From: Darren
Date: Thu, 10 Apr 2014 12:12:09 +0000 (+0100)
Subject: XSS fix in channel linking (courtesy of dispols)
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=bed14c9c1b93f3ae4a3c309e0c795dff39ac8e0d;p=KiwiIRC.git
XSS fix in channel linking (courtesy of dispols)
---
diff --git a/client/src/views/channel.js b/client/src/views/channel.js
index db2122f..24f9397 100644
--- a/client/src/views/channel.js
+++ b/client/src/views/channel.js
@@ -74,7 +74,7 @@ _kiwi.view.Channel = _kiwi.view.Panel.extend({
 if ((network = this.model.get('network'))) {
 re = new RegExp('(?:^|\\s)([' + escapeRegex(network.get('channel_prefix')) + '][^ ,\\007]+)', 'g');
 msg.msg = msg.msg.replace(re, function (match) {
- return '' + match + '';
+ return '' + _.escape(match.trim()) + '';
 });
 }
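Review bot: In the `replace` callback the new return value is built from `match.trim()`, but `match` is the whole match and, per `(?:^|\\s)` in the pattern, can begin with the whitespace that separated the channel name from the preceding word, so that separator is now dropped from the rendered message. Taking the capture group as a second parameter, `function (match, chan)`, lets the callback emit `match.slice(0, match.length - chan.length)` ahead of the link and pass only `_.escape(chan)` into the markup. The escaping is needed because the class `[^ ,\\007]+` accepts quotes and angle brackets from raw message text; a short comment such as `// match is untrusted IRC text: escape it wherever it enters markup` would help keep a later edit from reintroducing the raw value. The string literals around the value appear empty on this page, so whether every insertion point is escaped cannot be confirmed from here, and the enclosing function starts outside the hunk.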