paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-04 14:03:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

copy_and_paste: Fix CSS selector injection bug.

Browse Source 
Signed-off-by: Anders Kaseorg <anders@zulip.com>
This commit is contained in:
Anders Kaseorg
2024-05-14 12:17:39 -07:00
committed by Tim Abbott
parent 6914d3151d
commit 2e776bf8dc
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
web/src/copy_and_paste.js
View File

@@ -425,7 +425,9 @@ export function paste_handler_converter(paste_html) {
const copied_html = new DOMParser().parseFromString(paste_html, "text/html");
if (
!copied_html
.querySelector("a[href='" + node.firstChild.getAttribute("href") + "']")
.querySelector(
"a[href='" + CSS.escape(node.firstChild.getAttribute("href")) + "']",
)
?.parentNode?.classList.contains("message_inline_image")
) {
// We skip previews which have their generating link copied too, to avoid