From 5ba881ba41ccfa7c2c5fa97c282f715147d70dd1 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Tue, 17 Jul 2018 15:02:46 +0200
Subject: Do not parse HTML in user id and display name

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 apps/comments/js/commentstabview.js | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

(limited to 'apps/comments/js')

diff --git a/apps/comments/js/commentstabview.js b/apps/comments/js/commentstabview.js
index db38d055af4..8b20bac571b 100644
--- a/apps/comments/js/commentstabview.js
+++ b/apps/comments/js/commentstabview.js
@@ -195,22 +195,26 @@
 					},
 					sorter: function (q, items) { return items; }
 				},
-				displayTpl: '<li>'
-				+ '<span class="avatar-name-wrapper">'
-				+ '<div class="avatar" '
-				+ 'data-username="${id}"'	// for avatars
-				+ ' data-user="${id}"'		// for contactsmenu
-				+ ' data-user-display-name="${label}"></div>'
-				+ ' <strong>${label}</strong>'
-				+ '</span></li>',
-				insertTpl: ''
-				+ '<span class="avatar-name-wrapper">'
-				+ '<div class="avatar" '
-				+ 'data-username="${id}"'	// for avatars
-				+ ' data-user="${id}"'		// for contactsmenu
-				+ ' data-user-display-name="${label}"></div>'
-				+ ' <strong>${label}</strong>'
-				+ '</span>',
+				displayTpl: function (item) {
+					return '<li>'
+						+ '<span class="avatar-name-wrapper">'
+						+ '<div class="avatar" '
+						+ ' data-username="' + escapeHTML(item.id) + '"'	// for avatars
+						+ ' data-user="' + escapeHTML(item.id) + '"'		// for contactsmenu
+						+ ' data-user-display-name="' + escapeHTML(item.label) + '"></div>'
+						+ ' <strong>' + escapeHTML(item.label) + '</strong>'
+						+ '</span></li>';
+				},
+				insertTpl: function (item) {
+					return ''
+						+ '<span class="avatar-name-wrapper">'
+						+ '<div class="avatar" '
+						+ ' data-username="' + escapeHTML(item.id) + '"'	// for avatars
+						+ ' data-user="' + escapeHTML(item.id) + '"'		// for contactsmenu
+						+ ' data-user-display-name="' + escapeHTML(item.label) + '"></div>'
+						+ ' <strong>' + escapeHTML(item.label) + '</strong>'
+						+ '</span>';
+				},
 				searchKey: "label"
 			});
 			$target.on('inserted.atwho', function (je, $el) {
-- 
cgit v1.2.3