return deferred.promise();
},
+ escapeHTML: function(text) {
+ return text.toString()
+ .split('&').join('&')
+ .split('<').join('<')
+ .split('>').join('>')
+ .split('"').join('"')
+ .split('\'').join(''')
+ },
+
/**
* @param message The message string containing placeholders.
* @param parameters An object with keys as placeholders and values as their replacements.
for (var [placeholder, parameter] of Object.entries(parameters)) {
var replacement;
if (parameter.type === 'user') {
- replacement = '@' + parameter.name;
+ replacement = '@' + this.escapeHTML(parameter.name);
} else if (parameter.type === 'file') {
- replacement = parameter.path || parameter.name;
+ replacement = this.escapeHTML(parameter.path) || this.escapeHTML(parameter.name);
+ } else if (parameter.type === 'highlight') {
+ replacement = '<a href="' + encodeURI(parameter.link) + '">' + this.escapeHTML(parameter.name) + '</a>';
} else {
- replacement = parameter.name;
+ replacement = this.escapeHTML(parameter.name);
}
message = message.replace('{' + placeholder + '}', replacement);
}
}
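Review bot: `this.escapeHTML(parameter.path) || this.escapeHTML(parameter.name)` in the `file` branch throws when `path` is absent, because escapeHTML calls `text.toString()` on `undefined`, whereas the replaced line tolerated a missing path; apply the fallback first and escape once, `replacement = this.escapeHTML(parameter.path || parameter.name);`. In the `highlight` branch, `encodeURI` leaves `&` and `'` untouched, so an `&` in `parameter.link` is parsed as an entity inside the double-quoted `href`; use `this.escapeHTML(encodeURI(parameter.link))`, and if `link` is not entirely server-defined also check that it starts with `http://` or `https://`, since `encodeURI` does not constrain the scheme. As rendered here the `join` arguments in escapeHTML (the earlier hunk) are identical to the `split` arguments, which would make it a no-op; presumably the entity references were decoded by the page rendering, but it is worth confirming the committed source emits `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#039;`. Separately, the pre-existing `message.replace` with a string replacement interprets `$&` and `$1`-style patterns in the escaped name, which a function replacement, `function() { return replacement; }`, avoids. richToParsed's signature and the end of its doc comment fall outside the hunk.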
var message = setupCheck.description;
+ if (message) {
+ message = this.escapeHTML(message)
+ }
if (setupCheck.descriptionParameters) {
message = this.richToParsed(message, setupCheck.descriptionParameters);
}
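Review bot: `message = this.escapeHTML(message)` lacks the terminating semicolon the surrounding lines use; `message = this.escapeHTML(message);`. Escaping before `richToParsed` runs only works because the `{placeholder}` tokens contain none of the five escaped characters, which deserves a line above the `if`: `// escape first: {placeholder} tokens survive escaping, and richToParsed escapes each replacement`. Whether `setupCheck.description` already arrives escaped from the server cannot be told from here; if it does, this double-escapes it. The enclosing function starts outside the hunk.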