compose: HTML-escape errors from server for compose_error.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2025-11-01 04:23:46 +00:00 · 2021-04-09 17:26:13 -07:00
parent 4a3ad0da06
commit c4b60acf9c
2 changed files with 4 additions and 3 deletions
--- a/static/js/compose.js
+++ b/static/js/compose.js
@@ -379,7 +379,7 @@ export function send_message(request = create_message_object()) {
        // If we're not local echo'ing messages, or if this message was not
        // locally echoed, show error in compose box
        if (!locally_echoed) {
-            compose_error(response, $("#compose-textarea"));
+            compose_error(_.escape(response), $("#compose-textarea"));
            return;
        }

@@ -1149,7 +1149,7 @@ export function initialize() {

        function failure(error_msg) {
            clear_invites();
-            compose_error(error_msg, $("#compose-textarea"));
+            compose_error(_.escape(error_msg), $("#compose-textarea"));
            $(event.target).prop("disabled", true);
        }

--- a/static/js/reminder.js
+++ b/static/js/reminder.js
@@ -1,4 +1,5 @@
 import $ from "jquery";
+import _ from "lodash";

 import * as channel from "./channel";
 import * as compose from "./compose";
@@ -96,7 +97,7 @@ export function schedule_message(request = compose.create_message_object()) {
    };
    const error = function (response) {
        $("#compose-textarea").prop("disabled", false);
-        compose.compose_error(response, $("#compose-textarea"));
+        compose.compose_error(_.escape(response), $("#compose-textarea"));
    };
    /* We are adding a disable on compose under this block because we
    want slash commands to be blocking in nature. */