Escape incoming messages before any processes to avoid any malicious …

…hijinks
kandanapp · Apr 12, 2012 · df9783e · df9783e
1 parent 75990f8
commit df9783e
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/app/assets/javascripts/backbone/views/show_activity.js.coffee b/app/assets/javascripts/backbone/views/show_activity.js.coffee
@@ -7,6 +7,7 @@ class Kandan.Views.ShowActivity extends Backbone.View
     activity = @options.activity.toJSON()
     activity.created_at = Kandan.Helpers.Utils.time_to_string(new Date(activity.created_at))
     console.log("Rendering activity:")
+    activity.content = _.escape(activity.content)
     console.log(activity)
     if activity.action != "message"
       @compiled_template = JST['user_notification']({activity: activity})