http://simditor.tower.im/
-* 2015-11-26
+* 2015-12-20
 */
 @font-face {
   font-family: 'Simditor';