escape userId before setting it as HTML attribute

webzwo0i 2021-04-06 12:52:04 +02:00 committed by Richard Hansen
parent 9408d4395f
commit a796811558


@ -129,6 +129,7 @@ exports.chat = (() => {
'Replacing with "unknown". This may be a bug or a database corruption.'); 'Replacing with "unknown". This may be a bug or a database corruption.');
} }
msg.userId = padutils.escapeHtml(msg.userId);
const authorClass = `author-${msg.userId.replace(/[^a-y0-9]/g, (c) => { const authorClass = `author-${msg.userId.replace(/[^a-y0-9]/g, (c) => {
if (c === '.') return '-'; if (c === '.') return '-';
return `z${c.charCodeAt(0)}z`; return `z${c.charCodeAt(0)}z`;