escape userId before setting it as HTML attribute

webzwo0i 2021-04-06 12:52:04 +02:00 committed by Richard Hansen
parent 9408d4395f
commit a796811558
1 changed files with 1 additions and 0 deletions


@ -129,6 +129,7 @@ exports.chat = (() => {
'Replacing with "unknown". This may be a bug or a database corruption.');
}
msg.userId = padutils.escapeHtml(msg.userId);
const authorClass = `author-${msg.userId.replace(/[^a-y0-9]/g, (c) => {
if (c === '.') return '-';
return `z${c.charCodeAt(0)}z`;
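Review bot: Overwriting `msg.userId` with its escaped form changes the value for every later consumer of the message, not only the HTML attribute the commit title refers to. The `authorClass` on the following line is now computed from the escaped string, so for an id containing `&`, `<`, `>` or a quote the resulting class would presumably no longer match one derived from the raw id elsewhere, and any later code that escapes the id again would double-encode it. I would keep the raw value and escape into a local, `const userIdAttr = padutils.escapeHtml(msg.userId);`, using it only where the attribute is written (that sink is outside this hunk). It is also worth confirming that `escapeHtml` encodes both quote characters, since a quoted attribute value depends on that. The enclosing function begins and ends outside the hunk, so the attribute write itself could not be checked here.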