escape userId before setting it as HTML attribute

2025-04-22 16:36:15 -04:00 · 2021-04-06 12:52:04 +02:00 · 2021-04-06 12:52:04 +02:00 · a796811558
commit a796811558
parent 9408d4395f
1 changed files with 1 additions and 0 deletions
--- a/src/static/js/chat.js
+++ b/src/static/js/chat.js
@ -129,6 +129,7 @@ exports.chat = (() => {
            'Replacing with "unknown". This may be a bug or a database corruption.');
      }

+      msg.userId = padutils.escapeHtml(msg.userId);
      const authorClass = `author-${msg.userId.replace(/[^a-y0-9]/g, (c) => {
        if (c === '.') return '-';
        return `z${c.charCodeAt(0)}z`;