compose: Generate properly escaped HTML.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
This commit is contained in:
Anders Kaseorg 2021-02-03 14:48:26 -08:00 committed by Tim Abbott
parent 154fc03fa5
commit f8d11c6479
1 changed files with 2 additions and 1 deletions

View File

@ -1,6 +1,7 @@
"use strict"; "use strict";
const Handlebars = require("handlebars/runtime"); const Handlebars = require("handlebars/runtime");
const _ = require("lodash");
const render_compose_all_everyone = require("../templates/compose_all_everyone.hbs"); const render_compose_all_everyone = require("../templates/compose_all_everyone.hbs");
const render_compose_announce = require("../templates/compose_announce.hbs"); const render_compose_announce = require("../templates/compose_announce.hbs");
@ -901,7 +902,7 @@ exports.render_and_show_preview = function (preview_spinner, preview_content_box
// Handle previews of /me messages // Handle previews of /me messages
rendered_preview_html = rendered_preview_html =
"<p><strong>" + "<p><strong>" +
page_params.full_name + _.escape(page_params.full_name) +
"</strong>" + "</strong>" +
rendered_content.slice("<p>/me".length); rendered_content.slice("<p>/me".length);
} else { } else {