From bed14c9c1b93f3ae4a3c309e0c795dff39ac8e0d Mon Sep 17 00:00:00 2001
From: Darren
Date: Thu, 10 Apr 2014 13:12:09 +0100
Subject: [PATCH] XSS fix in channel linking (courtesy of dispols)
---
 client/src/views/channel.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/src/views/channel.js b/client/src/views/channel.js
index db2122f..24f9397 100644
--- a/client/src/views/channel.js
+++ b/client/src/views/channel.js
@@ -74,7 +74,7 @@ _kiwi.view.Channel = _kiwi.view.Panel.extend({
 if ((network = this.model.get('network'))) {
 re = new RegExp('(?:^|\\s)([' + escapeRegex(network.get('channel_prefix')) + '][^ ,\\007]+)', 'g');
 msg.msg = msg.msg.replace(re, function (match) {
- return '' + match + '';
+ return '' + _.escape(match.trim()) + '';
 });
 }
--
2.25.1
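Review bot: Every place `match` lands in the generated markup, attribute value or link text, needs the same `_.escape(...)`, and this page does not show whether that holds: the string literals on both `return` lines appear empty, most likely because the markup was stripped in rendering. The character class `[^ ,\\007]+` accepts quotes and angle brackets, so the channel text has to be treated as untrusted at each interpolation. Separately, `match` includes the whitespace consumed by `(?:^|\\s)` and `match.trim()` discards it, so unless a literal re-adds it the space before a mid-message channel name is lost; taking the capture group (`function (match, chan)`) would keep the prefix and the name apart. A comment such as `// channel text comes from remote users: escape before building markup` would record why the call is there. The enclosing method starts and ends outside the hunk, so whether `msg.msg` is already HTML-escaped earlier (which would make this a double encoding) cannot be checked from here.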