From 746416207bd15f7883af18e359b84f0c4444a12a Mon Sep 17 00:00:00 2001 From: rinpatch Date: Thu, 30 Jan 2020 19:55:01 +0300 Subject: [PATCH] Escape HTML from display name and subject fields Closes #724 --- package.json | 1 + src/services/entity_normalizer/entity_normalizer.service.js | 6 ++++-- yarn.lock | 3 ++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index 9ec8c1eb..5c7fa31e 100644 --- a/package.json +++ b/package.json @@ -21,6 +21,7 @@ "chromatism": "^3.0.0", "cropperjs": "^1.4.3", "diff": "^3.0.1", + "escape-html": "^1.0.3", "karma-mocha-reporter": "^2.2.1", "localforage": "^1.5.0", "object-path": "^0.11.3", diff --git a/src/services/entity_normalizer/entity_normalizer.service.js b/src/services/entity_normalizer/entity_normalizer.service.js index a3d0b782..3116d211 100644 --- a/src/services/entity_normalizer/entity_normalizer.service.js +++ b/src/services/entity_normalizer/entity_normalizer.service.js @@ -1,3 +1,5 @@ +import escape from 'escape-html' + const qvitterStatusType = (status) => { if (status.is_post_verb) { return 'status' @@ -41,7 +43,7 @@ export const parseUser = (data) => { } output.name = data.display_name - output.name_html = addEmojis(data.display_name, data.emojis) + output.name_html = addEmojis(escape(data.display_name), data.emojis) output.description = data.note output.description_html = addEmojis(data.note, data.emojis) @@ -256,7 +258,7 @@ export const parseStatus = (data) => { output.retweeted_status = parseStatus(data.reblog) } - output.summary_html = addEmojis(data.spoiler_text, data.emojis) + output.summary_html = addEmojis(escape(data.spoiler_text), data.emojis) output.external_url = data.url output.poll = data.poll output.pinned = data.pinned diff --git a/yarn.lock b/yarn.lock index 1a5d4cef..b794042f 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2757,9 +2757,10 @@ es6-promisify@^5.0.0: dependencies: es6-promise "^4.0.3" -escape-html@~1.0.3: +escape-html@^1.0.3, escape-html@~1.0.3: version "1.0.3" resolved "https://registry.yarnpkg.com/escape-html/-/escape-html-1.0.3.tgz#0258eae4d3d0c0974de1c169188ef0051d1d1988" + integrity sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg= escape-string-regexp@1.0.5, escape-string-regexp@^1.0.2, escape-string-regexp@^1.0.5: version "1.0.5"