fixed XSS - escape user display names

mackuba · Oct 11, 2023 · aa2bf46 · aa2bf46
1 parent 6c67eef
commit aa2bf46
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/post_component.js b/post_component.js
@@ -146,7 +146,7 @@ class PostComponent {
 
     let h = document.createElement('h2');
 
-    h.innerHTML = `${this.authorName} ` +
+    h.innerHTML = `${escapeHTML(this.authorName)} ` +
       `<a class="handle" href="${this.linkToAuthor}" target="_blank">@${this.post.author.handle}</a> ` +
       `<span class="separator">&bull;</span> ` +
       `<a class="time" href="${this.linkToPost}" target="_blank" title="${isoTime}">${formattedTime}</a> `;

diff --git a/utils.js b/utils.js
@@ -20,6 +20,12 @@ class AtURI {
   }
 }
 
+function escapeHTML(html) {
+  return html.replace(/&/g, '&amp;')
+             .replace(/</g, '&lt;')
+             .replace(/>/g,'&gt;');
+}
+
 function getLocation() {
   return location.origin + location.pathname;
 }