Fixed security breach in conversations system

2025-05-28 01:52:07 +00:00 · 2017-07-04 21:13:02 +02:00 · 2017-07-04 21:13:02 +02:00 · 6251d47ca0
commit 6251d47ca0
parent 798e43d446
2 changed files with 28 additions and 1 deletions
--- a/assets/js/common/utils.js
+++ b/assets/js/common/utils.js
@ -290,3 +290,30 @@ function checkString(value){
 	return true;

 }
+
+/**
+ * Remove HTML carachters : < and >
+ * 
+ * @param {String} input The string to change
+ * @return {String} The updated string
+ */
+function removeHtmlTags(input){
+	
+	//Prepare update
+	var output = input;
+	
+	//Replace opening braces
+	while(output.includes("<")){
+		//Replace an occurence
+		output = output.replace("<", "&lt;");
+	}
+
+	//Replace closing braces
+	while(output.includes(">")){
+		//Replace an occurence
+		output = output.replace(">", "&gt;");
+	}
+	
+	//Return result
+	return output;
+}
--- a/assets/js/components/conversations/chatWindows.js
+++ b/assets/js/components/conversations/chatWindows.js
@ -789,7 +789,7 @@ ComunicWeb.components.conversations.chatWindows = {
 		var textMessage = createElem2({
 			appendTo: messageTargetElem,
 			type: "span",
-			innerHTML: messageInfos.message,
+			innerHTML: removeHtmlTags(messageInfos.message), //Remove HTML tags
 		});

 		//Check if an image has to be added