loleaflet/js/toolbar.js | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
New commits:
commit 3084565981d85d5734436c3411266c529ad5d879
Author: Szymon Kłos <szymon.k...@collabora.com>
AuthorDate: Tue Mar 19 10:07:50 2019 +0100
Commit: Szymon Kłos <szymon.k...@collabora.com>
CommitDate: Tue Mar 19 10:51:47 2019 +0100
Escape username
In case of guest users it was possible to inject html.
Change-Id: I642de3efa0fa03cd2a8d63834605f46eacd0f464
Reviewed-on: https://gerrit.libreoffice.org/69410
Reviewed-by: Szymon Kłos <szymon.k...@collabora.com>
Tested-by: Szymon Kłos <szymon.k...@collabora.com>
diff --git a/loleaflet/js/toolbar.js b/loleaflet/js/toolbar.js
index 5a5020bfb..71327fa7c 100644
--- a/loleaflet/js/toolbar.js
+++ b/loleaflet/js/toolbar.js
@@ -2369,11 +2369,16 @@ function updateUserListCount() {
 }
 }
 
+function escapeHtml(input) {
+ return $('<div>').text(input).html();
+}
+
 function onAddView(e) {
+ var username = escapeHtml(e.username);
 $('#tb_actionbar_item_userlist')
 .w2overlay({
 class: 'loleaflet-font',
- html: userJoinedPopupMessage.replace('%user', e.username),
+ html: userJoinedPopupMessage.replace('%user', username),
 style: 'padding: 5px'
 });
 clearTimeout(userPopupTimeout);
@@ -2383,7 +2388,6 @@ function onAddView(e) {
 userPopupTimeout = null;
 }, 3000);
 
- var username = e.username;
 var color = L.LOUtil.rgbToHex(map.getViewColor(e.viewId));
 if (e.viewId === map._docLayer._viewId) {
 username = _('You');
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
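Review bot: `escapeHtml` in the first hunk relies on `$('<div>').text(input).html()`, which encodes `&`, `<` and `>` but leaves `"` and `'` untouched, so its result is safe as element content only, not inside an attribute value. The now-escaped `username` is reused further down in `onAddView`, whose body continues outside the hunk, so it is worth confirming that none of those later uses places it in an attribute, or hands it to a text-setting API where the entities would show up literally. A comment on the helper would record the limit: `// Escapes &, < and > for element content only; quotes are not encoded, so do not use the result in attribute values.` Separately, `replace('%user', username)` interprets `$&` and similar `$` sequences in the replacement string, so a name containing them is displayed wrongly; `.replace('%user', function () { return username; })` inserts it literally.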