[Libreoffice-commits] online.git: Branch 'libreoffice-5-4' - loleaflet/src

[Pranav Kant]

 loleaflet/src/layer/marker/Annotation.js |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

New commits:
commit 4f72de43d606f3c927de0cd18cf7622bf7c82c5b
Author: Pranav Kant <pranavk at collabora.co.uk>
Date:   Tue Jun 6 18:21:24 2017 +0530

    Allow links in comments
    
    Change-Id: I033ab7fe09ece8da10bc61fc2102cce80c1e24b0
    (cherry picked from commit 5e9ed0c8cb9ced0854286a9ad51e0ec763360a0a)
    Reviewed-on: https://gerrit.libreoffice.org/48961
    Reviewed-by: Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>
    Tested-by: Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>

diff --git a/loleaflet/src/layer/marker/Annotation.js b/loleaflet/src/layer/marker/Annotation.js
index 5c577289..8226335c 100644
--- a/loleaflet/src/layer/marker/Annotation.js
+++ b/loleaflet/src/layer/marker/Annotation.js
@@ -285,8 +285,14 @@ L.Annotation = L.Layer.extend({
 	},
 
 	_updateContent: function () {
-		var linkedText = Autolinker.link(this._data.text);
-		$(this._contentText).text(linkedText);
+		// .text() method will escape the string, does not interpret the string as HTML
+		$(this._contentText).text(this._data.text);
+		// Get the escaped HTML out and find for possible, useful links
+		var linkedText = Autolinker.link($(this._contentText).html());
+		// Set the property of text field directly. This is insecure otherwise because it doesn't escape the input
+		// But we have already escaped the input before and only thing we are adding on top of that is Autolinker
+		// generated text.
+		this._contentText.innerHTML = linkedText;
 		// Original unlinked text
 		this._contentText.origText = this._data.text;
 		$(this._nodeModifyText).text(this._data.text);