From 3d911f2a22ec74699830a9db5f1474539eaadb86 Mon Sep 17 00:00:00 2001 From: Danila Fedorin Date: Mon, 26 Jul 2021 14:49:06 -0700 Subject: [PATCH] Add escaping to replies --- .../room/timeline/entries/BaseEventEntry.js | 26 +++++++++++++------ 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/src/matrix/room/timeline/entries/BaseEventEntry.js b/src/matrix/room/timeline/entries/BaseEventEntry.js index a9825eaa..9782c530 100644 --- a/src/matrix/room/timeline/entries/BaseEventEntry.js +++ b/src/matrix/room/timeline/entries/BaseEventEntry.js @@ -19,6 +19,10 @@ import {REDACTION_TYPE} from "../../common.js"; import {createAnnotation, createReply, ANNOTATION_RELATION_TYPE, getRelationFromContent} from "../relations.js"; import {PendingAnnotation} from "../PendingAnnotation.js"; +function htmlEscape(string) { + return string.replace(/&/g, "&").replace(//g, ">"); +} + /** Deals mainly with local echo for relations and redactions, * so it is shared between PendingEventEntry and EventEntry */ export class BaseEventEntry extends BaseEntry { @@ -168,15 +172,21 @@ export class BaseEventEntry extends BaseEntry { return this.content.msgtype === "m.emote" ? "* " : ""; } + get _formattedBody() { + return this.content.formatted_body || (this.content.body && htmlEscape(this.content.body)); + } + + get _plainBody() { + return this.content.body; + } + _replyFormattedFallback() { - // TODO check for absense? - // TODO escape and tranform unformatted body as needed - const body = this._fallbackBlurb() || this.content.formatted_body || this.content.body; + const body = this._fallbackBlurb() || this._formattedBody || ""; const prefix = this._fallbackPrefix(); return `
In reply to - ${prefix}${this.displayName} + ${prefix}${this.displayName || this.sender}
${body}
@@ -184,16 +194,16 @@ export class BaseEventEntry extends BaseEntry { } _replyBodyFallback() { - // TODO check for absense? - const body = this._fallbackBlurb() || this.content.body; + const body = this._fallbackBlurb() || this._plainBody || ""; const bodyLines = body.split("\n"); bodyLines[0] = `> <${this.sender}> ${bodyLines[0]}` - return `${bodyLines.join("\n> ")}`; + return bodyLines.join("\n> "); } reply(msgtype, body) { + // TODO check for absense of sender / body / msgtype / etc? const newBody = this._replyBodyFallback() + '\n\n' + body; - const newFormattedBody = this._replyFormattedFallback() + body; + const newFormattedBody = this._replyFormattedFallback() + htmlEscape(body); return createReply(this.id, msgtype, newBody, newFormattedBody); }
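Review bot: In `_replyFormattedFallback`, the added `${prefix}${this.displayName || this.sender}` goes into the HTML fallback unescaped, although a display name is chosen by the remote user and may contain markup characters; wrap it as `${prefix}${htmlEscape(this.displayName || this.sender)}`. The new `_formattedBody` getter also returns `this.content.formatted_body` as-is, so sender-controlled HTML is relayed into the reply. If that is intended for the fallback, it deserves a comment such as `// formatted_body is sender-controlled HTML; embedded unsanitised, must be sanitised at render time`. If any of these values also land inside attributes of the surrounding markup (the tags are not readable on this page), `htmlEscape` from the first hunk would need to escape `"` and `'` as well, since as far as can be read here it handles only `&`, `<` and `>`.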
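Review bot: `_replyBodyFallback` calls `body.split("\n")` and `reply` calls `htmlEscape(body)`, and both throw a TypeError when the value is truthy but not a string; the `|| ""` fallback only covers a missing body. `this.content.body` comes from event content, so a type guard in the getter is safer, e.g. `return typeof this.content.body === "string" ? this.content.body : undefined;` in `_plainBody`, with the same test before `htmlEscape(this.content.body)` in `_formattedBody` (previous hunk). For the `body` argument of `reply`, the new TODO already names the missing check; `htmlEscape(String(body ?? ""))` would at least keep a bad caller from throwing halfway through building the reply.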