From 6251d47ca0b44264542195237085f6c93ec4e094 Mon Sep 17 00:00:00 2001
From: Pierre
Date: Tue, 4 Jul 2017 21:13:02 +0200
Subject: [PATCH] Fixed security breach in conversations system

---
 assets/js/common/utils.js | 27 +++++++++++++++++++
 .../components/conversations/chatWindows.js | 2 +-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/assets/js/common/utils.js b/assets/js/common/utils.js
index 4272ebe7..a5ce092b 100644
--- a/assets/js/common/utils.js
+++ b/assets/js/common/utils.js
@@ -289,4 +289,31 @@ function checkString(value){
 
 //Success, the string seems to be valid
 return true;
+}
+
+/**
+ * Remove HTML carachters : < and >
+ *
+ * @param {String} input The string to change
+ * @return {String} The updated string
+ */
+function removeHtmlTags(input){
+
+ //Prepare update
+ var output = input;
+
+ //Replace opening braces
+ while(output.includes("<")){
+ //Replace an occurence
+ output = output.replace("<", "<");
+ }
+
+ //Replace closing braces
+ while(output.includes(">")){
+ //Replace an occurence
+ output = output.replace(">", ">");
+ }
+
+ //Return result
+ return output;
 }
\ No newline at end of file
diff --git a/assets/js/components/conversations/chatWindows.js b/assets/js/components/conversations/chatWindows.js
index 60a6338e..61257876 100644
--- a/assets/js/components/conversations/chatWindows.js
+++ b/assets/js/components/conversations/chatWindows.js
@@ -789,7 +789,7 @@ ComunicWeb.components.conversations.chatWindows = {
 var textMessage = createElem2({
 appendTo: messageTargetElem,
 type: "span",
- innerHTML: messageInfos.message,
+ innerHTML: removeHtmlTags(messageInfos.message), //Remove HTML tags
 });
 
 //Check if an image has to be added
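Review bot: The `while(output.includes(...))` / `replace` pairs in `removeHtmlTags` rescan the string from the start on every iteration and terminate only because the replacement text contains no `<` or `>`; as the hunk is printed here the call reads `output.replace("<", "<")`, which is a no-op and would never terminate, so this is most likely the page decoding the `&lt;`/`&gt;` entity literals and the committed strings should be confirmed. One global regex replacement per character does the same work in a single pass and cannot loop, and because the result is written to `innerHTML` in chatWindows.js, escaping `&` first as well keeps a message such as `&amp;` from being decoded by the HTML parser instead of displayed as sent. The name and docstring say the function removes tags, but it escapes them; `Escape the HTML special characters &, < and > so the string can be placed in innerHTML as text` describes what it does. Calling it with `undefined` throws on `.includes`, which is worth a null guard since `messageInfos.message` is the only caller shown.

```javascript
function removeHtmlTags(input){
	//Nothing to escape
	if(input == null) return "";

	//One pass per character; & goes first so the entities produced below are not re-escaped
	return String(input)
		.replace(/&/g, "&amp;")
		.replace(/</g, "&lt;")
		.replace(/>/g, "&gt;");
}
```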
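Review bot: The message is still written through `innerHTML`, so the only thing between a user-controlled message and the DOM is `removeHtmlTags`, which in this commit escapes only `<` and `>`; a message containing `&` followed by an entity name is still decoded by the parser, so what is displayed can differ from what was sent. If `createElem2` accepts a text option (`innerText` or `textContent`), using it here removes the dependency on the escaper altogether: `innerText: messageInfos.message,`. If `messageInfos.message` can be absent, `removeHtmlTags` throws on `.includes` of `undefined`, so the call site should either guard it or the helper should accept null input. The enclosing `chatWindows` object and its method start and end outside the hunk.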