security: Use proper method to escape html.

Now using the `escape-html` module so that we can decode
the realm description properly and escape the HTML at the
same time. The encodeURIComponent function doesn't
provide this kind of flexibility. We need to decode the
realm description properly since we show it in both the
tooltip and the settings page.
Akash Nimare
2018-05-21 03:11:03 +05:30
parent 14c59bdae1
commit dbe89cdd09
4 changed files with 88 additions and 29 deletions


@@ -5,6 +5,8 @@ const fs = require('fs');
const path = require('path');
const JsonDB = require('node-json-db');
const request = require('request');
const escape = require('escape-html');
const Logger = require('./logger-util');
const logger = new Logger({
@@ -188,7 +190,7 @@ class DomainUtil {
// Following check handles both the cases
icon: data.realm_icon.startsWith('/') ? data.realm_uri + data.realm_icon : data.realm_icon,
url: data.realm_uri,
alias: encodeURIComponent(data.realm_name)
alias: escape(data.realm_name)
});
}
} else {
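Review bot: `escape(data.realm_name)` on the new side stores an HTML-escaped string in the realm record, so the alias is only correct in an HTML text or attribute context; a consumer that assigns it via `textContent`, or uses it in a URL or a file name, will now see literal `&amp;`/`&#39;` sequences, and records already written with `encodeURIComponent` are not migrated, so both encodings can coexist in the database. A more robust layout is to keep the raw `realm_name` in the record and escape at each render site, or at least document the stored encoding on the field, e.g. `alias: escape(data.realm_name) // HTML-escaped; only safe for innerHTML-style insertion`. `realm_name` appears to come from a network response and should be treated as untrusted whichever encoding is chosen. The enclosing method starts before the hunk and continues after it.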