
sanitize app title with xss library

Yuki Takei 7 лет назад
Родитель
Сommit
ebf9199625
4 измененных файлов с 17 добавлено и 9 удалено
  1. 5 2
      lib/crowi/index.js
  2. 4 1
      lib/models/config.js
  3. 2 2
      lib/util/swigFunctions.js
  4. 6 4
      lib/util/xss.js

+ 5 - 2
lib/crowi/index.js

@@ -1,7 +1,7 @@
 'use strict';
 
 
-var debug = require('debug')('growi:crowi')
+const debug = require('debug')('growi:crowi')
   , logger = require('@alias/logger')('growi:crowi')
   , pkg = require('@root/package.json')
   , path = require('path')
@@ -10,10 +10,12 @@ var debug = require('debug')('growi:crowi')
   , mongoose    = require('mongoose')
 
   , models = require('../models')
+
+  , Xss = require('../util/xss')
   ;
 
 function Crowi(rootdir, env) {
-  var self = this;
+  const self = this;
 
   this.version = pkg.version;
   this.runtimeVersions = undefined;   // initialized by scanRuntimeVersions()
@@ -35,6 +37,7 @@ function Crowi(rootdir, env) {
   this.mailer = {};
   this.interceptorManager = {};
   this.passportService = null;
+  this.xss = new Xss();
 
   this.tokens = null;
 

+ 4 - 1
lib/models/config.js

@@ -461,9 +461,12 @@ module.exports = function(crowi) {
       customTitle = '{{page}} - {{sitename}}';
     }
 
-    return customTitle
+    // replace
+    customTitle = customTitle
       .replace('{{sitename}}', this.appTitle(config))
       .replace('{{page}}', page);
+
+    return crowi.xss.process(customTitle);
   };
 
   configSchema.statics.behaviorType = function(config) {
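Review bot: Both `.replace()` calls on the new `customTitle` lines use a string replacement, so `$&`, `$'` or `$1` inside the configured site name or the page name is interpreted as a replacement pattern rather than inserted literally; a function replacer avoids that: `.replace('{{sitename}}', () => this.appTitle(config))` and `.replace('{{page}}', () => page)`. Sanitizing after the substitution is the right order, since the result then covers the template, the site name and the page name together, but the added `// replace` comment does not say so; suggest `// expand placeholders first so the sitename, page name and template are sanitized together`. The enclosing function starts outside the hunk.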

+ 2 - 2
lib/util/swigFunctions.js

@@ -45,8 +45,8 @@ module.exports = function(crowi, app, req, locals) {
    * return app title
    */
   locals.appTitle = function() {
-    var config = crowi.getConfig();
-    return Config.appTitle(config);
+    const config = crowi.getConfig();
+    return crowi.xss.process(Config.appTitle(config));
   };
 
   /**
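Review bot: `crowi.xss.process(Config.appTitle(config))` returns the output of the filter, which may already contain HTML entities for characters it escapes; if the swig template that calls `appTitle()` renders it with autoescape on, such characters would be encoded twice, and if it renders with `|safe` the filter is the only protection. I cannot see the template here, so please confirm which applies and record it in the docblock above the function, e.g. `* return app title, passed through crowi.xss (output is HTML-safe text)`. The `const` change is fine.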

+ 6 - 4
lib/util/xss.js

@@ -3,8 +3,10 @@ class Xss {
   constructor(xssOption) {
     const xss = require('xss');
 
-    const tagWhiteList = xssOption.tagWhiteList;
-    const attrWhiteList = xssOption.attrWhiteList;
+    xssOption = xssOption || {};
+
+    const tagWhiteList = xssOption.tagWhiteList || [];
+    const attrWhiteList = xssOption.attrWhiteList || [];
 
     let whiteListContent = {};
 
@@ -25,8 +27,8 @@ class Xss {
     this.myxss = new xss.FilterXSS(option);
   }
 
-  process(markdown) {
-    return this.myxss.process(markdown);
+  process(document) {
+    return this.myxss.process(document);
   }
 
 }
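Review bot: The new `xssOption = xssOption || {};` reassigns a parameter and the two `|| []` lines repeat the fallback; a default parameter with destructuring says the same in one line: `constructor({ tagWhiteList = [], attrWhiteList = [] } = {}) {`, after which the three added lines go away (note that `null` passed explicitly would then throw instead of being treated as `{}`, which the `||` form tolerates). The renamed `process(document)` still has no doc comment; suggest `/** Run the configured FilterXSS over a string and return the filtered string. */`. The constructor body between the two hunks is outside this view, so whether an empty whitelist is handed to `FilterXSS` as-is or replaced by the library's defaults is not visible here and is worth stating in a comment next to the new defaults.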