Merge pull request #2 from zhsj/fix-xss

inacho · inacho · commit 53592acaa767 · 2015-05-10T12:59:16.000+02:00
Escape HTML
diff --git a/src/bootstrap-markdown-editor.js b/src/bootstrap-markdown-editor.js
@@ -369,7 +369,7 @@
             html += '</div>'; // .btn-toolbar
         html += '</div>'; // .md-toolbar
 
-        html += '<div class="md-editor">' + $.trim(content) + '</div>';
+        html += '<div class="md-editor">' + $('<div>').text($.trim(content)).html() + '</div>';
         html += '<div class="md-preview" style="display:none"></div>';
 
         return html;
