Correctly escape within tribute.js (#20831)

When writing html in tribute.js ensure that strings are properly escaped. Signed-off-by: Andrew Thornton <art27@cantab.net> Signed-off-by: Andrew Thornton <art27@cantab.net>
2025-10-31 21:28:11 +09:00 · 2022-08-17 20:43:53 +01:00
parent c138e76c1c
commit 87ca739a3f
1 changed files with 5 additions and 4 deletions
--- a/web_src/js/features/tribute.js
+++ b/web_src/js/features/tribute.js
@@ -1,5 +1,6 @@
 import {emojiKeys, emojiHTML, emojiString} from './emoji.js';
 import {uniq} from '../utils.js';
 import {htmlEscape} from 'escape-goat';
 function makeCollections({mentions, emoji}) {
  const collections = [];
@@ -24,7 +25,7 @@ function makeCollections({mentions, emoji}) {
        return emojiString(item.original);
      },
      menuItemTemplate: (item) => {
-        return `<div class="tribute-item">${emojiHTML(item.original)}<span>${item.original}</span></div>`;
+        return `<div class="tribute-item">${emojiHTML(item.original)}<span>${htmlEscape(item.original)}</span></div>`;
      }
    });
  }
@@ -36,9 +37,9 @@ function makeCollections({mentions, emoji}) {
      menuItemTemplate: (item) => {
        return `
          <div class="tribute-item">
-            <img src="${item.original.avatar}"/>
+            <img src="${htmlEscape(item.original.avatar)}"/>
-            <span class="name">${item.original.name}</span>
+            <span class="name">${htmlEscape(item.original.name)}</span>
-            ${item.original.fullname && item.original.fullname !== '' ? `<span class="fullname">${item.original.fullname}</span>` : ''}
+            ${item.original.fullname && item.original.fullname !== '' ? `<span class="fullname">${htmlEscape(item.original.fullname)}</span>` : ''}
          </div>
        `;
      }