fix: escape html in messages

Richard Ramos 2020-09-01 15:05:20 -04:00 committed by Iuri Matias
parent 1e020a203c
commit 782e89508c
4 changed files with 16 additions and 13 deletions


@ -3,6 +3,7 @@ import ../../../status/chat/[chat, message]
import ../../../status/status import ../../../status/status
import ../../../status/ens import ../../../status/ens
import ../../../status/accounts import ../../../status/accounts
import strformat, strutils
type type
ChannelsRoles {.pure.} = enum ChannelsRoles {.pure.} = enum
@ -158,7 +159,7 @@ QtObject:
case elem.textType: case elem.textType:
of "mention": result = self.userNameOrAlias(elem.literal) of "mention": result = self.userNameOrAlias(elem.literal)
of "link": result = elem.destination of "link": result = elem.destination
else: result = elem.literal else: result = escape_html(elem.literal.strip)
proc renderBlock(self: ChannelsList, message: Message): string = proc renderBlock(self: ChannelsList, message: Message): string =
for pMsg in message.parsedText: for pMsg in message.parsedText:
@ -167,4 +168,5 @@ QtObject:
for children in pMsg.children: for children in pMsg.children:
result = result & self.renderInline(children) result = result & self.renderInline(children)
else: else:
result = pMsg.literal result = escape_html(pMsg.literal.strip)
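Review bot: In the ChannelsList `renderInline`, the `mention` and `link` branches still return `self.userNameOrAlias(elem.literal)` and `elem.destination` unescaped, so only the fallthrough branch gets the new protection. Both values come from message content or, presumably, a user-chosen name, so if this string is displayed as rich text (which the added escaping suggests) they need the same treatment: `of "link": result = escape_html(elem.destination)` and `of "mention": result = escape_html(self.userNameOrAlias(elem.literal))`. The `of "link": result = elem.destination` branch of the ChatMessageList `renderInline` in the next file is left unescaped in the same way, and there the result is concatenated into `<p>` markup. The start of `renderInline` lies outside this hunk.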


@ -15,14 +15,15 @@ proc mention(self: ChatMessageList, pubKey: string): string =
# See render-inline in status-react/src/status_im/ui/screens/chat/message/message.cljs # See render-inline in status-react/src/status_im/ui/screens/chat/message/message.cljs
proc renderInline(self: ChatMessageList, elem: TextItem): string = proc renderInline(self: ChatMessageList, elem: TextItem): string =
let value = escape_html(elem.literal.strip)
case elem.textType: case elem.textType:
of "": result = elem.literal of "": result = value
of "code": result = fmt("<code>{elem.literal.strip}</code> ") of "code": result = fmt("<code>{value}</code> ")
of "emph": result = fmt("<em>{elem.literal}</em> ") of "emph": result = fmt("<em>{value}</em> ")
of "strong": result = fmt("<strong>{elem.literal}</strong> ") of "strong": result = fmt("<strong>{value}</strong> ")
of "link": result = elem.destination of "link": result = elem.destination
of "mention": result = fmt("<a href=\"//{elem.literal}\" class=\"mention\">{self.mention(elem.literal)}</a> ") of "mention": result = fmt("<a href=\"//{value}\" class=\"mention\">{self.mention(value)}</a> ")
of "status-tag": result = fmt("<a href=\"#{elem.literal}\" class=\"status-tag\">#{elem.literal}</a> ") of "status-tag": result = fmt("<a href=\"#{value}\" class=\"status-tag\">#{value}</a> ")
# See render-block in status-react/src/status_im/ui/screens/chat/message/message.cljs # See render-block in status-react/src/status_im/ui/screens/chat/message/message.cljs
proc renderBlock(self: ChatMessageList, message: Message): string = proc renderBlock(self: ChatMessageList, message: Message): string =
@ -36,8 +37,8 @@ proc renderBlock(self: ChatMessageList, message: Message): string =
result = result & self.renderInline(children) result = result & self.renderInline(children)
result = result & "</p>" result = result & "</p>"
of "blockquote": of "blockquote":
result = result & pMsg.literal.strip.split("\n").mapIt("<span>▍ " & it & "</span>").join("<br />") result = result & pMsg.literal.strip.split("\n").mapIt("<span>▍ " & escape_html(it) & "</span>").join("<br />")
of "codeblock": of "codeblock":
result = result & "<code>" & pMsg.literal.strip & "</code>" result = result & "<code>" & escape_html(pMsg.literal.strip) & "</code>"
result = result.strip() result = result.strip()
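Review bot: In the `mention` branch the already-escaped `value` is passed to `self.mention(...)`, whose parameter is `pubKey`, and the name it returns is interpolated into the anchor text without escaping. Escaping belongs on what is emitted rather than on the lookup key, e.g. `of "mention": result = fmt("<a href=\"//{value}\" class=\"mention\">{escape_html(self.mention(elem.literal))}</a> ")`. The body of `mention` is outside the hunk, so whether it already returns escaped text cannot be confirmed from here. Separately, `value` is stripped, so the `""`, `emph` and `strong` branches no longer keep the literal's surrounding whitespace, and a plain-text run may be joined to the tag that follows when `renderBlock` concatenates children. Using `let value = escape_html(elem.literal)` and keeping `.strip` only in the `code` branch would preserve the earlier spacing.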

2
vendor/DOtherSide vendored

@ -1 +1 @@
Subproject commit 7d8edc6db225057af5592e2f20c7470fac83fbaf Subproject commit f08d304398f3ec26e4f58a18f24906a470fa3efc

2
vendor/nimqml vendored

@ -1 +1 @@
Subproject commit 57d6e6459daab1d357adafcbf7cb008f5b8969e5 Subproject commit 1d1933374c104dba818253ec904e7bb69e92d77c