public-offering
/
pad.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chat: Ensure that `ctx.text` is interpreted as HTML

pull/5002/head
Richard Hansen 2021-04-08 23:39:44 -04:00 committed by webzwo0i
parent a3a0ff7bc1
commit d01b593d3c
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/static/js/chat.js
View File

@ -194,7 +194,7 @@ exports.chat = (() => {
.append($('<span>').addClass('author-name').text(ctx.authorName)) .append($('<span>').addClass('author-name').text(ctx.authorName))
// ctx.text was HTML-escaped before calling the hook. Hook functions are trusted // ctx.text was HTML-escaped before calling the hook. Hook functions are trusted
// to not introduce an XSS vulnerability by adding unescaped user input. // to not introduce an XSS vulnerability by adding unescaped user input.
.append(ctx.text), .append($('<div>').html(ctx.text).contents()),
sticky: ctx.sticky, sticky: ctx.sticky,
time: 5000, time: 5000,
position: 'bottom', position: 'bottom',