projects / KiwiIRC.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d073421)
XSS fix in channel linking (courtesy of dispols)
authorDarren <darren@darrenwhitlen.com>
Thu, 10 Apr 2014 12:12:09 +0000 (13:12 +0100)
committerDarren <darren@darrenwhitlen.com>
Thu, 10 Apr 2014 12:12:09 +0000 (13:12 +0100)
client/src/views/channel.js patch | blob | blame | history

diff --git a/client/src/views/channel.js b/client/src/views/channel.js
index db2122f7882886f76c4eb36841bb431d4018623e..24f9397508ec1968d9cc71b5e4d1665606b98d8f 100644 (file)
--- a/client/src/views/channel.js
+++ b/client/src/views/channel.js
@@ -74,7 +74,7 @@ _kiwi.view.Channel = _kiwi.view.Panel.extend({
         if ((network = this.model.get('network'))) {
             re = new RegExp('(?:^|\\s)([' + escapeRegex(network.get('channel_prefix')) + '][^ ,\\007]+)', 'g');
             msg.msg = msg.msg.replace(re, function (match) {
-                return '<a class="chan" data-channel="' + match.trim() + '">' + match + '</a>';
+                return '<a class="chan" data-channel="' + _.escape(match.trim()) + '">' + _.escape(match.trim()) + '</a>';
             });
         }