From a7968115581e20ef47a533e030f59f830486bdfa Mon Sep 17 00:00:00 2001
From: webzwo0i
Date: Tue, 6 Apr 2021 12:52:04 +0200
Subject: [PATCH] escape userId before setting it as HTML attribute
---
 src/static/js/chat.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/static/js/chat.js b/src/static/js/chat.js
index a3c475616..00811ff44 100755
--- a/src/static/js/chat.js
+++ b/src/static/js/chat.js
@@ -129,6 +129,7 @@ exports.chat = (() => {
 'Replacing with "unknown". This may be a bug or a database corruption.');
 }
 
+ msg.userId = padutils.escapeHtml(msg.userId);
 const authorClass = `author-${msg.userId.replace(/[^a-y0-9]/g, (c) => {
 if (c === '.') return '-';
 return `z${c.charCodeAt(0)}z`;
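Review bot: The added assignment overwrites `msg.userId` in place, so the `authorClass` computation on the next line and any later consumer of `msg` see the HTML-encoded string instead of the id the server sent. For an id containing `&`, `<` or quotes the class name would then be derived from the entity text and may no longer match classes built from the raw id elsewhere, and a later sink that escapes again would double-encode. Escaping at the sink keeps the two uses separate: `const escapedUserId = padutils.escapeHtml(msg.userId);` used only where the attribute is written, with `authorClass` still built from the raw value, which the `[^a-y0-9]` replacement already reduces to a safe alphabet. The attribute write itself is outside this hunk, so it is worth confirming there that `escapeHtml` encodes both quote characters and that the attribute value is quoted.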