gritter: Treat strings as text, not HTML

This forces callers to pass jQuery or DOM objects if they want
formatting, which helps avoid XSS vulnerabilities.
This commit is contained in:
Richard Hansen 2020-10-19 20:48:53 -04:00 committed by John McLear
parent 8463134125
commit a712ce457d
2 changed files with 9 additions and 4 deletions


@ -193,7 +193,10 @@ var chat = (function()
if(!chatOpen && ctx.duration > 0) {
$.gritter.add({
text: '<span class="author-name">' + ctx.authorName + '</span>' + ctx.text,
// Note: ctx.authorName and ctx.text are already HTML-escaped.
text: $('<p>')
.append($('<span>').addClass('author-name').html(ctx.authorName))
.append(ctx.text),
sticky: ctx.sticky,
time: 5000,
position: 'bottom',