From c4b60acf9c27a7d58bfcbc6bb9f36dbfac116ca8 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Fri, 9 Apr 2021 17:26:13 -0700
Subject: [PATCH] compose: HTML-escape errors from server for compose_error.
Signed-off-by: Anders Kaseorg
---
 static/js/compose.js | 4 ++--
 static/js/reminder.js | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/static/js/compose.js b/static/js/compose.js
index 83e8ddc1d8..dfbab1700e 100644
--- a/static/js/compose.js
+++ b/static/js/compose.js
@@ -379,7 +379,7 @@ export function send_message(request = create_message_object()) {
 // If we're not local echo'ing messages, or if this message was not
 // locally echoed, show error in compose box
 if (!locally_echoed) {
- compose_error(response, $("#compose-textarea"));
+ compose_error(_.escape(response), $("#compose-textarea"));
 return;
 }
@@ -1149,7 +1149,7 @@ export function initialize() {
 function failure(error_msg) {
 clear_invites();
- compose_error(error_msg, $("#compose-textarea"));
+ compose_error(_.escape(error_msg), $("#compose-textarea"));
 $(event.target).prop("disabled", true);
 }
diff --git a/static/js/reminder.js b/static/js/reminder.js
index a920d0ee3d..600ad575be 100644
--- a/static/js/reminder.js
+++ b/static/js/reminder.js
@@ -1,4 +1,5 @@
 import $ from "jquery";
+import _ from "lodash";
 import * as channel from "./channel";
 import * as compose from "./compose";
@@ -96,7 +97,7 @@ export function schedule_message(request = compose.create_message_object()) {
 };
 const error = function (response) {
 $("#compose-textarea").prop("disabled", false);
- compose.compose_error(response, $("#compose-textarea"));
+ compose.compose_error(_.escape(response), $("#compose-textarea"));
 };
 /* We are adding a disable on compose under this block because we want slash commands to be blocking in nature. */
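Review bot: Escaping at each call site leaves the sink, `compose_error`, still accepting raw HTML, so any future caller that forgets `_.escape` reintroduces the same injection; the more durable fix is for `compose_error` to treat its message argument as text (insert it via `.text()`/`textContent`) and expose a separately named HTML-accepting variant for the few callers that genuinely need markup. The same pattern is applied in the `failure` hunk at @@ -1149 in compose.js and in the `error` callback at @@ -96 in reminder.js, so one sink-side change would cover all three. If the sink must keep taking HTML for now, a why-comment on the changed line would guard against regression: `// response is server-supplied text; compose_error renders HTML, so escape it first`. This patch adds a lodash import to reminder.js but not to compose.js, so `_` is presumably already imported there — worth confirming since an unresolved `_` would only fail at runtime on the error path. `send_message` begins and ends outside the hunk.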