fix: escape all html in templates
valeriansaliou committed Jun 27, 2022
1 parent 6d33ea2 commit 62c6b9a
Showing 2 changed files with 12 additions and 5 deletions.
3 changes: 2 additions & 1 deletion package.json
Expand Up @@ -55,7 +55,8 @@
},
"dependencies": {
"petite-vue": "0.4.x",
"nanoid": "4.0.x"
"nanoid": "4.0.x",
"escape-goat": "4.0.x"
},
"devDependencies": {
"@babel/eslint-parser": "7.18.x",
14 changes: 10 additions & 4 deletions src/messaging/components/message/message.js
Expand Up @@ -5,6 +5,10 @@
* License: Mozilla Public License v2.0 (MPL v2.0)
*/

// IMPORTS

import { htmlEscape as _e } from "escape-goat";

// CONSTANTS

const INVALID_FALLBACK = "(?)";
Expand Down Expand Up @@ -53,7 +57,7 @@ function Message(message) {
case "text": {
// Text line
type = content.type;
html = content.text.replace(LINE_BREAK_REGEX, "<br>");
html = _e(content.text).replace(LINE_BREAK_REGEX, "<br>");

break;
}
Expand All @@ -67,15 +71,17 @@ function Message(message) {

html = `
<span class="message-file">
<span class="message-file-expander">${content.file.name}</span>
<span class="message-file-expander">
${_e(content.file.name)}
</span>
<a
class="message-file-image"
href="${content.file.url}"
href="${_e(content.file.url)}"
target="_blank"
>
<img
src="${content.file.url}"
src="${_e(content.file.url)}"
width="${imageSize.width || ""}"
height="${imageSize.height || ""}"
alt=""
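Review bot: Escaping `content.file.url` at `href="${_e(content.file.url)}"` keeps the value from breaking out of the attribute, but it does not prevent a non-web scheme (e.g. `javascript:`) from being used as the link target, so the `<a>` still needs a scheme check before interpolation; the `src="${_e(content.file.url)}"` line has the same shape and should use the same vetted value. `Message` starts before this hunk and continues past it. I would validate the URL once ahead of the template, keeping only http/https and resolving relative paths against the page (this assumes the component runs in the browser — worth confirming), and feed that vetted value to both attributes. While there, `rel="noopener noreferrer"` next to the existing `target="_blank"` is cheap insurance, and the escape-then-`<br>` ordering in the `case "text"` hunk is correct but deserves the comment `// Escape before inserting <br> so user text cannot carry markup`.
```javascript
// Escaping only protects the attribute quoting; the URL scheme must be vetted
// separately, otherwise a non-web scheme can still become the link target.
// Assumes browser context (document.baseURI) — confirm for this component.
let fileUrl = "";
try {
  const parsed = new URL(content.file.url, document.baseURI);
  if (parsed.protocol === "http:" || parsed.protocol === "https:") {
    fileUrl = content.file.url;
  }
} catch {
  // Unparseable URL: render an empty target rather than the raw value.
}
// … unchanged: html template, now using href="${_e(fileUrl)}" and src="${_e(fileUrl)}" …
```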