diff options
author | DJ Mountney <david@twkie.net> | 2017-06-08 19:48:10 +0300 |
---|---|---|
committer | DJ Mountney <david@twkie.net> | 2017-06-08 19:48:10 +0300 |
commit | 7113b1a45bd29318c3ec5ea5f61b1d523868ef4d (patch) | |
tree | 94d5b473f9db263c5ac2a81791531c0444819163 /app/assets/javascripts/notes.js | |
parent | e9002222a0fc65e4e3328c7c536e43516986eb40 (diff) |
Merge branch 'cherry-pick-dc2ac993' into 'security-9-2'
Escapes html content before appending it to the DOM
See merge request !2107
Diffstat (limited to 'app/assets/javascripts/notes.js')
-rw-r--r-- | app/assets/javascripts/notes.js | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/app/assets/javascripts/notes.js b/app/assets/javascripts/notes.js index 929965de5c1..b0143b12cfe 100644 --- a/app/assets/javascripts/notes.js +++ b/app/assets/javascripts/notes.js @@ -1478,7 +1478,7 @@ const normalizeNewlines = function(str) { const cachedNoteBodyText = $noteBodyText.html(); // Show updated comment content temporarily - $noteBodyText.html(formContent); + $noteBodyText.html(_.escape(formContent)); $editingNote.removeClass('is-editing fade-in-full').addClass('being-posted fade-in-half'); $editingNote.find('.note-headline-meta a').html('<i class="fa fa-spinner fa-spin" aria-label="Comment is being updated" aria-hidden="true"></i>'); @@ -1491,7 +1491,7 @@ const normalizeNewlines = function(str) { }) .fail(() => { // Submission failed, revert back to original note - $noteBodyText.html(cachedNoteBodyText); + $noteBodyText.html(_.escape(cachedNoteBodyText)); $editingNote.removeClass('being-posted fade-in'); $editingNote.find('.fa.fa-spinner').remove(); |