git ssb - Escape content from messages put into innerHTML

cel committed on 8/31/2018, 8:24:09 PM
Parent: 2e582bd1dc0e9a6709bc4eab94124e250aa64945

changed

render.jsView
		@@ -125,9 +125,9 @@
125	125	);
126	126	}
127	127
128	128	var figCaption = h('figcaption');
129		- figCaption.innerHTML = 'Feed of ' + about.name + '<br>' + marked(String(about.description \|\| ''), opts.marked);
	129	+ figCaption.innerHTML = 'Feed of ' + escape(about.name) + '<br>' + marked(String(about.description \|\| ''), opts.marked);
130	130	return pull(
131	131	pull.map(renderMsg.bind(this, opts, '')),
132	132	wrap(toolTipTop() + '<main>' +
133	133	h('article',
		@@ -491,12 +491,12 @@
491	491	}
492	492	else if (c.type == "git-update") {
493	493	var s = h('span.status');
494	494	s.innerHTML = "Did a git update " +
495		- (c.repoName != undefined ? " in repo " + c.repoName : "") +
	495	+ (c.repoName != undefined ? " in repo " + escape(c.repoName) : "") +
496	496	'<br>' +
497	497	(c.commits != undefined ?
498		- c.commits.map(com => { return "-" +com.title; }).join('<br>') : "");
	498	+ c.commits.map(com => { return "-" +escape(com.title); }).join('<br>') : "");
499	499	return s;
500	500	}
501	501	else if (c.type == "ssb-dns") {
502	502	return [h('span.status', 'Updated DNS'), renderDefault(c)];

Daan Patchwork / ssb-viewer