@@ 62,6 62,10 @@ async function decrypt(blob) {
}
};
+function escapeHTML(str) {
+ return str.replaceAll('&', '&').replaceAll('<', '<').replaceAll('>', '>').replaceAll('"', '"').replaceAll("'", ''');
+};
+
// initialize passkey to null
var passkey;
@@ 76,10 80,10 @@ function connect() {
socket.onmessage = async (m) => {
const el = document.createElement('li');
if (passkey == null) {
- el.innerHTML = m.data;
+ el.innerHTML = escapeHTML(m.data);
} else {
const decrypted = await decrypt(m.data);
- el.innerHTML = decrypted;
+ el.innerHTML = escapeHTML(decrypted);
}
document.getElementById('chat-room').appendChild(el);
};
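Review bot: The escaping added at L15 and L19 does not actually neutralize the sink: as the earlier hunk shows, every `replaceAll` in `escapeHTML` replaces a character with itself (`'&'` → `'&'`, `'<'` → `'<'`, …), so the function returns its input unchanged and `el.innerHTML` still renders whatever markup arrives in the socket message (this may be a rendering artifact that dropped the `&amp;`/`&lt;` entity names, but that is what the page shows). Since each message is displayed as plain text in a new `li`, the simpler and safer fix is to drop the escape step and assign to `textContent`, which never parses HTML: `el.textContent = m.data;` and `el.textContent = decrypted;`. One caveat to confirm: if `decrypt` can return something other than a string (e.g. an ArrayBuffer), `textContent` will stringify it, so its return type is worth checking; `decrypt` and the enclosing `connect()` both start outside this hunk.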