0
0
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2024-11-25 13:52:50 +01:00

Correctly escape within tribute.js (#20831)

When writing html in tribute.js ensure that strings are properly escaped.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath 2022-08-17 20:43:53 +01:00 committed by GitHub
parent c138e76c1c
commit 87ca739a3f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -1,5 +1,6 @@
import {emojiKeys, emojiHTML, emojiString} from './emoji.js';
import {uniq} from '../utils.js';
import {htmlEscape} from 'escape-goat';
function makeCollections({mentions, emoji}) {
const collections = [];
@ -24,7 +25,7 @@ function makeCollections({mentions, emoji}) {
return emojiString(item.original);
},
menuItemTemplate: (item) => {
return `<div class="tribute-item">${emojiHTML(item.original)}<span>${item.original}</span></div>`;
return `<div class="tribute-item">${emojiHTML(item.original)}<span>${htmlEscape(item.original)}</span></div>`;
}
});
}
@ -36,9 +37,9 @@ function makeCollections({mentions, emoji}) {
menuItemTemplate: (item) => {
return `
<div class="tribute-item">
<img src="${item.original.avatar}"/>
<span class="name">${item.original.name}</span>
${item.original.fullname && item.original.fullname !== '' ? `<span class="fullname">${item.original.fullname}</span>` : ''}
<img src="${htmlEscape(item.original.avatar)}"/>
<span class="name">${htmlEscape(item.original.name)}</span>
${item.original.fullname && item.original.fullname !== '' ? `<span class="fullname">${htmlEscape(item.original.fullname)}</span>` : ''}
</div>
`;
}