[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-2-1' - loleaflet/src

Pranav Kant pranavk at collabora.co.uk
Wed Jun 7 16:08:21 UTC 2017


 loleaflet/src/layer/marker/Annotation.js |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

New commits:
commit 69d7e374bed61e142664345ddf40d0d30ef2b3af
Author: Pranav Kant <pranavk at collabora.co.uk>
Date:   Tue Jun 6 18:21:24 2017 +0530

    Allow links in comments
    
    Change-Id: I033ab7fe09ece8da10bc61fc2102cce80c1e24b0
    (cherry picked from commit 5e9ed0c8cb9ced0854286a9ad51e0ec763360a0a)
    Reviewed-on: https://gerrit.libreoffice.org/38449
    Reviewed-by: Jan Holesovsky <kendy at collabora.com>
    Tested-by: Jan Holesovsky <kendy at collabora.com>

diff --git a/loleaflet/src/layer/marker/Annotation.js b/loleaflet/src/layer/marker/Annotation.js
index 8b3e0653..e60c4379 100644
--- a/loleaflet/src/layer/marker/Annotation.js
+++ b/loleaflet/src/layer/marker/Annotation.js
@@ -286,8 +286,14 @@ L.Annotation = L.Layer.extend({
 	},
 
 	_updateContent: function () {
-		var linkedText = Autolinker.link(this._data.text);
-		$(this._contentText).text(linkedText);
+		// .text() method will escape the string, does not interpret the string as HTML
+		$(this._contentText).text(this._data.text);
+		// Get the escaped HTML out and find for possible, useful links
+		var linkedText = Autolinker.link($(this._contentText).html());
+		// Set the property of text field directly. This is insecure otherwise because it doesn't escape the input
+		// But we have already escaped the input before and only thing we are adding on top of that is Autolinker
+		// generated text.
+		this._contentText.innerHTML = linkedText;
 		// Original unlinked text
 		this._contentText.origText = this._data.text;
 		$(this._nodeModifyText).text(this._data.text);
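Review bot: The `innerHTML` assignment at the end of the added lines is safe only while `Autolinker.link()` returns nothing but well-formed anchor markup for its input, and the comment above it does not record that dependency. The `.text()`/`.html()` round trip serialises a text node, which escapes `&`, `<` and `>` but leaves `"` and `'` untouched, so a quote inside a matched URL would reach the generated `href` attribute unless Autolinker escapes it; whether it does is not visible in this hunk and should be confirmed for the bundled version. I would extend the comment with `// Safety depends on Autolinker escaping attribute values in its output; re-verify whenever Autolinker is upgraded.` A sturdier alternative is to assemble the content from text nodes and `<a>` elements created through DOM APIs rather than assigning a string to `innerHTML`. `_updateContent` continues past the end of the hunk.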

