From c67de46d6cee08f10d65984746fe5a153f02bd27 Mon Sep 17 00:00:00 2001
From: Pseudochu
Date: Fri, 13 Jun 2014 20:08:20 +0300
Subject: [PATCH] Patching XSS vulnerability The following message produces a clickable link that triggers JavaScript when clicked (pre-patch): javascript://www.google.com/?%0Aalert(0); Patch was designed to prevent this while maintaining support for arbitrary link protocols.
---
 client/src/views/channel.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/client/src/views/channel.js b/client/src/views/channel.js
index 3819ddf..5c83320 100644
--- a/client/src/views/channel.js
+++ b/client/src/views/channel.js
@@ -88,6 +88,10 @@ _kiwi.view.Channel = _kiwi.view.Panel.extend({
 var nice = url,
 extra_html = '';
 
+ if (url.match(/^javascript:/)) {
+ return url;
+ }
+
 // Add the http if no protoocol was found
 if (url.match(/^www\./)) {
 url = 'http://' + url;
-- 
2.25.1
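Review bot: The added guard `url.match(/^javascript:/)` is case-sensitive, but URL schemes are matched case-insensitively by browsers, so a differently-cased spelling of the scheme would skip this check and still be turned into a link. At minimum the test should be `if (/^javascript:/i.test(url)) {`. A single-scheme denylist is also brittle: other script-capable schemes such as `data:` and `vbscript:` are not covered, so if arbitrary protocols must stay linkable, consider `if (/^(?:javascript|data|vbscript):/i.test(url)) {` with a comment explaining why these are excluded. The enclosing function begins and ends outside the hunk, so it is not visible whether `url` is HTML-escaped before the early `return url;` hands it back; that should be confirmed, since this path bypasses whatever the link-building code below does.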