- Fixes injection exploit caused by link feature.
  - Example: saying the following to a user of AjaxLife:
    See <a href="http:/&#47;en.wikipedia.org/wiki/Second_Life" onclick="AjaxLife.Network.Send('SendAgentMoney',{Target: 'fa42243d-b76e-49f8-880c-ddc7b5479f78', Amount: 500);" target="_blank">http:/&#47;en.wikipedia.org/wiki/Second_Life</a> for an example.
katharine.berry committed May 18, 2008
1 parent 7f54452 commit 9fb53b6
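The commit message above gives the payload but not why the one-line change stops it. The example below is added here and is not AjaxLife's code: `escapeHTML` is a stand-in modelled on Prototype's `String#escapeHTML` (assumed to be what the patched lines call; it encodes only `&`, `<` and `>`), `linkURLs` is a hypothetical stand-in for `AjaxLife.Utils.LinkURLs` whose real pattern is not on this page, and the three sample messages are constructed (the first reuses the commit-message payload with the `&#47;` entity restored to a plain `/`). It renders a chat line both the old way (linkify raw text) and the patched way (escape, then linkify) and scans the result for live anchor tags.

```javascript
// Added example, not AjaxLife's code: why the escaping in this commit has to
// run BEFORE the linkifier, using stand-ins for the two functions the diff
// touches.

// Stand-in for Prototype's String#escapeHTML (assumed to be what the patched
// lines call). Note it encodes only &, < and >, not quotes.
function escapeHTML(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hypothetical stand-in for AjaxLife.Utils.LinkURLs. It wraps bare http(s)
// URLs in anchors; like many linkifiers it only matches a URL that starts a
// token (start of string or after whitespace) and stops at whitespace, angle
// brackets and quotes, so the href it builds can never be broken out of.
const URL_RE = /(^|\s)(https?:\/\/[^\s<>"']+)/g;
function linkURLs(text) {
  return text.replace(URL_RE, (m, lead, url) =>
    lead + '<a href="' + url + '" target="_blank">' + url + "</a>");
}

// The two orderings: what the removed lines did and what the added lines do.
function renderVulnerable(text) { return linkURLs(text); }             // old
function renderFixed(text)      { return linkURLs(escapeHTML(text)); } // new

// Crude tag scanner (not an HTML parser): returns the attribute string of
// every <a ...> tag that would be live if this markup went into innerHTML.
function anchorAttrs(html) {
  const out = [];
  const re = /<a\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function hasOnclick(html) {
  return anchorAttrs(html).some(a => /\bonclick\s*=/i.test(a));
}

// Constructed sample messages. PAYLOAD is the commit-message payload with the
// "&#47;" entity restored to "/" (the entity only stops GitHub auto-linking).
const PAYLOAD = 'See <a href="http://en.wikipedia.org/wiki/Second_Life" ' +
  'onclick="AjaxLife.Network.Send(\'SendAgentMoney\',' +
  '{Target: \'fa42243d-b76e-49f8-880c-ddc7b5479f78\', Amount: 500});" ' +
  'target="_blank">http://en.wikipedia.org/wiki/Second_Life</a> for an example.';
const PLAIN = "See http://en.wikipedia.org/wiki/Second_Life for an example.";
const AMP = "try http://example.com/?a=1&b=2 now";

// Run stand-alone with: node thisfile.js
if (typeof require !== "undefined" && require.main === module) {
  console.log(hasOnclick(renderVulnerable(PAYLOAD))); // true: attacker's onclick is live
  console.log(hasOnclick(renderFixed(PAYLOAD)));      // false: tag arrives as text
  console.log(renderFixed(PLAIN));                    // bare URL still becomes a link
  console.log(renderFixed(AMP));                      // & in a URL is fine as &amp; in href
}
```

The `AMP` case is the one practitioners usually worry about when escaping moves in front of the linkifier: the `&` in the query string becomes `&amp;` inside the href, which is the correct encoding for an attribute value, so existing links are not broken. What this stand-in does not show is the quote caveat: because Prototype-style `escapeHTML` leaves `"` alone, a linkifier whose URL pattern admits quotes could still be coaxed into writing attacker text into the href attribute.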
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion client/AjaxLife.InstantMessage.js
@@ -284,7 +284,7 @@ AjaxLife.InstantMessage = function() {
{
if(chats[session] && chats[session].content)
{
text = AjaxLife.Utils.LinkURLs(text);
text = AjaxLife.Utils.LinkURLs(text.escapeHTML());
var line = Ext.get(document.createElement('div'));
line.addClass(["agentmessage","chatline"]);
var timestamp = Ext.get(document.createElement('span'));
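Review bot: escaping before linkifying is the right order, but the added `text = AjaxLife.Utils.LinkURLs(text.escapeHTML());` inherits whatever escapeHTML() does with quotes. If this is Prototype's String#escapeHTML, it encodes only `&`, `<` and `>`, so a `"` or `'` in the message survives into the text that LinkURLs scans; since LinkURLs interpolates the matched URL into an href attribute, confirm that its URL pattern stops at quotes, or attribute-encode the href it builds, so a message ending in `http://host/"` cannot close the attribute and append its own. A short comment on the added line recording that `text` is now HTML and must not be escaped again downstream would also help the next reader.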
2 changes: 1 addition & 1 deletion client/AjaxLife.SpatialChat.js
@@ -86,7 +86,7 @@ AjaxLife.SpatialChat = function() {
// and a timestamp is calculated in the user's timezone (assuming their computer clock is accurate)
function add(text, sourcetype)
{
text = AjaxLife.Utils.LinkURLs(text);
text = AjaxLife.Utils.LinkURLs(text.escapeHTML());
// Make a div to put this in.
var line = Ext.get(document.createElement('div'));
line.addClass("chatline");
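Review bot: this is the second caller patched with the identical `text.escapeHTML()` call, so the fix lives at each call site rather than in the one place every chat line passes through; moving the escape into AjaxLife.Utils.LinkURLs (so it returns safe markup for raw input) would cover any other caller of LinkURLs this commit does not touch, and any future one. Also, `text.escapeHTML()` throws a TypeError if add(text, sourcetype) is ever called with a non-string, so a `String(text)` coercion or an early return at the top of add() would keep the spatial-chat panel from failing on an odd message. The comment above the function describes the timestamp handling but not that `text` is HTML-escaped here; extend it so the invariant is recorded where the next editor will look.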