summaryrefslogtreecommitdiffstats
path: root/client/components
diff options
context:
space:
mode:
authorMaxime Quandalle <maxime@quandalle.com>2016-07-18 16:56:15 +0200
committerMaxime Quandalle <mquandalle@wekan.io>2016-07-20 22:21:41 +0200
commit1f3015bd2c03b0735f30ad8a695293cf1788df45 (patch)
tree4b3907cd01009108848f42d01a0a450a9b86b83f /client/components
parent3bc28b5e8ac469c19ea429e29c6a6e5677bd454a (diff)
downloadwekan-1f3015bd2c03b0735f30ad8a695293cf1788df45.tar.gz
wekan-1f3015bd2c03b0735f30ad8a695293cf1788df45.tar.bz2
wekan-1f3015bd2c03b0735f30ad8a695293cf1788df45.zip
Fix #573
Diffstat (limited to 'client/components')
-rwxr-xr-xclient/components/main/editor.js4
1 files changed, 3 insertions, 1 deletions
diff --git a/client/components/main/editor.js b/client/components/main/editor.js
index 17429067..95a96236 100755
--- a/client/components/main/editor.js
+++ b/client/components/main/editor.js
@@ -44,6 +44,8 @@ Template.editor.onRendered(() => {
]);
});
+import sanitizeXss from 'xss';
+
// XXX I believe we should compute a HTML rendered field on the server that
// would handle markdown, emoji and user mentions. We can simply have two
// fields, one source, and one compiled version (in HTML) and send only the
@@ -86,7 +88,7 @@ Blaze.Template.registerHelper('mentions', new Template('mentions', function() {
content = content.replace(fullMention, Blaze.toHTML(link));
}
- return HTML.Raw(content);
+ return HTML.Raw(sanitizeXss(content));
}));
Template.viewer.events({