From dbc1d26966fba0fdbb8473f505a35634a484a7a3 Mon Sep 17 00:00:00 2001
From: Jonathan Rainville
Date: Thu, 5 Nov 2020 15:03:53 -0500
Subject: [PATCH] fix: protect against XSS in chat names
---
 ui/app/AppLayouts/Chat/components/GroupChatPopup.qml | 2 +-
 ui/imports/Utils.qml | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/ui/app/AppLayouts/Chat/components/GroupChatPopup.qml b/ui/app/AppLayouts/Chat/components/GroupChatPopup.qml
index e976a17907..501f79ad94 100644
--- a/ui/app/AppLayouts/Chat/components/GroupChatPopup.qml
+++ b/ui/app/AppLayouts/Chat/components/GroupChatPopup.qml
@@ -57,7 +57,7 @@ ModalPopup {
 function doJoin(){
 if(pubKeys.length === 0) return;
- chatsModel.createGroup(groupName.text, JSON.stringify(pubKeys));
+ chatsModel.createGroup(Utils.filterXSS(groupName.text), JSON.stringify(pubKeys));
 popup.close();
 }
diff --git a/ui/imports/Utils.qml b/ui/imports/Utils.qml
index b63b546cb0..2ab725083d 100644
--- a/ui/imports/Utils.qml
+++ b/ui/imports/Utils.qml
@@ -54,8 +54,11 @@ QtObject {
 var replacePattern2 = /(^|[^\/])(www\.[\S]+(\b|$))/gim;
 replacedText = replacedText.replace(replacePattern2, "$1$2");
- replacedText = XSS.filterXSS(replacedText)
- return replacedText;
+ return XSS.filterXSS(replacedText)
+ }
+
+ function filterXSS(inputText) {
+ return XSS.filterXSS(inputText)
 }
 function toLocaleString(val, locale, options) {
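Review bot: Filtering the name only inside `doJoin()` covers groups created from this popup. A name that reaches the client by another route (for example a group created or renamed by another member) never passes through this call, so whether it is displayed safely depends on code not visible in this hunk. The filtered string is also what is handed to `chatsModel.createGroup`, so the sanitised form rather than what the user typed is presumably what gets stored and shared. Consider neutralising the name where it is rendered instead, e.g. `textFormat: Text.PlainText` on the item that shows the chat name, or `Utils.filterXSS(name)` in that binding.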
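Review bot: The new `filterXSS(inputText)` helper has no comment stating what context its output is safe for, so callers may treat it as a general-purpose validator. I would add above it `// Sanitises inputText with the bundled XSS filter for display in rich-text (HTML-rendering) items; apply at the point of display.` How the underlying `XSS.filterXSS` handles `undefined` or non-string input is not visible here and is worth stating in the same comment once confirmed. The first changed lines of this hunk belong to a function whose start lies outside the hunk.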