From 360e020f286673ef32cd7a32f4454f4b46a5fd5c Mon Sep 17 00:00:00 2001
From: Dominic Ricottone
Date: Wed, 12 Jan 2022 08:56:46 -0600
Subject: [PATCH] Simple HTML sanitization

---
 static/js/chat.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/static/js/chat.js b/static/js/chat.js
index 7d48afd..6736b56 100644
--- a/static/js/chat.js
+++ b/static/js/chat.js
@@ -62,6 +62,10 @@ async function decrypt(blob) {
 }
 };
 
+function escapeHTML(str) {
+ return str.replaceAll('&', '&').replaceAll('<', '<').replaceAll('>', '>').replaceAll('"', '"').replaceAll("'", ''');
+};
+
 // initialize passkey to null
 var passkey;
 
@@ -76,10 +80,10 @@ function connect() {
 socket.onmessage = async (m) => {
 const el = document.createElement('li');
 if (passkey == null) {
- el.innerHTML = m.data;
+ el.innerHTML = escapeHTML(m.data);
 } else {
 const decrypted = await decrypt(m.data);
- el.innerHTML = escapeHTML(decrypted);
 }
 document.getElementById('chat-room').appendChild(el);
 };
--
2.45.2
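Review bot: As this patch renders, every `replaceAll` in `escapeHTML` maps a character to itself (`.replaceAll('&', '&')`, `.replaceAll('<', '<')`, …), which would make the function a no-op and leave the `innerHTML` assignments below as exposed as before; if that is only entity decoding in this view, it is still worth confirming the committed source emits the entity forms (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;`) and keeps the `&` replacement first so already-escaped output is not double-escaped. The function also assumes `str` is a string: `replaceAll` is not defined on a `Blob` or `ArrayBuffer`, so a binary WebSocket frame or a non-string result from `decrypt` would throw inside the message handler; a guard such as `return String(str ?? '')` at the top would make that explicit. The trailing `};` after the function declaration is a stray empty statement and can be `}`.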
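Review bot: Both branches of the handler still go through `innerHTML`, so the safety of the rendered message now depends entirely on `escapeHTML` being complete; since the intent is to show the message as plain text, assigning `el.textContent = m.data;` and `el.textContent = decrypted;` removes the escaping step altogether and cannot be undone by a missed character. If HTML rendering of messages is deliberately wanted later, that decision should be documented at the assignment rather than inherited silently. The body of `connect()` continues outside this hunk.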